
O365 Mailbox Inbox Folder Shared with All Users

Splunk Security Content

Summary
This detection rule identifies an Office 365 mailbox whose inbox folder is shared with all users in the tenant. This happens when the permissions on the 'Inbox' folder are altered to include 'Everyone' with read rights. The rule monitors Office 365 management activity events. Such a modification matters because it may indicate unauthorized access to sensitive emails, which can lead to data breaches or enable other malicious activity such as phishing attempts. The rule uses the O365 ModifyFolderPermissions data source and assesses each modification by the specific permissions granted to members. It captures the time span of the relevant activity and extracts details about the users responsible for the modifications, which makes it useful for ensuring compliance and for identifying potential misuse of permissions within an organization.
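The matching logic the summary describes, sketched in Python as an added example; it is not the rule's actual Splunk search. The event field names (`Operation`, `UserId`, `MailboxOwnerUPN`, `Item.ParentFolder.*`), the `ReadAny` right value and all sample events are assumptions constructed for illustration.

```python
# Added example: field names and events below are assumptions, not the rule's own search.
from collections import defaultdict

def make_event(time, user, folder, member, rights, op="ModifyFolderPermissions"):
    """Build a constructed audit event in the assumed Exchange record layout."""
    return {"CreationTime": time, "Operation": op, "UserId": user,
            "MailboxOwnerUPN": user,
            "Item": {"ParentFolder": {"Name": folder, "MemberUpn": member,
                                      "MemberRights": rights}}}

# Constructed sample data; only the first two events should match.
SAMPLE_EVENTS = [
    make_event("2024-01-10T09:02:11", "alice@example.com", "Inbox", "Everyone", "ReadAny"),
    make_event("2024-01-10T09:15:40", "alice@example.com", "Inbox", "Everyone",
               "ReadAny, FolderVisible"),
    make_event("2024-01-10T10:00:00", "bob@example.com", "Inbox", "carol@example.com", "ReadAny"),
    make_event("2024-01-10T10:05:00", "dave@example.com", "Calendar", "Everyone", "ReadAny"),
    make_event("2024-01-10T10:09:00", "erin@example.com", "Inbox", "Everyone", "None"),
    make_event("2024-01-10T10:12:00", "frank@example.com", "Inbox", "Everyone", "ReadAny",
               op="UpdateInboxRules"),
]

def grants_read_to_everyone(event):
    """True when the Inbox folder is opened to 'Everyone' with a read right."""
    if event.get("Operation") != "ModifyFolderPermissions":
        return False
    folder = event.get("Item", {}).get("ParentFolder", {})
    rights = [r.strip().lower() for r in (folder.get("MemberRights") or "").split(",")]
    return (folder.get("Name", "").lower() == "inbox"
            and folder.get("MemberUpn", "").lower() == "everyone"
            and any(r.startswith("read") for r in rights))

def detect(events):
    """Group matches by (acting user, mailbox) with count and first/last seen times."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in filter(grants_read_to_everyone, events):
        h = hits[(ev["UserId"], ev["MailboxOwnerUPN"])]
        t = ev["CreationTime"]  # ISO 8601 strings sort chronologically
        h["count"] += 1
        h["first"] = t if h["first"] is None else min(h["first"], t)
        h["last"] = t if h["last"] is None else max(h["last"], t)
    return dict(hits)

if __name__ == "__main__":
    for (user, mailbox), h in detect(SAMPLE_EVENTS).items():
        print(user, mailbox, h["count"], h["first"], h["last"])
```

The non-matching events cover the cases a triager would want excluded: a grant to a named user, a folder other than Inbox, a rights value of `None`, and a different operation.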
Categories
  • Cloud
  • Identity Management
  • Other
Data Sources
  • Pod
  • Container
  • User Account
  • Windows Registry
  • Script
  • Image
  • Web Credential
  • Named Pipe
  • Certificate
  • WMI
  • Cloud Storage
  • Internet Scan
  • Persona
  • Group
  • Application Log
  • Logon Session
  • Instance
  • Sensor Health
  • File
  • Drive
  • Snapshot
  • Command
  • Kernel
  • Driver
  • Volume
  • Cloud Service
  • Malware Repository
  • Network Share
  • Network Traffic
  • Scheduled Job
  • Firmware
  • Active Directory
  • Service
  • Domain Name
  • Process
  • Firewall
  • Module
ATT&CK Techniques
  • T1114
  • T1114.002
Created: 2024-11-14