Triggers
- A user has been granted access to more resources than they have had historically, and the grant occurred outside of learned administrator behaviors.
Possible Root Causes
- An attacker has escalated the account’s Exchange access rights to enable business email compromise or the collection of additional information to aid in the next step of the attack.
- Employee life-cycle activities such as permanent separation or temporary leaves of absence may legitimately require mailbox modifications, which could trigger this detection.
- Some service-specific mailboxes are intentionally granted these permissions.
Business Impact
- Exchange may contain sensitive data and content that is useful or desirable to an adversary.
- Data may leak from a user’s mailbox by being transmitted to unauthorized entities.
Steps to Verify
- Validate that the permissions granted are appropriate to the entity in question.
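
The following is an added example, not the detection's own implementation: a simplified model of the trigger that a reviewer can use to reason about which grants deserve validation. It assumes grant events have already been reduced to actor, grantee, and mailbox fields; those field names, the sample records, and the service allow-list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed grant events; field names are assumptions, not a real audit-log schema.
HISTORY = [
    {"actor": "admin@example.com", "grantee": "alice@example.com", "mailbox": "team-a@example.com"},
    {"actor": "admin@example.com", "grantee": "svc-archive@example.com", "mailbox": "bob@example.com"},
]
RECENT = [
    {"actor": "alice@example.com", "grantee": "alice@example.com", "mailbox": "cfo@example.com"},
    {"actor": "alice@example.com", "grantee": "alice@example.com", "mailbox": "hr@example.com"},
    {"actor": "admin@example.com", "grantee": "carol@example.com", "mailbox": "dave@example.com"},
    {"actor": "ops@example.com", "grantee": "svc-archive@example.com", "mailbox": "erin@example.com"},
]
SERVICE_GRANTEES = {"svc-archive@example.com"}  # assumed allow-list of service mailboxes


def learned_admins(history, min_grants=1):
    """Actors seen granting access to someone other than themselves in the baseline."""
    counts = defaultdict(int)
    for e in history:
        if e["actor"] != e["grantee"]:
            counts[e["actor"]] += 1
    return {a for a, n in counts.items() if n >= min_grants}


def flag_grants(history, recent, service_grantees=frozenset()):
    """Return {grantee: sorted new mailboxes} for grants that widen access beyond
    the baseline and were made by an actor outside the learned administrator set."""
    admins = learned_admins(history)
    baseline = defaultdict(set)
    for e in history:
        baseline[e["grantee"]].add(e["mailbox"])
    flagged = defaultdict(set)
    for e in recent:
        if e["grantee"] in service_grantees or e["actor"] in admins:
            continue  # expected: service mailbox or learned administrator activity
        if e["mailbox"] not in baseline[e["grantee"]]:
            flagged[e["grantee"]].add(e["mailbox"])
    return {g: sorted(m) for g, m in flagged.items()}


if __name__ == "__main__":
    for grantee, boxes in flag_grants(HISTORY, RECENT, SERVICE_GRANTEES).items():
        print(f"review: {grantee} gained access to {boxes}")
```

Each flagged grantee and mailbox pair is a candidate for the validation step above; entries suppressed by the allow-list should still be reviewed periodically, since the allow-list itself is trusted unconditionally here.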