Quick Mail Consent (MS O365)
The Mail.Read
and Mail.ReadWrite
delegated permissions are extremely sensitive permissions that can allow access to user email without a signed-in user. Secureworks® Taegis™ XDR’s Office 365 Quick Mail Consent Detector monitors your Office 365 audit logs for applications granted Mail.Read
or Mail.ReadWrite
permissions, and related application consent logs that occur within a short period of time. The time period is calibrated according to attack patterns by known threat actors. Due to the sensitivity of the permission set being monitored and the detector monitoring for fully consented applications, alerts produced by this detector contain a high severity rating. Suppression is supported.
O365 Quick Mail Consent Detector Alert
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Microsoft Office 365 Management API audit logs
- Microsoft Office 365 audit logs collected through the Microsoft Office 365 Management API integration and normalized to the CloudAudit schema in the XDR data lake.
Inputs ⫘
Detections are from the following normalized sources:
- Cloud Audit (MS O365 Management API Audit Logs)
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
- MITRE Enterprise ATT&CK - Defense Evasion - Valid Accounts - Cloud Accounts. For more information, see MITRE Technique T1078.004.
- MITRE Enterprise ATT&CK - Persistence - Account Manipulation - Exchange Email Delegate Permissions. For more information, see MITRE Technique T1098.002.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='app:detect:o365-quick-mail-consent'
References ⫘
- Schemas