Office Protect Event - Email Impersonation

Exchange gives the ability for authorized users to send emails as someone else. This can be used as part of larger operations that include phishing, or for internal abuse. 


This differs from using “Send On Behalf” which is much more transparent. Shared mailboxes are ignored for this event.


Remediation


This action should not be considered as normal, best practice for organization would be to encourage users to send email using the “Send on Behalf” functionality instead of “Send As”, whenever possible, to ensure full transparency and mitigate risk, whether is fishing or internal risks. 


“Send As” from an important user in the organization should be automatically investigation for privilege abuse or phishing attempts. 


If the action is considered as unusual, investigate if the user that performed the “Send As” action had other activities on the account that can be considered as suspicious. Here are a few examples:


Check for any Office Protect events related to this user such as:

  • Sign-in from an Unauthorized Country
  • Admin Role Change
  • Account Created, etc. 


You can find all the Office Protect events related to a user in the Report section.


Overview of mailbox permissions for Exchange: https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide