Office Protect Event - Mailbox Access by non-owner

Whenever someone who is not the owner accesses a mailbox, this event will trigger.

 

Privilege escalation is a big target for hackers. One reason is that it grants access to multiple accounts without having to hack them all. This event is a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access. Opening a Shared Mailboxes will not trigger this event.

 

Note that this events, depending on how many people have delegated access to your organization, generates a lot of alerts. Here are a few use cases that triggers the event: 

  • Delegated user opens another user’s mailbox
  • Delegated user opens another user’s calendar
  • Outlook Windows Client resynchronizes with the Exchange Server
  • Delegated user opens up the an Outlook Client from a new computer

 

Remediation


We always recommend using Shared Mailboxes if multiple users need access to certain emails, and avoid Mailbox Delegation as much as possible in an organization. You can remove mailbox delegation from a mailbox through the Exchange Admin Center.

 

Unfortunately, there is no way to prevent users from using Mailbox Delegation, but we recommend that you audit Mailbox Delegation regularly. A full Mailbox Delegation report is available in Office Protect Advanced Reporting.

 

Microsoft Documentation on Mailbox Delegation: https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide