Office Protect Event - Mailbox Access granted to Non-Owner

Whenever access to a mailbox is permanently granted to someone who is not the owner of the mailbox, this event will trigger. 


Privilege escalation is a big target for hackers, as it grants access to multiple accounts without having to hack them all. This event can be a sign that a hacker is exploring your data. It can also point to internal actors misbehaving and abusing their access.


Remediation


We always recommend using Shared Mailboxes if multiple users need to access to certain emails and avoid Mailbox Delegation as much as possible in an organization. You can remove mailbox delegation from a mailbox through the Exchange Admin Center. 

 

Unfortunately, there are no way to prevent users from using Mailbox Delegation, but we recommend that you audit Mailbox Delegation regularly. A full Mailbox Delegation report is available in Office Protect Advanced Reporting.

 

Microsoft Documentation on Mailbox Delegation: https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/give-mailbox-permissions-to-another-user?view=o365-worldwide