Description
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account.
For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe)
Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper)
This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
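As an added defender-side example (not code from the ATT&CK page or from any cited report), the PowerShell below audits an Exchange Online tenant for the three grant paths described above: mailbox-level delegates added with Add-MailboxPermission, Default/Anonymous rights on the Top of Information Store and Inbox folders, and recent grant cmdlets recorded in the unified audit log. It assumes a session already opened with Connect-ExchangeOnline (ExchangeOnlineManagement module); the cmdlet names are Microsoft's, while the function name and the 30-day window are this example's own choices.

```powershell
# Added audit script (not from the ATT&CK page). Assumes Connect-ExchangeOnline has been run.
# Emits one object per finding; nothing here changes any permission.
function Get-SuspiciousMailboxDelegation {
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName

        # 1. Mailbox-level delegates (what Add-MailboxPermission creates).
        #    Inherited entries, explicit denies and the owner's own SELF entry are expected noise.
        Get-MailboxPermission -Identity $upn |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $upn; Scope = 'Mailbox'; Principal = $_.User
                                   Rights = ($_.AccessRights -join ',') }
            }

        # 2. Folder-level rights on the root (Top of Information Store) and Inbox.
        #    For the built-in Default and Anonymous principals anything other than None is a finding.
        foreach ($folder in @("${upn}:\", "${upn}:\Inbox")) {
            Get-MailboxFolderPermission -Identity $folder -ErrorAction SilentlyContinue |
                Where-Object { $_.User.DisplayName -in @('Default', 'Anonymous') -and
                               ($_.AccessRights -join ',') -ne 'None' } |
                ForEach-Object {
                    [pscustomobject]@{ Mailbox = $upn; Scope = "Folder:$($_.FolderName)"
                                       Principal = $_.User.DisplayName; Rights = ($_.AccessRights -join ',') }
                }
        }
    }

    # 3. Who granted what recently: Exchange admin audit records carry the cmdlet name as Operation.
    #    AuditData is JSON; ObjectId is the mailbox the cmdlet targeted.
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 `
        -Operations 'Add-MailboxPermission', 'Add-MailboxFolderPermission', 'Set-MailboxFolderPermission' |
        ForEach-Object {
            $data = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{ Mailbox = $data.ObjectId; Scope = "AuditLog:$($_.Operations)"
                               Principal = $_.UserIds; Rights = $_.CreationDate }
        }
}

Get-SuspiciousMailboxDelegation | Format-Table -AutoSize
```

Review each mailbox-level delegate and Default/Anonymous entry against a known-good baseline; the audit-log section then tells you which account performed the grant and when, which is the pivot for scoping the compromise.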
Mitigations (3)
Privileged Account Management (M1026)
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
Multi-factor Authentication (M1032)
Use multi-factor authentication for user and privileged accounts.
Disable or Remove Feature or Program (M1042)
If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console.(Citation: Gmail Delegation)
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) granted compromised email accounts read access to the email boxes of additional targeted accounts... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a PowerShell cmdlet to grant the `ApplicationImpersonation` role to a compromised a... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used a compromised global administrator account in Azure AD to backdoor a service principal with `A... |
References
- Bienstock, D. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved November 17, 2024.
- Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.
- Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022.
- Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
- Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
- Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.
Frequently Asked Questions
What is T1098.002 (Additional Email Delegate Permissions)?
T1098.002 is a MITRE ATT&CK technique named 'Additional Email Delegate Permissions'. It belongs to the Persistence and Privilege Escalation tactics. Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the `Add-MailboxPermission` [PowerShell](https://at...
How can T1098.002 be detected?
Detection of T1098.002 (Additional Email Delegate Permissions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1098.002?
There are 3 documented mitigations for T1098.002. Key mitigations include: Privileged Account Management, Multi-factor Authentication, Disable or Remove Feature or Program.
Which threat groups use T1098.002?
Known threat groups using T1098.002 include: Magic Hound, APT28, APT29.