Account Manipulation: Additional Email Delegate Permissions, Sub-technique T1098.002 - Enterprise | MITRE ATT&CK®
Currently viewing ATT&CK v17.1, which was live between April 22, 2025 and October 27, 2025.
Account Manipulation: Additional Email Delegate Permissions
Other sub-techniques of Account Manipulation (7):
T1098.001  Additional Cloud Credentials
T1098.002  Additional Email Delegate Permissions
T1098.003  Additional Cloud Roles
T1098.004  SSH Authorized Keys
T1098.005  Device Registration
T1098.006  Additional Container Cluster Roles
T1098.007  Additional Local or Domain Groups
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the Add-MailboxPermission PowerShell cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox. [1][2][3] In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings. [4][5]

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders. [6]

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add Additional Cloud Roles to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: Internal Spearphishing), so the messages evade spam/phishing detection mechanisms. [7]
ID: T1098.002
Sub-technique of: T1098
Tactics: Persistence, Privilege Escalation
Platforms: Office Suite, Windows
Contributors: Arad Inbar, Fidelis Security; Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Microsoft Detection and Response Team (DART); Mike Burns, Mandiant; Naveen Vijayaraghavan; Nilesh Dherange (Gurucul)
Version: 2.2
Created: 19 January 2020
Last Modified: 15 April 2025
Procedure Examples

G0007  APT28: APT28 has used a PowerShell cmdlet to grant the ApplicationImpersonation role to a compromised account. [8]

G0016  APT29: APT29 has used a compromised global administrator account in Azure AD to backdoor a service principal with ApplicationImpersonation rights to start collecting emails from targeted mailboxes; APT29 has also used compromised accounts holding ApplicationImpersonation rights in Exchange to collect emails. [9][10]

C0038  HomeLand Justice: During HomeLand Justice, threat actors added the ApplicationImpersonation management role to accounts under their control to impersonate users and take ownership of targeted mailboxes. [11]

G0059  Magic Hound: Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group was then able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations. [2]

C0024  SolarWinds Compromise: During the SolarWinds Compromise, APT29 added their own devices as allowed IDs for ActiveSync using Set-CASMailbox, allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals. [12][13][14]
Mitigations

M1042  Disable or Remove Feature or Program: If email delegation is not required, disable it. In Google Workspace this can be accomplished through the Google Admin console. [4]

M1032  Multi-factor Authentication: Use multi-factor authentication for user and privileged accounts.

M1026  Privileged Account Management: Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
Detection

DS0015  Application Log / Application Log Content: Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. A larger than normal volume of emails sent from an account, and similar phishing emails sent from real accounts within a network, may be a sign that an account was compromised and that attempts to leverage access with modified email permissions are occurring.

DS0036  Group / Group Modification: Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions (including memberships in privileged groups) being granted to compromised accounts.

DS0002  User Account / User Account Modification: Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
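A detection rule of the kind the Application Log and User Account Modification entries describe, as an added example (not code from the ATT&CK page or from Microsoft): it scans parsed Unified Audit Log AuditData records for ModifyFolderPermissions events that give the Default or Anonymous user rights other than None, and for Add-MailboxPermission grants of FullAccess. The records are constructed, and the field names (Item.ParentFolder.MemberUpn, MemberRights, Path, Parameters) are assumptions approximating the Exchange audit schema.

```python
import re

# Constructed sample records (not real tenant data) shaped like parsed Unified
# Audit Log "AuditData" JSON. Field names (Item.ParentFolder.MemberUpn/MemberRights/
# Path, Parameters) are assumptions approximating the Exchange audit schema.
SAMPLE_RECORDS = [
    {"Operation": "ModifyFolderPermissions", "UserId": "alice@example.invalid",
     "MailboxOwnerUPN": "alice@example.invalid",
     "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberUpn": "Default",
                               "MemberRights": "Reviewer"}}},
    {"Operation": "ModifyFolderPermissions", "UserId": "bob@example.invalid",
     "MailboxOwnerUPN": "bob@example.invalid",
     "Item": {"ParentFolder": {"Path": "\\Calendar", "MemberUpn": "Default",
                               "MemberRights": "None"}}},
    {"Operation": "ModifyFolderPermissions", "UserId": "carol@example.invalid",
     "MailboxOwnerUPN": "carol@example.invalid",
     "Item": {"ParentFolder": {"Path": "\\Top of Information Store",
                               "MemberUpn": "Anonymous", "MemberRights": "Author"}}},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.invalid",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.invalid"},
                    {"Name": "User", "Value": "temp@example.invalid"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.invalid"},
]

SPECIAL_MEMBERS = {"default", "anonymous"}  # tenant-wide pseudo-users


def flag_record(rec):
    """Return an alert reason if the record matches the detection, else None."""
    op = rec.get("Operation")
    if op == "ModifyFolderPermissions":
        folder = rec.get("Item", {}).get("ParentFolder", {})
        member = folder.get("MemberUpn", "")
        rights = folder.get("MemberRights", "None")
        # Default/Anonymous with anything but None opens the folder tenant-wide.
        if member.lower() in SPECIAL_MEMBERS and rights != "None":
            return (f"{member} granted {rights} on {folder.get('Path')} of "
                    f"{rec.get('MailboxOwnerUPN')} by {rec.get('UserId')}")
    elif op == "Add-MailboxPermission":
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        rights = set(re.split(r"[;,]\s*", params.get("AccessRights", "")))
        if "FullAccess" in rights:  # full mailbox delegation to another account
            return (f"{params.get('User')} granted FullAccess to "
                    f"{params.get('Identity')} by {rec.get('UserId')}")
    return None


def scan(records):
    """Run the detection over parsed records; returns (Operation, reason) pairs."""
    return [(r["Operation"], reason) for r in records if (reason := flag_record(r))]
```

In a real pipeline, feed each AuditData JSON string through json.loads before calling scan, and baseline the Calendar free/busy case, which legitimately leaves Default with limited rights in many tenants.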
References

[1] Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.
[2] Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.
[3] Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.
[4] Google. (n.d.). Turn Gmail delegation on or off. Retrieved April 1, 2022.
[5] Google. (2011, June 1). Ensuring your information is safe online. Retrieved April 1, 2022.
[6] Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
[7] Bienstock, D. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved November 17, 2024.
[8] NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
[9] Bienstock, D. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
[10] Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
[11] MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
[12] Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
[13] MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
[14] Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.