Exchange Online admin access is high leverage. A single compromised admin account, an over-permissioned role group, or a risky app registration can turn email into an access broker for the rest of the tenant. The goal in most intrusions is not “Exchange takeover” as an end state. The goal is durable collection, silent diversion of sensitive mail, impersonation capability, and the ability to change mail flow so that fraud and persistence survive password resets.
Microsoft’s telemetry and guidance around mailbox compromise investigations, audit log usage, connector abuse, and forwarding-rule alerts all point to the same operational theme: attackers like changes that look like “normal administration,” then they hide inside the gap between identity logs, Exchange admin logs, and mailbox audit trails.
Exchange Online administration can directly modify how mail is delivered, who can access mailboxes, which accounts can send as which identities, and which messages get redirected or suppressed. Many of these changes do not require malware on endpoints. They can be executed from a browser session or PowerShell using an admin token, leaving defenders to piece together intent from audit artifacts and configuration state.
TIC-grade defenders usually treat identity compromise as the “real” incident and Exchange changes as symptoms. In practice, Exchange configuration changes often become the persistence mechanism, even after identity containment begins.
Abuse Pattern 1: Privilege expansion inside Exchange RBAC
A common path is adding a user to a privileged Exchange role group or creating a new role group that looks legitimate. Exchange Online permissions are governed by RBAC role groups, and the “Organization Management” role group and related role management capabilities are the keys that let an attacker grant themselves more Exchange authority.
What to watch for in telemetry and configuration state
Look for new or unusual membership changes to Exchange admin role groups, plus any new role group creations that mimic default naming. Pair that with sign-in anomalies for the actor, then verify whether the actor performed mailbox permission changes, mail flow changes, or forwarding configuration changes soon after.
If your SOC already monitors Entra ID role assignments, do not stop there. Exchange RBAC can be abused in ways that look like routine admin operations inside the Exchange admin center.
Abuse Pattern 2: Mailbox permission grants for covert access
After privilege foothold, a favored move is granting FullAccess, SendAs, or Send on Behalf to an attacker-controlled principal on targeted mailboxes. This enables collection and impersonation that can persist even after a user’s password reset, since mailbox permissions can outlive session tokens and may not trigger the same user-facing signals as a direct login.
The Add-MailboxPermission cmdlet is a canonical artifact for this behavior, and it is a useful anchor for hunting in unified audit records.
A practical approach is to hunt for mailbox permission changes scoped to executives, finance, procurement, and shared mailboxes used for vendor communications. Then pivot into mailbox audit records for actual access events on those mailboxes to confirm use after grant. Mailbox auditing is on by default in Exchange Online, and those events are searchable through Microsoft Purview Audit.
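The two halves of that approach, reviewing who currently holds FullAccess, SendAs and Send on Behalf on a watchlist of mailboxes and then confirming non-owner access after the grant, as an added Exchange Online PowerShell example that is not part of the original post. It assumes an existing Connect-ExchangeOnline session with rights to read recipient permissions and to search the audit log; the watchlist and approved-delegate addresses are constructed placeholders, and the LogonType values (0 owner, 1 admin, 2 delegate) follow the documented mailbox audit record schema.

```powershell
# Added example (not from the original post): enumerate non-default mailbox permissions on a
# watchlist of high-value mailboxes, then pivot to mailbox audit records for non-owner reads.
# Assumes Connect-ExchangeOnline has already been run. All addresses are constructed placeholders.
$Watchlist = @(
    'cfo@contoso.example',
    'ap-invoices@contoso.example',
    'vendors@contoso.example'
)
$ApprovedDelegates = @('ea-cfo@contoso.example')   # constructed placeholder
$DefaultTrustees   = @('NT AUTHORITY\SELF')        # present on every mailbox, not interesting

# 1. Current permission state (what an attacker would have left behind).
$Findings = foreach ($Mailbox in $Watchlist) {
    $Mbx = Get-Mailbox -Identity $Mailbox -ErrorAction Stop

    # FullAccess and other explicit grants; inherited entries come from tenant defaults.
    Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -notin $DefaultTrustees } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Mailbox; Kind = 'MailboxPermission'; Trustee = "$($_.User)"; Rights = ($_.AccessRights -join ',') }
        }

    # SendAs is a recipient permission in Exchange Online, not a mailbox permission.
    Get-RecipientPermission -Identity $Mailbox |
        Where-Object { "$($_.Trustee)" -notin $DefaultTrustees } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Mailbox; Kind = 'SendAs'; Trustee = "$($_.Trustee)"; Rights = ($_.AccessRights -join ',') }
        }

    # Send on Behalf is stored on the mailbox object itself.
    foreach ($Delegate in $Mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $Mailbox; Kind = 'SendOnBehalf'; Trustee = "$Delegate"; Rights = 'SendOnBehalf' }
    }
}

"== Trustees not on the approved list =="
$Findings |
    Where-Object { $_.Trustee -notin $ApprovedDelegates } |
    Sort-Object Mailbox, Kind |
    Format-Table -AutoSize

# 2. Confirm use after grant: non-owner reads of the watchlist mailboxes in the last 30 days.
#    MailItemsAccessed is an ExchangeItemAggregated record; availability depends on licensing.
#    LogonType in mailbox audit records: 0 = owner, 1 = admin, 2 = delegate.
$Start = (Get-Date).AddDays(-30); $End = Get-Date
$NonOwnerAccess = foreach ($Mailbox in $Watchlist) {
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType ExchangeItemAggregated `
        -Operations MailItemsAccessed -FreeText $Mailbox -ResultSize 5000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.MailboxOwnerUPN -eq $Mailbox -and $_.LogonType -ne 0 } |
        Select-Object CreationTime, MailboxOwnerUPN, UserId, LogonType, ClientIPAddress, OperationCount
}

"== Non-owner access to watchlist mailboxes =="
$NonOwnerAccess | Sort-Object CreationTime | Format-Table -AutoSize
```

The second step is deliberately scoped per mailbox with -FreeText because MailItemsAccessed volume across a tenant easily exceeds a single 5,000-record result set; for a full reconstruction, page with -SessionCommand ReturnLargeSet instead of relying on one call.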
Abuse Pattern 3: Silent diversion using mailbox forwarding and inbox rules
Business email compromise frequently relies on auto-forwarding and inbox rules to divert invoices, suppress security notifications, or copy all correspondence to an external mailbox. Microsoft publishes investigation playbooks for suspicious inbox forwarding and inbox manipulation rules, which is a good indicator that this remains one of the most common persistence and fraud-enablement tactics.
There are two dimensions worth separating during investigations:
- One is mailbox-level forwarding, often called SMTP forwarding, which can redirect mail without creating a visible inbox rule for the user.
- The other is inbox rules and other mailbox rules that move, delete, redirect, or forward messages based on keywords, sender identity, or header traits.
Outbound spam policies can also control automatic external forwarding, and Microsoft documents how disabling automatic forwarding blocks inbox rules and mailbox forwarding that redirect to external addresses. This matters during containment because it can serve as a tenant-wide mitigation that does not depend on finding every single malicious rule first.
For attribution and scoping, Microsoft provides guidance on using audit logs to identify who created or modified mailbox rules and how to investigate these scenarios using Purview Audit.
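Both dimensions, mailbox-level SMTP forwarding and inbox rules that forward, redirect or delete, together with the outbound spam policy setting that governs external auto-forwarding, as an added configuration-state sweep that is not part of the original post. It assumes a Connect-ExchangeOnline session and treats any accepted domain of the tenant as internal; the parsing of inbox rule targets assumes the usual "Name [SMTP:address]" rendering, which is an assumption about output formatting rather than something the post states.

```powershell
# Added example (not from the original post): enumerate mailbox-level forwarding and inbox rules
# that forward, redirect or delete mail, flag external destinations, and show the tenant-wide
# auto-forwarding control. Assumes Connect-ExchangeOnline has been run.
$InternalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets render as 'Display Name [SMTP:user@domain]' (assumed format) or as a plain
    # address; mailbox ForwardingSmtpAddress renders as 'smtp:user@domain'.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    if ($Address -notmatch '@') { return $false }   # a recipient object inside the tenant
    $Domain = $Address.Split('@')[-1].TrimEnd(']')
    return ($InternalDomains -notcontains $Domain)
}

# 1. Mailbox-level (SMTP) forwarding: never visible in the user's own rule list.
$Mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$ForwardingFindings = $Mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $Target = if ($_.ForwardingSmtpAddress) { "$($_.ForwardingSmtpAddress)" } else { "$($_.ForwardingAddress)" }
        [pscustomobject]@{
            Mailbox   = $_.PrimarySmtpAddress
            Source    = 'MailboxForwarding'
            Target    = $Target
            External  = Test-ExternalAddress $Target
            KeepsCopy = $_.DeliverToMailboxAndForward   # $false means the owner never sees the mail
        }
    }

# 2. Inbox rules that move mail out of the owner's view or out of the tenant.
#    Get-InboxRule is per mailbox, so this pass is slow on large tenants; scope $Mailboxes if needed.
$RuleFindings = foreach ($Mbx in $Mailboxes) {
    Get-InboxRule -Mailbox $Mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $Targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox   = $Mbx.PrimarySmtpAddress
                Source    = "InboxRule:$($_.Name)"
                Target    = if ($Targets) { ($Targets -join '; ') } else { '<delete>' }
                External  = [bool]($Targets | Where-Object { Test-ExternalAddress "$_" })
                KeepsCopy = -not $_.DeleteMessage
            }
        }
}

# 3. Tenant control: does any outbound spam policy still allow automatic external forwarding?
$PolicyState = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode, IsDefault

"== Forwarding and rule findings (external first) =="
@($ForwardingFindings) + @($RuleFindings) | Sort-Object External -Descending | Format-Table -AutoSize
"== Outbound spam policy auto-forwarding mode =="
$PolicyState | Format-Table -AutoSize
```

Rules that only delete (Target shows `<delete>`) are kept in the output on purpose: suppressing security notifications or bounce messages is part of the same playbook even though nothing leaves the tenant.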
Abuse Pattern 4: Mail flow connectors used for spam, exfiltration, or delivery manipulation
Connectors can be used legitimately to support hybrid mail flow or third-party mail hygiene. Attackers also use them to send spam, bypass controls, or reroute mail. Microsoft’s guidance includes response steps for compromised connectors, and Microsoft Defender has alert classification material for malicious connector activity.
From a detection engineering angle, inbound and outbound connector creation or modification operations such as New-InboundConnector and Set-InboundConnector are strong signals when they occur outside planned change windows. Third-party rulesets also anchor on these operations for monitoring Exchange audit logs.
One operational pitfall: organizations sometimes discover rogue connector behavior and cannot immediately find “who did it” in their audit searches. When that happens, the right next step is to validate audit ingestion configuration, permissions to search audit logs, and whether the relevant activity is recorded in the unified audit log data set for your licensing and retention configuration. Microsoft’s audit troubleshooting guidance exists for exactly this class of problem.
Abuse Pattern 5: Application access to mailboxes using Exchange application RBAC
Modern intrusions increasingly rely on app-based access, not user sessions. In Exchange Online, “RBAC for Applications” allows admins to grant an application permissions to access Exchange data, optionally scoped to a subset of mailboxes. This replaces older Application Access Policies and creates a clean persistence channel for an attacker that has reached administrative control.
If an attacker registers an app, grants it Exchange access, and then operates via that app identity, mailbox data access can happen without interactive logons by the targeted users. That is attractive for stealth and for operational stability during credential resets.
In practice, you want correlation across three sources: Entra ID audit logs for app consent and role assignment, Exchange application RBAC changes, and mailbox audit activity that reflects non-owner access patterns.
Audit data: what you can reliably use, and what you must validate
A lot of Exchange abuse investigations fail due to incomplete audit coverage, not lack of attacker activity.
Microsoft Purview Audit search is built on unified audit logging, and Search-UnifiedAuditLog is the underlying cmdlet used for searches. Retention differs by licensing, and Microsoft documents that audit records for Entra ID, Exchange, and SharePoint are retained for one year by default for E5-class licensing, while other licensing retains audit records for shorter periods. If you are doing incident response in a tenant with shorter retention, the window for reliable reconstruction is tighter than many teams assume.
Mailbox auditing is turned on by default in Exchange Online, and Microsoft documents how admins can manage mailbox auditing and search mailbox audit records. This is the data you want for questions like “did the attacker actually open messages” and “what was accessed after permissions were granted.”
Also watch for defensive evasion attempts that affect logging itself. Microsoft documents that audit log ingestion can be turned off using Set-AdminAuditLogConfig with UnifiedAuditLogIngestionEnabled set to false. If this setting changes during or before suspicious activity, treat it as high severity.
Practical hunting with Search-UnifiedAuditLog
Below are example pivots you can adapt. Exact operations and fields vary by workload and record type, so treat these as starting points, then refine based on what appears in your tenant’s audit schema and the “Operations” values you see in results.
Search-UnifiedAuditLog is the documented foundation for these searches, and Microsoft’s Purview Audit guidance includes workflow-level direction on running audit log searches and troubleshooting gaps.
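A set of starting pivots over Search-UnifiedAuditLog for the operations this post names across the five abuse patterns (role group and role assignment changes, permission grants, forwarding and rule changes, connector changes, application access, and the audit-ingestion switch in the previous section), as an added example that is not part of the original post. It assumes a Connect-ExchangeOnline session with the View-Only Audit Logs role; the operation list reflects the cmdlet names Exchange records for ExchangeAdmin events, and the category grouping is this example's own convention rather than anything in the audit schema.

```powershell
# Added example (not from the original post): page through Search-UnifiedAuditLog for the Exchange
# admin operations discussed in this post, flatten the JSON AuditData, and build an actor-centric
# view. Assumes Connect-ExchangeOnline has been run. Category names are this script's own labels.
$Operations = @{
    'RBAC'         = @('Add-RoleGroupMember', 'Update-RoleGroupMember', 'New-RoleGroup', 'New-ManagementRoleAssignment')
    'MailboxPerm'  = @('Add-MailboxPermission', 'Add-RecipientPermission', 'Set-Mailbox')
    'Rules'        = @('New-InboxRule', 'Set-InboxRule', 'New-TransportRule', 'Set-TransportRule')
    'Connectors'   = @('New-InboundConnector', 'Set-InboundConnector', 'New-OutboundConnector', 'Set-OutboundConnector')
    'AuditEvasion' = @('Set-AdminAuditLogConfig', 'Set-MailboxAuditBypassAssociation')
    'AppAccess'    = @('New-ServicePrincipal')
}

# Validate the logging itself before trusting an empty result set.
"== Current audit ingestion state =="
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled | Format-Table -AutoSize

function Get-ExoAdminAudit {
    param(
        [datetime]$Start = (Get-Date).AddDays(-14),
        [datetime]$End   = (Get-Date)
    )
    $SessionId = "exo-admin-hunt-$([guid]::NewGuid())"
    $Ops = @($Operations.Values | ForEach-Object { $_ })
    do {
        # ReturnLargeSet pages a session in chunks; stop when a chunk comes back short.
        $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType ExchangeAdmin `
            -Operations $Ops -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($Record in $Page) {
            $Data = $Record.AuditData | ConvertFrom-Json
            # Parameters is an array of {Name, Value}; flatten to 'Name=Value' pairs for matching.
            $Params   = ($Data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            $Category = ($Operations.GetEnumerator() | Where-Object { $_.Value -contains $Data.Operation }).Key
            [pscustomobject]@{
                Time      = [datetime]$Data.CreationTime
                Category  = $Category
                Operation = $Data.Operation
                Actor     = $Data.UserId
                ClientIP  = $Data.ClientIP
                Target    = $Data.ObjectId
                Params    = $Params
                Result    = $Data.ResultStatus
            }
        }
    } while ($Page -and $Page.Count -eq 5000)
}

$Events = Get-ExoAdminAudit

# Set-Mailbox is noisy; keep only the forwarding-related parameter changes.
$Events = $Events | Where-Object {
    $_.Operation -ne 'Set-Mailbox' -or $_.Params -match 'Forwarding(Smtp)?Address|DeliverToMailboxAndForward'
}

# Audit ingestion being switched off is the highest-severity finding in this set.
"== Audit ingestion disabled =="
$Events |
    Where-Object { $_.Category -eq 'AuditEvasion' -and $_.Params -match 'UnifiedAuditLogIngestionEnabled=False' } |
    Format-Table Time, Actor, ClientIP, Params -AutoSize

# Actor-centric pivot: who touched more than one category, from which IPs, and in what window.
"== Actors by category breadth =="
$Events | Group-Object Actor | ForEach-Object {
    [pscustomobject]@{
        Actor      = $_.Name
        Categories = ($_.Group.Category | Sort-Object -Unique) -join ','
        ClientIPs  = ($_.Group.ClientIP | Sort-Object -Unique) -join ','
        First      = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last       = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Count      = $_.Count
    }
} | Sort-Object Categories -Descending | Format-Table -AutoSize
```

The actor table is the pivot that matters most: an account that performs a role group change, then a permission grant, then a forwarding or connector change from the same client IP inside a short window is the sequence the abuse patterns above describe, and each row gives you the actor, time window and IP to carry into Entra ID sign-in logs.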
Response actions that reduce repeat abuse
During active response, it is common to focus on resetting passwords and revoking sessions while leaving mail persistence intact. Microsoft’s compromised email account response guidance is useful for keeping remediation anchored in what attackers actually change inside mailboxes.
A strong containment move for many tenants is tightening outbound auto-forwarding across the org using outbound spam policies, then allowing exceptions only where required. Microsoft documents how these policies affect inbox rules and mailbox forwarding to external recipients. That can stop a major class of persistence quickly, even before you have full scoping.
If connectors are in scope, Microsoft’s connector compromise response steps focus on reviewing connectors in the Exchange admin center, removing unknown connectors, and reverting unauthorized configuration. Pair that with audit searches for connector operations so you can identify the actor and the time window.
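The two containment moves just described, blocking automatic external forwarding in every outbound spam policy and neutralising unapproved inbound connectors, as an added example that is not part of the original post or of Microsoft's guidance. It assumes a Connect-ExchangeOnline session with Organization Management rights, runs in -WhatIf mode until `$Enforce` is set, and uses constructed placeholder names for the approved connector list; it disables rather than deletes unknown connectors so the objects survive for the audit search that identifies the actor.

```powershell
# Added example (not from the original post): tenant-wide containment for forwarding and connector
# persistence. Runs in audit mode (-WhatIf) until $Enforce is set to $true after change approval.
# Assumes Connect-ExchangeOnline has been run. Connector names below are constructed placeholders.
$Enforce         = $false
$KnownConnectors = @('Hybrid Inbound', 'MailHygiene-Inbound')   # constructed placeholder names

# 1. Block automatic external forwarding in every outbound spam policy.
#    AutoForwardingMode: Off = block, On = allow, Automatic = Microsoft-managed default.
#    The prior value is printed so the change can be reverted for approved exceptions.
foreach ($Policy in Get-HostedOutboundSpamFilterPolicy) {
    $Before = $Policy.AutoForwardingMode
    if ($Before -ne 'Off') {
        "Policy '$($Policy.Name)': AutoForwardingMode $Before -> Off"
        Set-HostedOutboundSpamFilterPolicy -Identity $Policy.Identity -AutoForwardingMode Off -WhatIf:(-not $Enforce)
    }
}

# 2. Review inbound connectors and disable (not delete) any that are enabled but not approved,
#    preserving the object and its WhenChanged timestamp for the audit-log search.
Get-InboundConnector | ForEach-Object {
    $Summary = [pscustomobject]@{
        Name          = $_.Name
        Enabled       = $_.Enabled
        Type          = $_.ConnectorType
        SenderDomains = ($_.SenderDomains -join ',')
        SenderIPs     = ($_.SenderIPAddresses -join ',')
        Changed       = $_.WhenChanged
        Approved      = $_.Name -in $KnownConnectors
    }
    if (-not $Summary.Approved -and $_.Enabled) {
        Set-InboundConnector -Identity $_.Identity -Enabled $false -WhatIf:(-not $Enforce)
    }
    $Summary
} | Format-Table -AutoSize
```

Run the same review over Get-OutboundConnector (SmartHosts and RecipientDomains are the fields to compare against the approved list) before declaring connectors out of scope; the WhenChanged value on each connector is the time anchor for the connector operations search in the previous section.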
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.