MikeP751860
Brass Contributor
Sep 27, 2023

OfficeActivity - Rare and potentially high-risk Office operations and automation

Hi,

We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehaveOf and creating mail moving rules.

Wondered what modifications to the analytic rule people have made to reduce the noise or any automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user).

Regards

Mike

  • Tobias_Moe
    Copper Contributor
    Hi, I actually have not changed this rule myself yet. But my initial thought is to look at the mailboxes being shared, and to which users. From my experience, the most common false positive for this is people sharing access to their mailbox for a short period because they are going on vacation or sick leave or something else. So I would not say it is malicious to share your inbox internally. However, if shared externally and to another domain it would be more suspicious.
    • Tobias_Moe
      Copper Contributor
      Another point: look for newly created users as well, as that could be a potentially suspicious internal user getting access.
    • MikeP751860
      Brass Contributor
      Monkey_D_Luffy Not tuned it yet, but when I do I'm adding NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore) to be filtered out as we are getting events from the account.
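
One way to combine the tuning ideas raised in this thread (filter out the Exchange service account, and treat delegation or forwarding to another domain as more suspicious than internal sharing), as an added KQL example that is not the built-in analytic rule or any poster's query. The `internalDomains` value is a placeholder, and the operation list and parameter names (`GrantSendOnBehalfTo`, `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`) are assumptions to adjust for your tenant.

```kql
// Added example, not the built-in rule. Placeholders and assumptions are marked.
let internalDomains = dynamic(["contoso.example"]);  // placeholder: your accepted domains, lowercase
let ignoredActors = dynamic(["NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)"]);
// Assumption: parameters that name a delegate or a forwarding target.
let targetParams = dynamic(["GrantSendOnBehalfTo", "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"]);
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload == "Exchange"
| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
// Drop events generated by the service account mentioned in the thread.
| where UserId !in~ (ignoredActors)
// Parameters is a JSON array of {Name, Value}; expand to one row per parameter.
| mv-expand Param = todynamic(Parameters)
| extend ParamName = tostring(Param.Name),
         ParamValue = tolower(tostring(Param.Value))
| where ParamName in~ (targetParams)
// Pull every SMTP domain out of the value and compare with the internal list.
| extend TargetDomains = extract_all(@"@([a-z0-9.-]+)", ParamValue)
| extend ExternalDomains = iff(isnull(TargetDomains), dynamic([]),
                               set_difference(TargetDomains, internalDomains))
| extend Verdict = case(
    array_length(ExternalDomains) > 0, "external-target",
    isnull(TargetDomains), "unresolved-target",   // alias or display name, no domain to compare
    "internal-target")
| project TimeGenerated, UserId, Operation, ClientIP,
          ParamName, ParamValue, ExternalDomains, Verdict
// Alert on external and unresolved targets; route internal ones to a lower-severity review.
| where Verdict != "internal-target"
```

Rules that only move mail to a folder carry none of these target parameters, so this query does not cover them and they still need the original rule or a separate check.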
