MITRE ATT&CK Technique
Description
Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email account. For example, the <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In Google Workspace, delegation can be enabled via the Google Admin console and users can delegate accounts via their Gmail settings.(Citation: Gmail Delegation)(Citation: Google Ensuring Your Information is Safe) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. In Office 365 environments, adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Mandiant Defend UNC2452 White Paper) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can add [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-19T16:54:28.516Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may grant additional permission levels to '
'maintain persistent access to an adversary-controlled email '
'account. \n'
'\n'
'For example, the <code>Add-MailboxPermission</code> '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'cmdlet, available in on-premises Exchange and in the '
'cloud-based service Office 365, adds permissions to a '
'mailbox.(Citation: Microsoft - '
'Add-MailboxPermission)(Citation: FireEye APT35 '
'2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) In '
'Google Workspace, delegation can be enabled via the Google '
'Admin console and users can delegate accounts via their Gmail '
'settings.(Citation: Gmail Delegation)(Citation: Google '
'Ensuring Your Information is Safe) \n'
'\n'
'Adversaries may also assign mailbox folder permissions '
'through individual folder permissions or roles. In Office 365 '
'environments, adversaries may assign the Default or Anonymous '
'user permissions or roles to the Top of Information Store '
'(root), Inbox, or other mailbox folders. By assigning one or '
'both user permissions to a folder, the adversary can utilize '
'any other account in the tenant to maintain persistence to '
'the target user’s mail folders.(Citation: Mandiant Defend '
'UNC2452 White Paper)\n'
'\n'
'This may be used in persistent threat incidents as well as '
'BEC (Business Email Compromise) incidents where an adversary '
'can add [Additional Cloud '
'Roles](https://attack.mitre.org/techniques/T1098/003) to the '
'accounts they wish to compromise. This may further enable use '
'of additional techniques for gaining access to systems. For '
'example, compromised business accounts are often used to send '
'messages to other accounts in the network of the target '
'business while creating inbox rules (ex: [Internal '
'Spearphishing](https://attack.mitre.org/techniques/T1534)), '
'so the messages evade spam/phishing detection '
'mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)',
'external_references': [{'external_id': 'T1098.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1098/002'},
{'description': 'Bienstock, D.. (2019). BECS and '
'Beyond: Investigating and Defending '
'O365. Retrieved November 17, 2024.',
'source_name': 'Bienstock, D. - Defending O365 - '
'2019',
'url': 'https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511'},
{'description': 'Crowdstrike. (2018, July 18). Hiding '
'in Plain Sight: Using the Office 365 '
'Activities API to Investigate '
'Business Email Compromises. '
'Retrieved January 19, 2020.',
'source_name': 'Crowdstrike Hiding in Plain Sight '
'2018',
'url': 'https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/'},
{'description': 'Google. (2011, June 1). Ensuring '
'your information is safe online. '
'Retrieved April 1, 2022.',
'source_name': 'Google Ensuring Your Information is '
'Safe',
'url': 'https://googleblog.blogspot.com/2011/06/ensuring-your-information-is-safe.html'},
{'description': 'Google. (n.d.). Turn Gmail '
'delegation on or off. Retrieved '
'April 1, 2022.',
'source_name': 'Gmail Delegation',
'url': 'https://support.google.com/a/answer/7223765?hl=en'},
{'description': 'Mandiant. (2018). Mandiant M-Trends '
'2018. Retrieved November 17, 2024.',
'source_name': 'FireEye APT35 2018',
'url': 'https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf'},
{'description': 'Mandiant. (2021, January 19). '
'Remediation and Hardening Strategies '
'for Microsoft 365 to Defend Against '
'UNC2452. Retrieved January 22, 2021.',
'source_name': 'Mandiant Defend UNC2452 White Paper',
'url': 'https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452'},
{'description': 'Microsoft. (n.d.). Add-Mailbox '
'Permission. Retrieved September 13, '
'2019.',
'source_name': 'Microsoft - Add-MailboxPermission',
'url': 'https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps'}],
'id': 'attack-pattern--e74de37c-a829-446c-937d-56a44f0e9306',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:32.801Z',
'name': 'Additional Email Delegate Permissions',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Microsoft Detection and Response Team (DART)',
'Mike Burns, Mandiant',
'Jannie Li, Microsoft Threat Intelligence\u202f'
'Center\u202f(MSTIC)',
'Arad Inbar, Fidelis Security',
'Nilesh Dherange (Gurucul)',
'Naveen Vijayaraghavan'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Office Suite'],
'x_mitre_version': '2.2'}