Proposal: Create a new Defender policy to check for users with their mailbox audit logging bypassed #1417
Labels:
- baseline-document: Issues relating to the text in the baseline documents themselves
- enhancement: This issue or pull request will add new or improve existing functionality
- hands-on-prototyping: Reviewing an M365 feature by performing hands-on prototyping
💡 Summary
This is a new Defender policy proposal that can be voted on by the team. It is also dependent on hands-on prototyping to understand how the feature works in practice to determine its feasibility for Scuba. This may also depend on ScubaGear implementing per-user checks, which is currently being investigated.
I suggest implementing a new policy to check for users that have their mailbox audit logging set to bypass. According to Microsoft, "you can't disable mailbox auditing for specific mailboxes when mailbox auditing on by default is turned on in your organization. However, you can still use the Set-MailboxAuditBypassAssociation cmdlet in Exchange Online PowerShell to prevent all mailbox actions by the specified users from being logged." This seems like the perfect configuration for an adversary to hide their tracks when targeting the emails of specific users.
Motivation and context
Help prevent adversaries from performing defense evasion during email cyber attacks.
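The following is an added example of how such a check could be expressed in Exchange Online PowerShell; it is not code from the issue author or from ScubaGear, and the function name `Get-MailboxAuditBypassFindings` and the output shape are hypothetical. It assumes an existing `Connect-ExchangeOnline` session with a role permitted to run `Get-OrganizationConfig` and `Get-MailboxAuditBypassAssociation`. It checks the tenant-wide audit switch first, because a bypass list is irrelevant if mailbox auditing is off for the whole organization anyway.

```powershell
# Added example, not part of the original issue or of ScubaGear.
# Assumes Connect-ExchangeOnline has already been run. Function name is hypothetical.
function Get-MailboxAuditBypassFindings {
    [CmdletBinding()]
    param()

    # Tenant-wide setting: AuditDisabled = $true means mailbox auditing on by default is off,
    # so no mailbox actions are logged regardless of per-user bypass associations.
    $orgConfig = Get-OrganizationConfig
    $auditOnByDefault = -not [bool]$orgConfig.AuditDisabled

    # Enumerate all bypass associations. -ResultSize Unlimited avoids the default
    # 1000-object cap so a bypassed account buried late in a large tenant is not missed.
    $bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled -eq $true } |
        Select-Object Name, Identity, AuditBypassEnabled

    # A bypass association suppresses logging of actions performed BY the listed account
    # in any mailbox it touches (including delegate access), not just its own mailbox,
    # so every entry here is a principal whose mailbox activity is invisible to audit.
    [PSCustomObject]@{
        MailboxAuditingOnByDefault = $auditOnByDefault
        BypassedPrincipals         = @($bypassed)
        Compliant                  = ($auditOnByDefault -and @($bypassed).Count -eq 0)
    }
}

# Usage: report the accounts whose actions are not being audited.
$result = Get-MailboxAuditBypassFindings
if (-not $result.MailboxAuditingOnByDefault) {
    Write-Warning 'Mailbox auditing on by default is turned off for this organization.'
}
if ($result.BypassedPrincipals.Count -gt 0) {
    $result.BypassedPrincipals | Format-Table -AutoSize
}
```

Remediation for an unexpected entry is `Set-MailboxAuditBypassAssociation -Identity <account> -AuditBypassEnabled $false`. A bypass association should be reviewed against a documented allow list rather than treated as a finding on sight, since Microsoft describes the cmdlet as intended for accounts such as service accounts that access mailboxes frequently; the policy's check would be that any such exception is known and justified, not that the list is always empty.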