Managed Sentinel – Alert 072
| Alert ID | MS-A072 |
| Alert Name | Non owner Office 365 mailbox login activity |
| Description | This alert helps you determine whether a mailbox was accessed with the Admin or Delegate logon type. These logon types indicate that the mailbox was accessed by a user other than its owner. Exchange allows admin and delegate permissions to access another user's inbox. |
| Severity Level | Medium |
| Threat Indicator | Elevation of Privilege |
| MITRE ATT&CK Tactics | Initial Access |
| Log sources | Office 365 |
| False Positive | Recurrent and approved O365 operational activities within your organization |
| Recommendations | 1. Review the generated events in the Azure Sentinel console. 2. If delegated access has been granted to specific users, you can whitelist those users and investigate the rest of the results. |
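
The triage logic described in the Description and Recommendations rows, as an added example that is not part of the Managed Sentinel alert itself: it keeps Admin/Delegate logons, drops whitelisted delegations, and summarises the rest per user and mailbox. The field names (`UserId`, `MailboxOwnerUPN`, `LogonType`, `TimeGenerated`), the logon-type spellings and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Logon types the alert treats as non-owner access (spellings are assumptions).
NON_OWNER_LOGON_TYPES = {"admin", "delegate", "delegated"}

# Constructed allowlist of approved (accessing user, mailbox owner) pairs.
APPROVED_DELEGATIONS = {("assistant@example.com", "ceo@example.com")}

# Constructed sample events; the field names are assumptions, not a real export.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-01-10T08:55:00Z", "UserId": "alice@example.com",
     "MailboxOwnerUPN": "alice@example.com", "LogonType": "Owner"},
    {"TimeGenerated": "2024-01-10T09:00:00Z", "UserId": "helpdesk.admin@example.com",
     "MailboxOwnerUPN": "bob@example.com", "LogonType": "Admin"},
    {"TimeGenerated": "2024-01-10T09:05:00Z", "UserId": "assistant@example.com",
     "MailboxOwnerUPN": "ceo@example.com", "LogonType": "Delegate"},
    {"TimeGenerated": "2024-01-10T09:30:00Z", "UserId": "helpdesk.admin@example.com",
     "MailboxOwnerUPN": "bob@example.com", "LogonType": "Admin"},
    {"TimeGenerated": "2024-01-10T10:15:00Z", "UserId": "Carol@Example.com",
     "MailboxOwnerUPN": "dave@example.com", "LogonType": "Delegate"},
]


def find_non_owner_logins(events, approved=frozenset(APPROVED_DELEGATIONS)):
    """Summarise non-owner mailbox logins per (user, mailbox), minus approved pairs."""
    groups = defaultdict(list)
    for ev in events:
        logon_type = str(ev.get("LogonType", "")).strip().lower()
        if logon_type not in NON_OWNER_LOGON_TYPES:
            continue  # owner logins and other logon types are out of scope
        # UPNs are case-insensitive, so normalise before comparing to the allowlist.
        user = str(ev.get("UserId", "")).strip().lower()
        owner = str(ev.get("MailboxOwnerUPN", "")).strip().lower()
        if (user, owner) in approved:
            continue  # approved delegation: a known false positive
        groups[(user, owner)].append((ev.get("TimeGenerated", ""), logon_type))
    findings = []
    for (user, owner), seen in groups.items():
        times = sorted(t for t, _ in seen)
        findings.append({"user": user, "mailbox": owner, "count": len(seen),
                         "logon_types": sorted({lt for _, lt in seen}),
                         "first_seen": times[0], "last_seen": times[-1]})
    # Most active user/mailbox pairs first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (-f["count"], f["user"], f["mailbox"]))


if __name__ == "__main__":
    for finding in find_non_owner_logins(SAMPLE_EVENTS):
        print(finding)
```

Keying the whitelist on the (user, mailbox) pair rather than on the user alone means an approved delegate is still reported when the same account opens a mailbox it was not approved for.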
