Detects Azure shared mailboxes that have interactive login enabled.

Many people believe that shared mailboxes can never be logged into and are surprised to learn that when an Azure shared mailbox is created, sign-in capabilities are actually enabled by default. Adversaries target these accounts as they typically do not have MFA configured. If they gain access to a shared mailbox, they may assign additional user permissions to the root inbox or other mailbox folders, allowing them to utilize any other account in the tenant to maintain access to the target user's mail folders.

Recommended Actions

Review if this mailbox is meant to have interactive logins.

If there is any unexpected behavior, adjust the mailbox's settings in Azure to block sign-in for the shared mailbox account.

Compatibility

Microsoft Entra ID