Shared Mailbox Successful Sign In

Detects Azure shared mailboxes with successful interactive logins in the last 7 days. Many people believe that shared mailboxes can never be logged into and are surprised to learn that when an Azure shared mailbox is created, sign in capabilities are actually enabled by default. Adversaries target these accounts as they typically do not have MFA configured. If they gain access to a shared mailbox, they may assign additional user permissions to the root inbox or other mailbox folders, allowing them to utilize any other account in the tenant to maintain access to the target user's mail folders.

Recommended Actions

Review if this was a legitimate login and if this mailbox is meant to have interactive logins.

If there is any unexpected behavior, adjust the mailbox's settings in the Microsoft 365 admin center to block sign-in for the shared mailbox account.

Compatibility

Microsoft Entra ID

PreviousService Account Successful Sign In NextSign-in from Recently Created IDP

Last updated 1 month ago