Shared and delegate mailbox scheduling for events

🚨 The Signal: Microsoft 365 now allows delegates and shared mailboxes to schedule events, sending invitations from the shared identity. This improves trust and consistency but expands the attack surface for impersonation if permissions are not tightly controlled.

The Impact

Admins and security teams are affected by the increased risk of impersonation and unauthorized access if delegate permissions are not reviewed and restricted.

  • Admins: Must review and tighten delegate permissions to prevent unauthorized event scheduling.
  • Security Teams: Increased risk of phishing and impersonation attacks leveraging trusted mailbox identities.
  • End Users: May receive legitimate-looking but malicious invitations if delegate accounts are compromised.
  • Delegates: Enhanced capabilities require heightened awareness of security best practices for their accounts.

The Action

  1. Review all existing delegate and shared mailbox permissions in Exchange Online.
  2. Implement the principle of least privilege for all delegate access to mailboxes.
  3. Audit delegate access regularly for any unauthorized or excessive permissions.
  4. Educate executive assistants and delegates on phishing risks and secure handling of their accounts.
  5. Configure Conditional Access policies to enforce MFA for delegate accounts accessing mailboxes.
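One way to carry out steps 1 and 3 above, as an added audit script that is not part of this brief or Microsoft's own tooling: it enumerates every standing grant that lets one account act as another mailbox (FullAccess, SendAs, SendOnBehalf and Calendar folder rights). It assumes the ExchangeOnlineManagement module is installed, the signed-in account can read mailbox permissions, and the output file name and the English "Calendar" folder name are assumptions for your tenant.

```powershell
# Added example, not Microsoft's code. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read mailbox permissions.
# The output path and the "Calendar" folder name are assumptions; adjust per tenant.
Connect-ExchangeOnline

# Shared mailboxes plus ordinary user mailboxes, so executive-assistant delegates are caught too.
$mailboxes = Get-EXOMailbox -RecipientTypeDetails SharedMailbox, UserMailbox `
    -ResultSize Unlimited -Properties GrantSendOnBehalfTo, PrimarySmtpAddress

$findings = foreach ($mbx in $mailboxes) {
    $id = [string]$mbx.PrimarySmtpAddress

    # FullAccess: the delegate can open the mailbox and act as it, including scheduling events.
    Get-EXOMailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Trustee = $_.User; Right = ($_.AccessRights -join ',') } }

    # SendAs: mail and invitations leave as the mailbox itself, the impersonation case the brief describes.
    Get-EXORecipientPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and $_.Trustee -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Trustee = $_.Trustee; Right = 'SendAs' } }

    # SendOnBehalf: stored on the mailbox object rather than as an ACL entry.
    foreach ($t in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $id; Trustee = [string]$t; Right = 'SendOnBehalf' }
    }

    # Calendar folder rights: Editor or Owner lets a delegate create events directly.
    # Assumes the default English folder name; localized mailboxes use a different path.
    Get-EXOMailboxFolderPermission -Identity "${id}:\Calendar" -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -notin 'Default', 'Anonymous' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Trustee = $_.User.DisplayName; Right = "Calendar:$($_.AccessRights -join ',')" } }
}

# Every row is a standing grant to act as another identity. Review each against a
# business justification and remove what fails least privilege, for example:
#   Remove-MailboxPermission -Identity <mailbox> -User <delegate> -AccessRights FullAccess
$findings | Sort-Object Mailbox, Trustee | Export-Csv -Path .\delegate-audit.csv -NoTypeInformation

# Accounts holding rights on many mailboxes are the highest-value targets; surface them first.
$findings | Group-Object Trustee | Where-Object Count -gt 3 |
    Select-Object @{ n = 'Trustee'; e = { $_.Name } }, Count
```

Run it on a schedule and diff successive CSVs to turn step 3 into a recurring check rather than a one-off review.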

Domain: Exchange · Impact: high · Workload: Exchange Online · Essential Eight: Restrict Administrative Privileges, Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0445, ISM-0974, ISM-1173, ISM-1175, ISM-1228, ISM-1380, ISM-1401, ISM-1504, ISM-1505, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1686, ISM-1688, ISM-1689, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1883, ISM-1892, ISM-1893, ISM-1894, ISM-1897, ISM-1898, ISM-1906, ISM-1907