Back to GSO Recommendations

Mailbox Audit Bypass

Why this risk matters

Exchange Online logs mailbox access events — who read what emails, which items were deleted, when rules were created — through mailbox auditing. By default, mailbox auditing is enabled for most accounts in Microsoft 365 and records a broad set of actions performed by admins, delegates, and the mailbox owner.

When mailbox audit bypass is enabled for an account, all auditing for that mailbox is suppressed. Actions taken in or on that mailbox — reading emails, deleting items, creating rules, exporting content — are no longer recorded. This is a legitimate feature designed for service accounts and automated processes where the volume of audit events would be unmanageable. But when it is applied to a regular user account or an admin, it creates a forensic blind spot that an attacker can exploit to operate invisibly.

Enabling audit bypass for an account under investigation, or for an account an attacker controls, is a deliberate anti-forensics technique that significantly hampers incident response.

What happens if this is abused

With audit bypass enabled, all mailbox-level activity for the affected account becomes invisible in audit logs. An attacker can read emails, export content via eDiscovery, create or delete inbox rules, and access any shared mailboxes the account has permission on — all without leaving a trace in the audit trail.

This is particularly damaging in the context of an active incident investigation. If an attacker has enabled audit bypass before or during an attack, the forensic record of what they accessed and when becomes incomplete or entirely absent, making it very difficult to determine the full scope of the breach.

Audit bypass is also used proactively in insider threat scenarios, where a malicious employee enables it before taking actions they want to conceal.

When this is expected or acceptable

Mailbox audit bypass has legitimate use cases, but they are narrow and well-defined:

  • Service accounts used by automated processes (e.g., email archiving tools, legal hold software, compliance export tools) where the volume of audit events would flood the audit log with low-value data
  • Migration accounts used during large-scale mailbox migrations where every move operation would otherwise generate thousands of audit entries
  • Specific integration accounts where the vendor has documented the requirement for bypass as part of their service configuration

In all cases, bypass should be applied to accounts that are service accounts, not human user accounts. If audit bypass is enabled on a named individual's account, a shared mailbox used by real people, or an admin account, it requires immediate scrutiny.

Checks to perform before taking action

  • In Exchange Online PowerShell, run Get-MailboxAuditBypassAssociation to see all accounts with bypass enabled and confirm whether each one is a legitimate service account
  • Check who enabled the bypass and when — the enabling action itself should be in the Entra ID unified audit log under Exchange admin activity
  • Verify whether the account in question is a genuine service account with documented purpose, or a named user or admin account
  • If this was enabled recently, check whether it coincides with any other suspicious activity (e.g., active incident, unusual sign-ins, rule creation)
  • Review what mailbox activity occurred in the affected account after bypass was enabled — while mailbox events are suppressed, other log sources (Entra ID sign-in logs, SharePoint audit, Defender) may still capture related activity

Safe remediation steps

  1. If audit bypass is enabled on a user account without a clear service account justification, disable it immediately via Exchange Online PowerShell: Set-MailboxAuditBypassAssociation -Identity <user> -AuditByPassEnabled $false
  2. Investigate who enabled the bypass and when — if an admin account was used to enable it without a corresponding change request, treat that admin account as potentially compromised
  3. Even with bypass disabled going forward, the historical period during which bypass was active has no audit trail for mailbox events — document this gap explicitly in any incident report
  4. Use alternative log sources to reconstruct activity during the bypass period: Entra ID sign-in logs, Defender for Office 365 email events, SharePoint audit logs, and any DLP alerts
  5. Review the full list of accounts with audit bypass enabled and revoke it for any account that cannot be justified as a low-volume service account
  6. Consider alerting on any future use of the Set-MailboxAuditBypassAssociation command via custom detection rules in Defender or a SIEM

Overe Auto-Response: The Mailbox Audit Bypass Enabled alert can be configured in Overe to trigger automatic session revocation or account block for the affected account when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response — given this is an anti-forensics technique, automated containment is strongly recommended.

Supporting documentation

Microsoft: Mailbox auditing in Exchange Online

Microsoft: Set-MailboxAuditBypassAssociation PowerShell reference

Microsoft: Search the audit log in the compliance portal

Related risks and follow-on checks

After investigating a mailbox audit bypass alert, review these related risk areas:

  • PST Export & eDiscovery Abuse — audit bypass is commonly paired with eDiscovery exports to reduce forensic visibility of the export activity
  • Suspicious Inbox Rules — if rules were created during the bypass period, they may not appear in the mailbox audit log; check the rules directly
  • Risky Inbox Forwarding Rules — similarly, forwarding rule creation during bypass would not be captured in mailbox audit
  • Session Hijack via Unusual IP Change — if the account was compromised via session hijack, audit bypass may have been one of the first actions taken
  • Mailbox Delegation Risk — check whether the affected account's delegation settings were modified during the bypass period
TBD CTA