Exchange Online logs mailbox access events — who read what emails, which items were deleted, when rules were created — through mailbox auditing. By default, mailbox auditing is enabled for most accounts in Microsoft 365 and records a broad set of actions performed by admins, delegates, and the mailbox owner.
When mailbox audit bypass is enabled for an account, all auditing for that mailbox is suppressed. Actions taken in or on that mailbox — reading emails, deleting items, creating rules, exporting content — are no longer recorded. This is a legitimate feature designed for service accounts and automated processes where the volume of audit events would be unmanageable. But when it is applied to a regular user account or an admin, it creates a forensic blind spot that an attacker can exploit to operate invisibly.
Enabling audit bypass for an account under investigation, or for an account an attacker controls, is a deliberate anti-forensics technique that significantly hampers incident response.
Mailbox audit bypass has legitimate use cases, but they are narrow and well-defined:
In all cases, bypass should be applied to accounts that are service accounts, not human user accounts. If audit bypass is enabled on a named individual's account, a shared mailbox used by real people, or an admin account, it requires immediate scrutiny.
Get-MailboxAuditBypassAssociation to see all accounts with bypass enabled and confirm whether each one is a legitimate service accountSet-MailboxAuditBypassAssociation -Identity <user> -AuditByPassEnabled $falseOvere Auto-Response: The Mailbox Audit Bypass Enabled alert can be configured in Overe to trigger automatic session revocation or account block for the affected account when this activity is detected. Review your Auto-Response settings under Org Config > Auto-Response — given this is an anti-forensics technique, automated containment is strongly recommended.
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
After investigating a mailbox audit bypass alert, review these related risk areas: