Mailbox Delegation Risk: Unauthorised Access & Impersonation Exposure

Why this risk matters

Mailbox delegation permissions — FullAccess, SendAs, and SendOnBehalf — allow one user or account to access, read, and send email on behalf of another. These permissions are legitimate and widely used for executive assistants, shared inboxes, finance teams, and helpdesk operations. But when they are misconfigured, undocumented, or accumulated over time, they represent a significant and often overlooked access risk.

Overe flags mailbox delegation configurations that appear broad, undocumented, or unexpected, particularly on high-value mailboxes such as executive accounts, finance inboxes, shared service accounts, and HR mailboxes. A FullAccess delegate can read, move, delete, and manage everything in a mailbox without the owner's involvement (FullAccess by itself does not grant the right to send as the owner; that needs SendAs). A SendAs delegate can send email that appears to come from the mailbox owner with no visible indication for recipients, whereas SendOnBehalf stamps the message as sent "on behalf of" the owner and so leaves a visible trace.

Delegation permissions are rarely audited after they are set. They are stored on the target mailbox rather than on the delegate's account, so resetting the owner's password, re-enrolling MFA, or working through the usual account remediation steps leaves every delegate's access exactly as it was. Incident response that focuses on the owner account alone will miss them.

What happens if this is abused

  • Delegate with FullAccess reads confidential communications in an executive or finance mailbox without the owner's knowledge
  • SendAs permission used to send phishing emails, payment redirection requests, or internal impersonations that appear to come from a trusted account
  • Attacker who compromises a delegate account inherits access to every mailbox the delegate has FullAccess to
  • Delegation set during a helpdesk escalation and never removed, leaving access open long after the original need ended
  • Former employee's account retains access to a shared mailbox they were delegated to, because offboarding did not include a delegation review
  • Broad delegation on a shared mailbox accessed by too many people makes it impossible to attribute suspicious activity
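SendAs leaves no visible trace for recipients, but it does leave one in the unified audit log, and the same log shows who actually opened items in a mailbox. The following is an added example written for this page, not Overe's code or Microsoft sample code. It assumes the ExchangeOnlineManagement module is installed, the caller holds a role that can search the audit log, and mailbox auditing is enabled (on by default in Exchange Online). The watch list and the 30-day window are constructed placeholders; the MailItemsAccessed operation is only logged on licence tiers that include it, while SendAs and SendOnBehalf are in the standard log.

```powershell
# Added example: find audit records where someone other than the mailbox owner
# read items in, or sent mail from, a high-value mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$Start     = (Get-Date).AddDays(-30)
$End       = Get-Date
$WatchList = @('ceo@contoso.com', 'accountspayable@contoso.com')   # constructed placeholder

# 5000 is the per-call ceiling; page with -SessionId/-SessionCommand for larger windows.
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations 'MailItemsAccessed', 'SendAs', 'SendOnBehalf' `
    -ResultSize 5000

$DelegateActivity = foreach ($R in $Records) {
    $Data = $R.AuditData | ConvertFrom-Json

    # LogonType in mailbox audit records: 0 = owner, 1 = admin, 2 = delegate.
    if ($Data.LogonType -eq 0) { continue }
    if ($WatchList -and ($Data.MailboxOwnerUPN -notin $WatchList)) { continue }

    $LogonLabel = switch ($Data.LogonType) { 1 { 'Admin' } 2 { 'Delegate' } default { "$($Data.LogonType)" } }

    # For SendAs / SendOnBehalf records, the identity the message appeared to come from.
    $SentAs = $null
    if ($Data.SendAsUserSmtp)            { $SentAs = $Data.SendAsUserSmtp }
    elseif ($Data.SendOnBehalfOfUserSmtp) { $SentAs = $Data.SendOnBehalfOfUserSmtp }

    [pscustomobject]@{
        Time      = $R.CreationDate
        Operation = $Data.Operation
        Actor     = $Data.UserId          # the delegate (or admin) who acted
        Mailbox   = $Data.MailboxOwnerUPN # the mailbox that was accessed
        LogonType = $LogonLabel
        ClientIP  = $Data.ClientIPAddress
        SentAs    = $SentAs
    }
}

$DelegateActivity | Sort-Object Time -Descending | Format-Table -AutoSize
$DelegateActivity | Export-Csv -Path .\delegate-activity.csv -NoTypeInformation
```

The Actor column is what makes attribution possible on a shared mailbox: each delegate signs in with their own account, so the record names the person, not the alias. That attribution breaks down only when a shared mailbox is accessed with shared credentials rather than through delegation, which is one more reason to prefer delegation over a shared password.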

When this is expected or acceptable

Mailbox delegation is a routine and legitimate feature. Executive assistants with FullAccess to a manager's mailbox, a helpdesk team with SendOnBehalf on a support alias, or a finance team sharing access to an accounts payable inbox are all expected scenarios.

Delegation is acceptable when it is documented, tied to a named business purpose, assigned to the minimum set of users required, and reviewed when the relationship or role changes. Delegation that has not been reviewed since it was originally set is a risk regardless of its original intent.

Checks to perform before taking action

Before modifying mailbox delegation:

  • Identify all accounts with FullAccess, SendAs, or SendOnBehalf delegations on high-value mailboxes. The three are stored differently (FullAccess as a mailbox permission, SendAs as a recipient permission, SendOnBehalf as a property of the mailbox), so each must be queried separately; ignore the mailbox's own SELF entry and inherited entries, which are noise
  • Confirm whether each delegation has a named business owner and a documented purpose
  • Check when the delegation was created and whether it is still operationally required
  • Review whether any delegate accounts belong to former employees, contractors, or accounts with other risk signals
  • For shared mailboxes, confirm who has access and whether that list is still accurate
  • Check whether the delegate accounts themselves have strong MFA and are not dormant or risky, since a compromised delegate inherits every mailbox it has been granted
  • Review Overe for any alerts tied to accounts that also hold delegation permissions on sensitive mailboxes

Safe remediation steps

  1. Use Overe to review delegation assignments across high-value mailboxes — executive, finance, HR, and shared service inboxes first
  2. For delegations with no documented purpose or named owner, investigate before removing
  3. For former employees or offboarded accounts with active delegation, remove immediately
  4. For valid delegations, confirm the scope is appropriate — FullAccess where only SendOnBehalf is needed is over-privileged
  5. For shared mailboxes with broad access, review the full access list and reduce to only those with an active need
  6. Document all active delegations with a named owner and a review date
  7. Establish offboarding checks that include review and removal of delegation permissions for departing employees

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Related risks and follow-on checks

  • Risky inbox forwarding rules
  • Suspicious inbox rules
  • Dormant users
  • External email forwarding rules