Mailbox Delegation Risk: Unauthorised Access & Impersonation Exposure

Why this risk matters

Mailbox delegation permissions — FullAccess, SendAs, and SendOnBehalf — allow one user or account to access, read, and send email on behalf of another. These permissions are legitimate and widely used for executive assistants, shared inboxes, finance teams, and helpdesk operations. But when they are misconfigured, undocumented, or accumulated over time, they represent a significant and often overlooked access risk.

Overe flags mailbox delegation configurations that appear broad, undocumented, or unexpected — particularly on high-value mailboxes like executive accounts, finance inboxes, shared service accounts, and HR mailboxes. A FullAccess delegate can read, move, delete, and manage everything in a mailbox without the owner's involvement. SendAs delegates can send email that appears to come from the mailbox owner with no visible indication for recipients.

Delegation permissions are rarely audited after they are set, and they survive password resets, MFA changes, and most account remediation steps. They are frequently missed during incident response.

What happens if this is abused

  • Delegate with FullAccess reads confidential communications in an executive or finance mailbox without the owner's knowledge
  • SendAs permission used to send phishing emails, payment redirection requests, or internal impersonations that appear to come from a trusted account
  • Attacker who compromises a delegate account inherits access to every mailbox the delegate has FullAccess to
  • Delegation set during a helpdesk escalation and never removed, leaving access open long after the original need ended
  • Former employee's account retains access to a shared mailbox they were delegated to, because offboarding did not include a delegation review
  • Broad delegation on a shared mailbox accessed by too many people makes it impossible to attribute suspicious activity
  • SendAs permission used to impersonate a finance approver or executive in payment authorisation requests, appearing fully legitimate to recipients and bypassing email security controls
  • Delegation created during an incident response escalation and never formally closed out, creating permanent access that was never intended to be long-term

When this is expected or acceptable

Mailbox delegation is a routine and legitimate feature. Executive assistants with FullAccess to a manager's mailbox, a helpdesk team with SendOnBehalf on a support alias, or a finance team sharing access to an accounts payable inbox are all expected scenarios.

Delegation is acceptable when it is documented, tied to a named business purpose, assigned to the minimum set of users required, and reviewed when the relationship or role changes. Delegation that has not been reviewed since it was originally set is a risk regardless of its original intent.

Checks to perform before taking action

Before modifying mailbox delegation:

  • Identify all accounts with FullAccess, SendAs, or SendOnBehalf delegations on high-value mailboxes
  • Confirm whether each delegation has a named business owner and a documented purpose
  • Check when the delegation was created and whether it is still operationally required
  • Review whether any delegated accounts belong to former employees, contractors, or accounts with other risk signals
  • For shared mailboxes, confirm who has access and whether that list is still accurate
  • Check whether the delegated accounts themselves have strong MFA and are not dormant or risky
  • Review Overe for any alerts tied to accounts that also hold delegation permissions on sensitive mailboxes

Safe remediation steps

  1. Use Overe to review delegation assignments across high-value mailboxes — executive, finance, HR, and shared service inboxes first
  2. For delegations with no documented purpose or named owner, investigate before removing
  3. For former employees or offboarded accounts with active delegation, remove immediately
  4. For valid delegations, confirm the scope is appropriate — FullAccess where only SendOnBehalf is needed is over-privileged
  5. For shared mailboxes with broad access, review the full access list and reduce to only those with an active need
  6. Document all active delegations with a named owner and a review date
  7. Establish offboarding checks that include review and removal of delegation permissions for departing employees

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Overe Auto-Response: The Mailbox Permissions Modified and Suspicious Rights Delegation alerts can be configured in Overe to trigger automatic session revocation or account block when mailbox permission changes or full rights delegations are detected unexpectedly. Review your Auto-Response settings under Org Config > Auto-Response.

How Overe Helps

Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:

  • Enable Unified Log — Manages the Audit Log which records user and admin activity and is required for Overe to monitor and detect anomalous activity.
  • Require MFA authentication for administrators — Creates a Conditional Access Policy that requires users in administrative roles to use MFA for all Microsoft cloud apps.
  • Windows Device Security Audit and Event Logging — Captures detailed Windows security events to support threat detection, investigation, and compliance.

Related risks and follow-on checks

After reviewing mailbox delegation, also check these related risk areas:

  • Risky Inbox Forwarding Rules — a compromised delegate account may add forwarding rules to mailboxes it has FullAccess to; check all mailboxes with known delegation for active forwarding rules
  • Suspicious Inbox Rules — alongside forwarding, an attacker with FullAccess may add rules hiding security notifications from the mailbox owner; check both rule types on high-value mailboxes
  • External Email Forwarding Rules — if a delegated account or the mailbox owner is compromised, SMTP forwarding may also be enabled; investigate both levels of forwarding in the same review
  • Dormant Users — delegation held by former employees or accounts with no recent activity is particularly dangerous; cross-reference delegation lists against dormant user accounts
  • Mailbox Audit Bypass — check whether mailbox audit is enabled on mailboxes with delegation; if auditing is disabled, delegate activity will not be logged and post-incident investigation becomes impossible
Free Microsoft 365 assessment

Check this risk in your own tenant

This recommendation explains what should be configured. Overe shows you where the gaps actually exist.

Find risky users, devices, apps, policies and tenant settings in minutes.

No agents. No heavy setup. Clear results in minutes.