Case :
UB1.C7 Email Delegate permissions
Protection :
UB1.C7.P1 – Audit Mailboxes
UB1.C7.P2 – Block/Disable permission delegation feature or require on-demand approval
Threat :
UB1.C7.T1 – Unauthorised user access to restricted or sensitive information over the delegated mailbox
UB1.C7.T2 – Non-reputadion email actions
K –KQL Queries – (SCKIPT UB1.C6) Multiple emails removed during specific period of time