Malum
@pertinaxmalum.bsky.social
Senior SOC engineer. Former intel. Interested in cloud, PowerShell, detection engineering and threat hunting. Owner of the Black Hat Labs.
Reposted by Malum
To check for existing bypass configurations, try:
Connect-ExchangeOnline
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
To alert, try:
CloudAppEvents
| where ActionType == @"Set-MailboxAuditBypassAssociation"
Connect-ExchangeOnline
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
To alert, try:
CloudAppEvents
| where ActionType == @"Set-MailboxAuditBypassAssociation"
April 8, 2025 at 5:24 AM
To check for existing bypass configurations, try:
Connect-ExchangeOnline
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
To alert, try:
CloudAppEvents
| where ActionType == @"Set-MailboxAuditBypassAssociation"
Connect-ExchangeOnline
Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }
To alert, try:
CloudAppEvents
| where ActionType == @"Set-MailboxAuditBypassAssociation"