AN0803: Analytic 0803
Disabling mailbox or tenant-level audit logging, often using Set-MailboxAuditBypassAssociation or downgrading license tiers. Defender view: sudden absence of mailbox activity logging for monitored users.
Analyst context for executives and security teams
This analytic is about detecting when Office Suite mailbox or tenant audit logging is disabled or weakened. For leaders, the business issue is not just the setting change itself; it is the loss of evidence needed to investigate mailbox access, user activity, and potential data exposure. If audit logging disappears for monitored users, incident responders may lose the timeline they need for containment, legal review, compliance evidence, and executive decision-making.
Executive priority
Treat this as an evidence-preservation and incident-readiness priority. Security leaders should ask whether mailbox audit logging is mandatory for high-risk users, whether license or configuration changes can reduce logging, and whether the SOC is alerted when expected mailbox activity telemetry suddenly stops. This matters for compliance readiness and business continuity because a logging gap can turn a containable email or identity incident into an investigation with limited proof.
Technical view
The supplied ATT&CK object identifies an Office Suite detection analytic focused on disabling mailbox or tenant-level audit logging, including use of Set-MailboxAuditBypassAssociation or downgrading license tiers. SOC and detection teams should validate whether they can observe audit-logging configuration changes and whether they monitor for a sudden absence of mailbox activity logs for users expected to generate telemetry. Because no official detection logic is provided, teams need to define local baselines for monitored users, expected mailbox activity, and authorized administrative or licensing changes.
Likely telemetry
- Office Suite administrative audit logs showing mailbox audit configuration changes
- Mailbox audit status or audit-bypass association records
- Tenant-level audit logging configuration state
- License tier or subscription change records that could affect logging availability
- Expected mailbox activity logs for monitored users
Detection direction
- Alert on mailbox or tenant audit logging being disabled, bypassed, or otherwise reduced for monitored users.
- Correlate logging changes with administrator identity, change ticket, timing, affected user population, and license changes to reduce false positives.
- Monitor for sudden absence of mailbox activity logging where activity is normally expected, especially for users under heightened monitoring.
- Validate blind spots caused by license downgrades, retention limits, incomplete administrative logging, or telemetry pipelines that do not report configuration changes.
- Because no ATT&CK relationship context or formal detection logic is supplied, tune thresholds and baselines using local Office Suite activity patterns and approved administrative workflows.
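Worked example, added here and not part of the ATT&CK object or Glexia's analysis: the two detection directions above (alert on an audit-reducing configuration change against a monitored mailbox, and flag monitored users whose mailbox activity telemetry has gone quiet) applied to constructed audit records. The record schema, the monitored-user list and the 24-hour silence threshold are assumptions; Set-Mailbox with AuditEnabled set to false is included beside Set-MailboxAuditBypassAssociation as a second Exchange Online setting that reduces mailbox auditing.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), reduced to the fields the
# checks need: time, operation, acting user, target mailbox, and parameters.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:05:00", "op": "MailItemsAccessed", "actor": "cfo@example.com"},
    {"time": "2024-05-01T09:10:00", "op": "Send", "actor": "cfo@example.com"},
    {"time": "2024-05-01T09:30:00", "op": "Set-MailboxAuditBypassAssociation",
     "actor": "admin@example.com", "target": "cfo@example.com",
     "params": {"AuditBypassEnabled": "True"}},
    {"time": "2024-05-01T14:00:00", "op": "MailItemsAccessed", "actor": "sales@example.com"},
    {"time": "2024-05-02T10:00:00", "op": "MailItemsAccessed", "actor": "legal@example.com"},
    {"time": "2024-05-02T11:00:00", "op": "Set-Mailbox", "actor": "helpdesk@example.com",
     "target": "legal@example.com", "params": {"AuditEnabled": "False"}},
]

# Users under heightened monitoring (assumed list for this example).
MONITORED = {"cfo@example.com", "legal@example.com"}

# Operation -> (parameter, value) pairs that reduce mailbox audit visibility.
VISIBILITY_REDUCING = {
    "Set-MailboxAuditBypassAssociation": ("AuditBypassEnabled", "True"),
    "Set-Mailbox": ("AuditEnabled", "False"),
}

def logging_reduced_alerts(events, monitored):
    """Return (time, actor, target, op) for audit-reducing changes to monitored mailboxes."""
    alerts = []
    for e in events:
        rule = VISIBILITY_REDUCING.get(e["op"])
        if not rule or e.get("target") not in monitored:
            continue
        if e.get("params", {}).get(rule[0]) == rule[1]:
            alerts.append((e["time"], e["actor"], e["target"], e["op"]))
    return alerts

def silent_monitored_users(events, monitored, now_iso, max_gap=timedelta(hours=24)):
    """Monitored users with no mailbox activity record within max_gap of now_iso."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        if e["op"] in VISIBILITY_REDUCING or e["actor"] not in monitored:
            continue  # administrative changes are not mailbox activity
        t = datetime.fromisoformat(e["time"])
        last_seen[e["actor"]] = max(last_seen.get(e["actor"], t), t)
    # A monitored user never seen at all is also silent; datetime.min stands in for "never".
    return sorted(u for u in monitored if now - last_seen.get(u, datetime.min) > max_gap)
```

With the sample data, the configuration check raises both changes immediately, while the silence check only flags the bypassed CFO mailbox at noon on 2 May; the legal mailbox change has not yet produced a visible gap, which is why the two directions are run together.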
Mitigation priorities
- Make mailbox and tenant audit logging requirements explicit for monitored and high-risk users.
- Restrict and review permissions that allow audit logging, bypass associations, or license tiers to be changed.
- Require change approval and documented justification for audit logging or licensing changes that reduce visibility.
- Regularly verify that expected mailbox activity telemetry is still being collected and retained.
- Include audit-log availability checks in incident response readiness, compliance evidence reviews, and managed detection onboarding.
Analyst notes and limits
The key decision value is whether the organization can prove that mailbox audit telemetry remained available when it mattered. This analytic is most useful as a control-integrity monitor: it checks whether the evidence source needed for later email, identity, or insider-risk investigations has been disabled or degraded.
The ATT&CK object provides a brief description, Office Suite platform scope, and no official detection logic, tactics, labels, aliases, or relationship context. This take therefore avoids claims about specific adversaries, active exploitation, impact, or guaranteed detection. Local configuration, licensing, retention, and logging architecture are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c0bf2566d55a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0803 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.