Incorrect Account Isolation for Shared Mailbox Rule Creation
Kane Rason
Description:
When a suspicious inbox rule was created in a shared mailbox, the detection fired correctly, but the remediation targeted the shared mailbox account rather than the account that actually created the rule.
Issue:
Shared mailboxes have sign-in disabled by default; they are accessed through delegate accounts that hold permissions on the mailbox, and the mailbox audit record for the rule creation names that delegate as the actor.
The compromised delegate account that created the rule was neither identified nor contained.
Impact:
This leaves the attacker's access intact: blocking an account whose sign-in is already disabled changes nothing, and the delegate can continue creating rules or exfiltrating data from this and any other mailbox it has access to.
Recommendation:
Update the detection and remediation logic to attribute the rule-creation event to its actor (the delegate identity, correlated by session identifier across mailbox audit events to establish the full scope of access) and target that delegate account for containment, not the shared mailbox it acted on.
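As an added illustration of the recommended attribution logic (example code, not part of the original finding), the script below walks Exchange mailbox-audit records, picks out inbox-rule operations, resolves the containment target from the actor field rather than the mailbox field, and lists every mailbox touched in the same session. The field names follow the Microsoft 365 Unified Audit Log mailbox-audit schema (UserId is the actor, MailboxOwnerUPN the mailbox acted on, LogonType 0/1/2 is Owner/Admin/Delegate, SessionId groups one logon session); the records, tenant, accounts, IP addresses and session IDs are constructed for the example and do not come from the incident.

```python
"""Attribute a suspicious inbox rule in a shared mailbox to the delegate that created it."""
import json

# Operations that create or change inbox rules in Exchange mailbox-audit records.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# LogonType values as used in Exchange mailbox auditing.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}
# Rule parameters that forward, redirect or hide mail: the usual exfiltration pattern.
EXFIL_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

# Constructed sample records (one JSON object per line) shaped like the AuditData
# payload of Unified Audit Log entries. The tenant contoso.example, the accounts,
# IPs and session IDs are hypothetical. The delegate j.doe creates a forwarding
# rule in the shared mailbox "finance" and, in the same session, reads "hr";
# a.smith creates a harmless rule in their own mailbox as an owner logon.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2024-03-01T08:02:11","Operation":"MailboxLogin","UserId":"j.doe@contoso.example","MailboxOwnerUPN":"finance@contoso.example","LogonType":2,"SessionId":"s-1001","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2024-03-01T08:03:40","Operation":"New-InboxRule","UserId":"j.doe@contoso.example","MailboxOwnerUPN":"finance@contoso.example","LogonType":2,"SessionId":"s-1001","ClientIPAddress":"203.0.113.10","Parameters":[{"Name":"ForwardTo","Value":"drop@attacker.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-01T08:05:02","Operation":"MailItemsAccessed","UserId":"j.doe@contoso.example","MailboxOwnerUPN":"hr@contoso.example","LogonType":2,"SessionId":"s-1001","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2024-03-01T09:10:00","Operation":"New-InboxRule","UserId":"a.smith@contoso.example","MailboxOwnerUPN":"a.smith@contoso.example","LogonType":0,"SessionId":"s-2002","ClientIPAddress":"198.51.100.7","Parameters":[{"Name":"MoveToFolder","Value":"Receipts"}]}
"""


def parse_records(text):
    """Parse one JSON audit record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_exfil_rule(record):
    """True if the rule's parameters forward, redirect or delete mail."""
    return any(p.get("Name") in EXFIL_PARAMETERS for p in record.get("Parameters", []))


def containment_target(record):
    """Return the account to contain: the actor (UserId), never MailboxOwnerUPN by default.

    For an owner logon the two coincide. For a delegate or admin logon they differ,
    and blocking the shared mailbox (sign-in already disabled) would change nothing.
    """
    actor = record["UserId"]
    mailbox = record["MailboxOwnerUPN"]
    logon = LOGON_TYPES.get(record.get("LogonType"), "Unknown")
    if logon == "Owner" and actor.lower() != mailbox.lower():
        raise ValueError(f"owner logon by {actor} on {mailbox}: inconsistent record")
    return actor


def session_scope(records, session_id):
    """Every mailbox touched in the same session: the blast radius of that access."""
    if not session_id:
        return []
    return sorted({r["MailboxOwnerUPN"] for r in records if r.get("SessionId") == session_id})


def triage(records):
    """Turn rule-creation events into containment findings keyed on the actor."""
    findings = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        session_id = r.get("SessionId")
        findings.append({
            "time": r.get("CreationTime"),
            "mailbox": r["MailboxOwnerUPN"],
            "logon_type": LOGON_TYPES.get(r.get("LogonType"), "Unknown"),
            "exfil_rule": is_exfil_rule(r),
            "contain": containment_target(r),
            "session_id": session_id,
            "session_mailboxes": session_scope(records, session_id),
            "client_ip": r.get("ClientIPAddress"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding, indent=2))
```

For the delegate case the finding's "contain" field is j.doe@contoso.example and "session_mailboxes" lists both finance and hr, so the responder blocks and revokes sessions for the delegate and reviews both mailboxes; for the owner case the target is the user's own account. The actual sign-in block and session revocation are deliberately left out of the example, since they depend on the tenant tooling in use.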