Detects adversaries accessing remote mail systems (e.g., Exchange Online, O365) using stolen credentials or OAuth tokens, followed by scripted access to mailbox contents via PowerShell, AADInternals, or unattended API queries. Detection focuses on abnormal logon sessions, user agents, IP locations, and scripted or tool-based email data access.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | azure:signinlogs | Abnormal sign-in from scripting tools (PowerShell, AADInternals) |
| Application Log Content (DC0038) | m365:purview | MailItemsAccessed & Exchange Audit |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| UserAgentPattern | Matches user-agent strings such as 'PowerShell', 'AADInternals' or 'python-requests'; the exact strings vary by script or tool. |
| TimeWindow | Defines the temporal correlation window between login, command execution, and outbound email access. |
| KnownIPLocations | Defines baseline geo/IP address ranges used to suppress known corporate access. |
| PrivilegedUserList | Defines the accounts considered privileged (admins, executives) that warrant tighter thresholds. |


Monitors programmatic access to user mailboxes in cloud-based email systems (e.g., O365, Exchange Online) using APIs or tokens. Focuses on OAuth misuse, suspicious MailItemsAccessed patterns, scripted keyword searches, and connections from untrusted agents or locations.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:purview | MailItemsAccessed, Search-Mailbox events |
| Logon Session Creation (DC0067) | azure:signinlogs | Suspicious login to cloud mailbox system |
| Command Execution (DC0064) | m365:unified | Search-Mailbox, Get-MessageTrace, eDiscovery requests |

| Field | Description |
|---|---|
| MailAccessVolumeThreshold | Number of emails accessed within the time window that flags an anomaly. |
| OAuthClientIDAllowList | Allow list of known app registrations (OAuth client IDs) used to suppress expected application access. |
| KeywordSearchFrequency | Flags high volumes of message searches that use suspicious patterns. |
| LoginGeolocationVariance | Triggers when the sign-in IP geolocation differs significantly from the user's historical profile. |
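The correlation both strategies describe, as an added example that is not part of the original page: a suspicious sign-in (scripted user agent or IP outside KnownIPLocations, unless the app is on OAuthClientIDAllowList) is joined to MailItemsAccessed records for the same user inside TimeWindow, and an alert fires when the item count reaches MailAccessVolumeThreshold. All record field names, IP ranges, app IDs and event values are constructed for the example and only loosely follow the real sign-in and unified audit schemas.

```python
from datetime import datetime, timedelta
import ipaddress

# Tunables matching the parameter tables above (all values constructed for the example)
USER_AGENT_PATTERNS = ("PowerShell", "AADInternals", "python-requests")
KNOWN_IP_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]  # corporate egress range
OAUTH_CLIENT_ID_ALLOW_LIST = {"app-id-allowlisted-placeholder"}  # known app registrations
TIME_WINDOW = timedelta(minutes=30)
MAIL_ACCESS_VOLUME_THRESHOLD = 50

def _known_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_IP_LOCATIONS)

def suspicious_signin(ev):
    """Scripted user agent or unknown location, unless the app is allow-listed."""
    if ev.get("AppId") in OAUTH_CLIENT_ID_ALLOW_LIST:
        return False
    scripted = any(p.lower() in ev["UserAgent"].lower() for p in USER_AGENT_PATTERNS)
    return scripted or not _known_ip(ev["IPAddress"])

def correlate(signins, mail_events):
    """For each suspicious sign-in, sum MailItemsAccessed items for the same user inside
    TIME_WINDOW and alert once the total reaches MAIL_ACCESS_VOLUME_THRESHOLD."""
    alerts = []
    for s in signins:
        if not suspicious_signin(s):
            continue
        start = datetime.fromisoformat(s["CreationTime"])
        items = sum(m["ItemCount"] for m in mail_events
                    if m["Operation"] == "MailItemsAccessed" and m["UserId"] == s["UserId"]
                    and start <= datetime.fromisoformat(m["CreationTime"]) <= start + TIME_WINDOW)
        if items >= MAIL_ACCESS_VOLUME_THRESHOLD:
            alerts.append({"user": s["UserId"], "ip": s["IPAddress"], "ua": s["UserAgent"], "items": items})
    return alerts

# Constructed sample records; alice is a normal client on the corporate range, bob is scripted access
SIGNINS = [
    {"UserId": "alice@example.com", "CreationTime": "2024-05-01T09:00:00", "IPAddress": "203.0.113.10",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Outlook", "AppId": "app-id-1"},
    {"UserId": "bob@example.com", "CreationTime": "2024-05-01T09:05:00", "IPAddress": "198.51.100.7",
     "UserAgent": "python-requests/2.31", "AppId": "app-id-2"},
]
MAIL_EVENTS = [
    {"UserId": "alice@example.com", "Operation": "MailItemsAccessed", "CreationTime": "2024-05-01T09:10:00", "ItemCount": 12},
    {"UserId": "bob@example.com", "Operation": "MailItemsAccessed", "CreationTime": "2024-05-01T09:12:00", "ItemCount": 40},
    {"UserId": "bob@example.com", "Operation": "MailItemsAccessed", "CreationTime": "2024-05-01T09:20:00", "ItemCount": 25},
    {"UserId": "bob@example.com", "Operation": "MailItemsAccessed", "CreationTime": "2024-05-01T11:00:00", "ItemCount": 99},
]
```

Running `correlate(SIGNINS, MAIL_EVENTS)` yields one alert for bob with 65 items; the 11:00 record falls outside the 30-minute window and is not counted, and alice is suppressed by the known-location and user-agent checks.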