O365 Email Access By Security Administrator
- source: splunk
- techniques:
  - T1114.002
  - T1567
Description
The following analytic identifies when a user with sufficient access to the O365 Security & Compliance portal uses premium investigation features (Threat Explorer) to directly view email. Adversaries may exploit privileged access with this premium feature to enumerate or exfiltrate sensitive data.
Detection logic
`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminMailAccess
| rename InternetMessageId as signature_id, UserId as src_user
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user src vendor_account vendor_product src_user signature_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_access_by_security_administrator_filter`
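The same filter-rename-aggregate logic as an added Python example over constructed O365 Management Activity records, so the search can be tested offline (this is example code, not Splunk's or the Security Content project's own; `security_content_ctime` is assumed to format epoch time as `%m/%d/%Y %H:%M:%S`, `fillnull` is assumed to use its default value of 0, and the `stats by` fields are reduced to `src_user` and `signature_id` because the other CIM fields are not defined on this page):

```python
"""Added example: re-implements the page's SPL over constructed O365 events."""
from datetime import datetime, timezone

FILLNULL = 0  # assumed: Splunk `fillnull` without a value argument substitutes 0
CTIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed format of `security_content_ctime`

# Constructed sample events in the O365 Management Activity API shape.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-01-15T09:12:03", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@example.com",
     "InternetMessageId": "<msg-001@example.com>"},
    {"CreationTime": "2024-01-15T09:15:40", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@example.com",
     "InternetMessageId": "<msg-001@example.com>"},
    {"CreationTime": "2024-01-15T10:01:00", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@example.com",
     "InternetMessageId": "<msg-002@example.com>"},
    # Missing InternetMessageId: `fillnull` keeps the row instead of dropping it.
    {"CreationTime": "2024-01-15T10:05:00", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@example.com"},
    # Different workload/operation: must not match the search.
    {"CreationTime": "2024-01-15T10:07:00", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "UserId": "analyst@example.com",
     "InternetMessageId": "<msg-003@example.com>"},
    {"CreationTime": "2024-01-15T10:09:00", "Workload": "SecurityComplianceCenter",
     "Operation": "SearchViewed", "UserId": "analyst@example.com"},
]


def _epoch(creation_time):
    """Treat CreationTime (UTC, no offset in the API) as the event's _time."""
    return datetime.fromisoformat(creation_time).replace(tzinfo=timezone.utc).timestamp()


def detect_admin_mail_access(events):
    """Workload=SecurityComplianceCenter Operation=AdminMailAccess
    | rename InternetMessageId as signature_id, UserId as src_user | fillnull
    | stats count min(_time) as firstTime max(_time) as lastTime by src_user signature_id"""
    buckets = {}
    for e in events:
        if e.get("Workload") != "SecurityComplianceCenter" or e.get("Operation") != "AdminMailAccess":
            continue
        key = (e.get("UserId", FILLNULL), e.get("InternetMessageId", FILLNULL))
        t = _epoch(e["CreationTime"])
        b = buckets.setdefault(key, {"count": 0, "first": t, "last": t})
        b["count"] += 1
        b["first"], b["last"] = min(b["first"], t), max(b["last"], t)
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime(CTIME_FMT)
    return [{"src_user": u, "signature_id": s, "count": b["count"],
             "firstTime": fmt(b["first"]), "lastTime": fmt(b["last"])}
            for (u, s), b in sorted(buckets.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1])))]
```

Rows with a `signature_id` of 0 are the events Threat Explorer logged without a message id; they still represent an administrator viewing mail and should be triaged, not filtered away.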