Techniques
Sample rules
O365 Email Access By Security Administrator
- source: splunk
- techniques:
- T1567
- T1114
- T1114.002
Description
The following analytic identifies when a user with sufficient access to the O365 Security & Compliance portal uses the premium investigation feature Threat Explorer to view email content directly. An adversary holding (or having compromised) such privileged access can use this feature to enumerate or exfiltrate sensitive mail without ever touching the victim's mailbox through Exchange. Legitimate investigations by security staff generate the same AdminMailAccess events, so known analyst and automation accounts should be tuned out through the filter macro rather than by changing the base search.
Detection logic
`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminMailAccess
| stats values(Workload) as category, values(MailboxId) as user, values(Operation) as signature, count, min(_time) as firstTime, max(_time) as lastTime by InternetMessageId, UserId
| rename InternetMessageId as signature_id, UserId as src_user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_access_by_security_administrator_filter`
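To show what the search above actually produces, here is an added Python stand-in (not part of the original rule or the Splunk content) that runs the same filter, `stats ... by InternetMessageId, UserId`, `rename` and time-formatting stages over a handful of constructed O365 Management Activity events. The events, tenant, user names and message IDs are made up, and `ALLOWLISTED_SRC_USERS` is a hypothetical replacement for the `o365_email_access_by_security_administrator_filter` macro, assumed to suppress known SOC accounts.

```python
"""Stand-in for the SPL rule: group O365 AdminMailAccess events the way
`stats ... by InternetMessageId, UserId` does, apply the rename stage, and
then drop allow-listed source users in place of the filter macro.
The sample events below are constructed, not real tenant data."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape of o365_management_activity records.
# Field names follow the Office 365 Management Activity schema used by the
# search; the tenant, accounts and message IDs are invented.
SAMPLE_EVENTS = [
    {"_time": "2024-03-04T09:12:01Z", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@contoso.test",
     "MailboxId": "cfo@contoso.test", "InternetMessageId": "<msg-001@contoso.test>"},
    {"_time": "2024-03-04T09:12:45Z", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@contoso.test",
     "MailboxId": "cfo@contoso.test", "InternetMessageId": "<msg-001@contoso.test>"},
    {"_time": "2024-03-04T09:15:30Z", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "secadmin@contoso.test",
     "MailboxId": "hr@contoso.test", "InternetMessageId": "<msg-002@contoso.test>"},
    # Same workload, different operation: must not match.
    {"_time": "2024-03-04T09:16:00Z", "Workload": "SecurityComplianceCenter",
     "Operation": "SearchStarted", "UserId": "secadmin@contoso.test",
     "MailboxId": "", "InternetMessageId": ""},
    # Owner reading their own mail through Exchange: wrong workload, must not match.
    {"_time": "2024-03-04T09:17:00Z", "Workload": "Exchange",
     "Operation": "MailItemsAccessed", "UserId": "cfo@contoso.test",
     "MailboxId": "cfo@contoso.test", "InternetMessageId": "<msg-003@contoso.test>"},
    # Known SOC automation account: matches the search, suppressed by the allow-list.
    {"_time": "2024-03-04T10:00:00Z", "Workload": "SecurityComplianceCenter",
     "Operation": "AdminMailAccess", "UserId": "soc-automation@contoso.test",
     "MailboxId": "ceo@contoso.test", "InternetMessageId": "<msg-004@contoso.test>"},
]

# Hypothetical stand-in for the `o365_email_access_by_security_administrator_filter`
# macro: tuning lives here so the base search itself stays untouched.
ALLOWLISTED_SRC_USERS = {"soc-automation@contoso.test"}

# `security_content_ctime` renders epoch times in this format.
CTIME_FMT = "%Y-%m-%dT%H:%M:%S"


def _epoch(ts):
    """Parse the constructed ISO-8601 UTC timestamp into epoch seconds (Splunk's _time)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def _ctime(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(CTIME_FMT)


def admin_mail_access(events, allowlist=ALLOWLISTED_SRC_USERS):
    """Return one result row per (InternetMessageId, UserId), mirroring the
    Workload/Operation filter, stats, rename and ctime stages of the search."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("Workload") != "SecurityComplianceCenter":
            continue
        if ev.get("Operation") != "AdminMailAccess":
            continue
        groups[(ev["InternetMessageId"], ev["UserId"])].append(ev)

    rows = []
    for (msg_id, user_id), evs in sorted(groups.items()):
        times = [_epoch(e["_time"]) for e in evs]
        row = {
            "signature_id": msg_id,                                  # InternetMessageId
            "src_user": user_id,                                     # the admin doing the reading
            "category": sorted({e["Workload"] for e in evs}),        # values(Workload)
            "user": sorted({e["MailboxId"] for e in evs}),           # mailbox owner(s) read
            "signature": sorted({e["Operation"] for e in evs}),      # values(Operation)
            "count": len(evs),
            "firstTime": _ctime(min(times)),
            "lastTime": _ctime(max(times)),
        }
        # Filter macro stage: drop rows for approved accounts, keep everything else.
        if row["src_user"] in allowlist:
            continue
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in admin_mail_access(SAMPLE_EVENTS):
        print(r)
```

Two things the sample makes visible: the two reads of `<msg-001@contoso.test>` by `secadmin@contoso.test` collapse into one row with `count=2` and a first/last time window, which is the granularity an analyst triages at, and the Exchange `MailItemsAccessed` event is deliberately out of scope because this rule is about portal-side admin access, not owner access. Passing `allowlist=set()` shows what the search returns before the filter macro is applied.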