Techniques
Sample rules
Excessive Microsoft 365 Mailbox Items Accessed
- source: elastic
- technicques:
- T1114
Description
Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a target’s mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
Detection logic
event.dataset: "o365.audit" and
event.provider: "Exchange" and
event.action: "MailItemsAccessed" and
event.code: "ExchangeItemAggregated" and
(
(
o365.audit.OperationProperties.Name: "IsThrottled" and
o365.audit.OperationProperties.Value: "True"
) or o365.audit.OperationCount >= 100
)