Legitimate users may access a large number of mailbox items in a short period, especially in environments with high email volume or during data migrations. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.

Techniques

Sample rules

Excessive Microsoft 365 Mailbox Items Accessed

Description

Identifies an excessive number of Microsoft 365 mailbox items accessed by a user, either via aggregated counts or via throttling. Microsoft audits mailbox access through the MailItemsAccessed event, which is generated when a user accesses mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, the event is throttled. Excessive mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a target's mailbox. This rule detects both the throttled and the unthrottled events, the latter with a high threshold.

Detection logic

event.dataset: "o365.audit" and
    event.provider: "Exchange" and
    event.action: "MailItemsAccessed" and
    event.code: "ExchangeItemAggregated" and
    (
        (
            o365.audit.OperationProperties.Name: "IsThrottled" and
            o365.audit.OperationProperties.Value: "True"
        ) or o365.audit.OperationCount >= 100
    )
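As an added example that is not part of the LoFP page or the Elastic rule, the following Python mirrors the detection logic above over constructed o365.audit records and applies an exception list for accounts whose bulk mailbox access is expected, as the false-positive note suggests. The flattened field names follow the rule; the user.id field, the allow-list and all sample events are assumptions.

```python
# Hypothetical allow-list for the false positive described above (constructed).
EXPECTED_BULK_ACCESS_USERS = {"migration-svc@example.com"}
OPERATION_COUNT_THRESHOLD = 100

def is_throttled(props):
    """OperationProperties is a list of {"Name", "Value"} entries; this ties
    Name and Value to the same entry, slightly stricter than the KQL."""
    return any(p.get("Name") == "IsThrottled" and str(p.get("Value")) == "True"
               for p in props)

def matches_rule(record):
    """Mirror the rule: aggregated MailItemsAccessed events that were either
    throttled by Microsoft or carry OperationCount >= 100."""
    if (record.get("event.dataset") != "o365.audit"
            or record.get("event.provider") != "Exchange"
            or record.get("event.action") != "MailItemsAccessed"
            or record.get("event.code") != "ExchangeItemAggregated"):
        return False
    count = record.get("o365.audit.OperationCount", 0)
    props = record.get("o365.audit.OperationProperties", [])
    return is_throttled(props) or count >= OPERATION_COUNT_THRESHOLD

def alert(record):
    """Rule match minus the documented exception for expected bulk readers."""
    return matches_rule(record) and record.get("user.id") not in EXPECTED_BULK_ACCESS_USERS

def make_event(user, count, throttled=False, code="ExchangeItemAggregated"):
    """Build a constructed, flattened o365.audit record (not a real log)."""
    props = [{"Name": "IsThrottled", "Value": "True"}] if throttled else []
    return {"event.dataset": "o365.audit", "event.provider": "Exchange",
            "event.action": "MailItemsAccessed", "event.code": code,
            "user.id": user, "o365.audit.OperationCount": count,
            "o365.audit.OperationProperties": props}

SAMPLE_EVENTS = [
    make_event("alice@example.com", 1500, throttled=True),    # throttled
    make_event("bob@example.com", 12),                        # normal volume
    make_event("carol@example.com", 250),                     # count >= 100
    make_event("migration-svc@example.com", 400),             # matches, excepted
    make_event("dave@example.com", 900, code="ExchangeItem"),  # not aggregated
]

def triage(events):
    """Return the users whose events should raise an alert."""
    return [e["user.id"] for e in events if alert(e)]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # ['alice@example.com', 'carol@example.com']
```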