O365 Mailbox Read Access Granted to Application
- source: splunk
- techniques:
- T1114.002
- T1114
- T1098
- T1098.003
Description
The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user’s mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
Detection logic
`o365_management_activity` Operation="Update application."
| eval json_data=mvindex('ModifiedProperties{}.NewValue', 0)
| eval json_data=replace(json_data, "^\[\s*", "")
| eval json_data=replace(json_data, "\s*\]$", "")
| spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds
| eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01")
| where isnotnull(match_found)
| stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object
| `security_content_ctime(lastTime)`
| `o365_mailbox_read_access_granted_to_application_filter`
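The pipeline above can be hard to reason about without data in front of you. The Python below is an added example (not part of this rule or Splunk's security content) that replays the same logic over a handful of constructed O365 management-activity records: it keeps only `Update application.` events, pulls every `EntitlementId` out of the `RequiredResourceAccess` change, checks for the Mail.Read id `810c84a8-4a9e-49e6-bf7d-12d183f40d01`, and aggregates like the `stats max(_time) values(EntitlementIds) by Operation, user, object` step. It assumes the SPL's `user` and `object` fields correspond to the raw `UserId` and `ObjectId`, that `ModifiedProperties` carries an entry named `RequiredResourceAccess` whose `NewValue` is a JSON array, and that `CreationTime` is ISO 8601 so string comparison yields the latest time. Where the SPL strips the outer `[` `]` so `spath` reads a single object, this version parses the whole array, so several `ResourceAppId` entries are handled too. The Graph `ResourceAppId`, the tenant user names, object ids and timestamps are constructed placeholders.

```python
import json
from collections.abc import Iterable

# Graph API permission id for Mail.Read, taken from the rule on this page.
MAIL_READ_ENTITLEMENT_ID = "810c84a8-4a9e-49e6-bf7d-12d183f40d01"
# Microsoft Graph's application id (the ResourceAppId a Mail.Read grant points at).
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"
# Constructed stand-in for some other, unrelated permission id.
OTHER_ENTITLEMENT_ID = "00000000-0000-0000-0000-00000000aaaa"


def parse_required_resource_access(new_value: str) -> list:
    """Parse a RequiredResourceAccess NewValue string into a list of resource entries.

    The SPL strips the outer '[' ']' so spath sees one object; here the whole JSON
    array is parsed, so several ResourceAppId entries are handled as well.
    """
    try:
        parsed = json.loads(new_value)
    except (TypeError, json.JSONDecodeError):
        return []
    if isinstance(parsed, dict):
        parsed = [parsed]
    return [r for r in parsed if isinstance(r, dict)]


def entitlement_ids(event: dict) -> list:
    """Collect every EntitlementId from the event's RequiredResourceAccess change."""
    ids = []
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") != "RequiredResourceAccess":
            continue
        for resource in parse_required_resource_access(prop.get("NewValue", "")):
            for perm in resource.get("RequiredAppPermissions", []):
                eid = perm.get("EntitlementId")
                if eid:
                    ids.append(eid)
    return ids


def detect_mail_read_grants(events: Iterable[dict]) -> dict:
    """Replay the rule's SPL over in-memory events.

    Filter on Operation, keep events whose permission list contains Mail.Read
    (the mvfind/isnotnull step), then aggregate by (Operation, user, object)
    keeping the latest CreationTime and the union of EntitlementIds.
    Assumes user == UserId and object == ObjectId.
    """
    hits = {}
    for ev in events:
        if ev.get("Operation") != "Update application.":
            continue
        ids = entitlement_ids(ev)
        if MAIL_READ_ENTITLEMENT_ID not in ids:
            continue
        key = (ev["Operation"], ev.get("UserId"), ev.get("ObjectId"))
        hit = hits.setdefault(key, {"lastTime": ev["CreationTime"], "EntitlementIds": set()})
        hit["lastTime"] = max(hit["lastTime"], ev["CreationTime"])  # ISO 8601 sorts as text
        hit["EntitlementIds"].update(ids)
    return hits


def build_required_resource_access(*ids: str) -> str:
    """Build a constructed NewValue payload in the shape the rule expects."""
    return json.dumps([{
        "ResourceAppId": GRAPH_RESOURCE_APP_ID,
        "RequiredAppPermissions": [{"EntitlementId": eid, "DirectAccessGrant": True} for eid in ids],
    }])


# Constructed sample events: field names follow the O365 management activity schema,
# the users, object ids and times are placeholders.
APP_OBJECT = "Application_00000000-1111-2222-3333-444444444444"
SAMPLE_EVENTS = [
    {   # Mail.Read granted alongside another permission: should alert
        "CreationTime": "2024-05-01T08:00:00", "Operation": "Update application.",
        "UserId": "admin@contoso.example", "ObjectId": APP_OBJECT,
        "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                                "NewValue": build_required_resource_access(OTHER_ENTITLEMENT_ID, MAIL_READ_ENTITLEMENT_ID)}],
    },
    {   # Same app updated again later with Mail.Read: folds into the same stats row
        "CreationTime": "2024-05-02T09:30:00", "Operation": "Update application.",
        "UserId": "admin@contoso.example", "ObjectId": APP_OBJECT,
        "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                                "NewValue": build_required_resource_access(MAIL_READ_ENTITLEMENT_ID)}],
    },
    {   # Unrelated permission only: dropped by the Mail.Read check
        "CreationTime": "2024-05-02T10:00:00", "Operation": "Update application.",
        "UserId": "dev@contoso.example", "ObjectId": "Application_55555555-6666-7777-8888-999999999999",
        "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                                "NewValue": build_required_resource_access(OTHER_ENTITLEMENT_ID)}],
    },
    {   # Different operation: dropped before any parsing
        "CreationTime": "2024-05-02T11:00:00", "Operation": "Update user.",
        "UserId": "admin@contoso.example", "ObjectId": "user@contoso.example", "ModifiedProperties": [],
    },
]


if __name__ == "__main__":
    for (operation, user, obj), hit in detect_mail_read_grants(SAMPLE_EVENTS).items():
        print(f"{hit['lastTime']}  {operation}  user={user}  object={obj}  "
              f"EntitlementIds={sorted(hit['EntitlementIds'])}")
```

Running it prints one row for the `admin@contoso.example` / `Application_…` pair with the later timestamp and both permission ids, which is what the `stats` clause would return for the same four events; the unrelated-permission update and the `Update user.` event produce nothing. When tuning the filter macro, the second event is the kind of repeat that merits suppression rather than a second alert.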