LoFP / There are legitimate scenarios in which an application registration requires mailbox read access. Filter as needed.

Techniques

Sample rules

O365 Mailbox Read Access Granted to Application

Description

The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. The Mail.Read permission allows applications to access and read all emails within a user’s mailbox. Emails often contain sensitive or confidential information, and unauthorized access can lead to data breaches or leakage. Monitoring the assignment of this permission ensures that only legitimate applications have such access and that any inadvertent or malicious assignments are promptly identified. If an attacker successfully grants this permission to a malicious or compromised application, they can read all emails in the affected mailboxes. This can lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.

Detection logic

`o365_management_activity` Operation="Update application." 
| eval json_data=mvindex('ModifiedProperties{}.NewValue', 0) 
| eval json_data=replace(json_data, "^\[\s*", "") 
| eval json_data=replace(json_data, "\s*\]$", "") 
| spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds 
| eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") 
| where isnotnull(match_found) 
| stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object 
| `security_content_ctime(lastTime)` 
| `o365_mailbox_read_access_granted_to_application_filter`
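The following Python replays the detection above over constructed O365 management activity events. It is an added example, not code from the page or from the Splunk content it documents, and it assumes that the SPL's `user` and `object` fields correspond to the raw `UserId` and `ObjectId` fields, that the modified property is named `RequiredAppPermissions` (the name the SPL's spath path uses), and that `00000003-0000-0000-c000-000000000000` is the Microsoft Graph resource app ID; all other GUIDs, names and timestamps are made up. Two extractors are included: one that reproduces the SPL's bracket stripping and one that parses the whole `NewValue` array, so the difference shows up when an app registration lists permissions for more than one resource.

```python
"""Replay of the 'Mail.Read granted to application' detection over constructed O365 audit events."""
import json
import re
from collections import defaultdict

# Entitlement ID the page's SPL matches (Microsoft Graph Mail.Read permission).
MAIL_READ_ENTITLEMENT_ID = "810c84a8-4a9e-49e6-bf7d-12d183f40d01"
GRAPH = "00000003-0000-0000-c000-000000000000"            # assumed Microsoft Graph resource app ID
OTHER_RESOURCE = "aaaaaaaa-0000-0000-0000-000000000001"   # made-up second resource
OTHER_PERMISSION = "bbbbbbbb-0000-0000-0000-000000000002"  # made-up harmless permission


def _required_app_permissions(event):
    """Return the NewValue string of the RequiredAppPermissions property, or None.

    The SPL takes mvindex(..., 0), i.e. assumes RequiredAppPermissions is the first
    modified property; looking it up by Name tolerates other properties in the record.
    (Assumption: the property is named 'RequiredAppPermissions', as in the SPL's spath path.)
    """
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "RequiredAppPermissions":
            return prop.get("NewValue")
    return None


def entitlement_ids_spl_style(new_value):
    """Mimic the SPL: strip one leading '[' and one trailing ']' and parse the remainder
    as a single JSON object. Returns [] when that is not valid JSON (spath yields nothing)."""
    stripped = re.sub(r"^\[\s*", "", new_value)
    stripped = re.sub(r"\s*\]$", "", stripped)
    try:
        obj = json.loads(stripped)
    except json.JSONDecodeError:
        return []
    if not isinstance(obj, dict):
        return []
    return [p.get("EntitlementId") for p in obj.get("RequiredAppPermissions", [])]


def entitlement_ids_robust(new_value):
    """Parse the whole NewValue array and collect EntitlementIds across every resource entry."""
    try:
        entries = json.loads(new_value)
    except json.JSONDecodeError:
        return []
    if isinstance(entries, dict):
        entries = [entries]
    return [perm["EntitlementId"]
            for entry in entries
            for perm in entry.get("RequiredAppPermissions", [])
            if "EntitlementId" in perm]


def detect(events, extractor=entitlement_ids_robust, target_id=MAIL_READ_ENTITLEMENT_ID):
    """Run the detection over a list of events and return rows grouped like the SPL stats:
    (Operation, user, object) -> lastTime and the set of EntitlementIds seen.
    Assumption: 'user' is UserId and 'object' is ObjectId."""
    groups = defaultdict(lambda: {"lastTime": "", "EntitlementIds": set()})
    for event in events:
        if event.get("Operation") != "Update application.":
            continue
        new_value = _required_app_permissions(event)
        if new_value is None:
            continue
        ids = extractor(new_value)
        if target_id not in ids:              # the mvfind/isnotnull step
            continue
        key = (event["Operation"], event.get("UserId"), event.get("ObjectId"))
        row = groups[key]
        row["lastTime"] = max(row["lastTime"], event.get("CreationTime", ""))
        row["EntitlementIds"].update(i for i in ids if i)
    return [{"Operation": k[0], "user": k[1], "object": k[2],
             "lastTime": v["lastTime"], "EntitlementIds": sorted(v["EntitlementIds"])}
            for k, v in sorted(groups.items())]


def _event(time, user, obj, resources):
    """Build a constructed 'Update application.' record with only the fields the detection reads."""
    new_value = json.dumps([
        {"ResourceAppId": rid,
         "RequiredAppPermissions": [{"EntitlementId": e, "DirectAccessGrant": True,
                                     "ImpersonationAccessGrants": []} for e in ents],
         "EncodingVersion": 1}
        for rid, ents in resources])
    return {"CreationTime": time, "Workload": "AzureActiveDirectory",
            "Operation": "Update application.", "UserId": user, "ObjectId": obj,
            "ModifiedProperties": [{"Name": "RequiredAppPermissions",
                                    "NewValue": new_value, "OldValue": "[]"}]}


# Constructed sample events: a benign permission, a plain Mail.Read request, and a
# registration that requests Mail.Read alongside a permission on a second resource.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00", "admin@contoso.example", "Application_1111",
           [(GRAPH, [OTHER_PERMISSION])]),
    _event("2024-05-01T10:05:00", "admin@contoso.example", "Application_2222",
           [(GRAPH, [MAIL_READ_ENTITLEMENT_ID])]),
    _event("2024-05-01T10:09:00", "eve@contoso.example", "Application_3333",
           [(OTHER_RESOURCE, [OTHER_PERMISSION]), (GRAPH, [MAIL_READ_ENTITLEMENT_ID])]),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
    print(json.dumps(detect(SAMPLE_EVENTS, extractor=entitlement_ids_spl_style), indent=2))
```

Running it shows the point worth checking in the SPL: the bracket-stripping regexes only produce valid JSON when `NewValue` holds a single resource entry, so the third event (two resource entries) is missed by the SPL-style extractor but caught by the full-array parse. Together with the `mvindex(..., 0)` assumption that `RequiredAppPermissions` is the first modified property, that is where tuning this rule for a real tenant is most likely to matter.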