| 1 | +# Graph Mail Access Burst Triage Guide |
| 2 | + |
| 3 | +## Rule Overview |
| 4 | + |
| 5 | +**Title:** Microsoft Graph Mail Access Burst |
| 6 | +**Rule ID:** SENT-COLL-0004 |
| 7 | +**Status:** Experimental |
| 8 | +**Severity:** Medium |
| 9 | +**Risk Score:** 70 |
| 10 | +**Tactic:** Collection |
| 11 | +**Technique:** T1114 - Email Collection |
| 12 | +**Platform:** Microsoft Sentinel |
| 13 | +**Data Source:** CloudAppEvents |
| 14 | + |
| 15 | +## Purpose |
| 16 | + |
| 17 | +This detection identifies bursts of Microsoft Graph mail search or mail access activity that may indicate post-compromise mailbox collection or reconnaissance. |
| 18 | + |
| 19 | +This matters because attackers with cloud access may use Microsoft Graph to: |
| 20 | + |
| 21 | +- Search mailbox contents |
| 22 | +- Read emails at scale |
| 23 | +- Collect sensitive communications |
| 24 | +- Enumerate high-value targets |
| 25 | +- Prepare for theft, extortion, or further compromise |
| 26 | + |
| 27 | +## Detection Logic Summary |
| 28 | + |
| 29 | +The rule reviews `CloudAppEvents` where: |
| 30 | + |
| 31 | +- `Application == "Microsoft Graph"` |
| 32 | +- `ActionType` includes: |
| 33 | + - `SearchQueryPerformed` |
| 34 | + - `MailItemsAccessed` |
| 35 | + - `MessageBind` |
| 36 | + |
| 37 | +It summarizes activity by: |
| 38 | + |
| 39 | +- 30-minute time window |
| 40 | +- user |
| 41 | +- application |
| 42 | + |
| 43 | +The rule alerts when: |
| 44 | + |
| 45 | +- `ActionCount >= 20` |
| 46 | + |
| 47 | +It also captures: |
| 48 | + |
| 49 | +- action types observed |
| 50 | +- source IPs associated with the activity |
| 51 | + |
| 52 | +## Likely Analyst Goal |
| 53 | + |
| 54 | +Determine whether the Graph mail access burst was: |
| 55 | + |
| 56 | +- Approved admin, migration, journaling, or eDiscovery activity |
| 57 | +- Legitimate application integration behavior |
| 58 | +- Suspicious mailbox reconnaissance or collection after identity compromise |
| 59 | + |
| 60 | +## Initial Triage Questions |
| 61 | + |
| 62 | +1. Which user or application performed the mail access? |
| 63 | +2. Is this level of Graph mail activity normal for that identity? |
| 64 | +3. Was the activity tied to a known tenant application or integration? |
| 65 | +4. Were there nearby risky sign-ins, device code sign-ins, consent grants, or OAuth abuse indicators? |
| 66 | +5. Did the activity target high-value mailboxes or lead to export, forwarding, or download behavior? |
| 67 | + |
| 68 | +--- |
| 69 | + |
| 70 | +## Investigation Steps |
| 71 | + |
| 72 | +### 1. Validate the User or Application Context |
| 73 | + |
| 74 | +Review: |
| 75 | + |
| 76 | +- user identity |
| 77 | +- account type |
| 78 | +- associated application |
| 79 | +- source IP addresses |
| 80 | + |
| 81 | +Determine whether the activity came from: |
| 82 | + |
| 83 | +- a human user |
| 84 | +- a service principal |
| 85 | +- an approved integration |
| 86 | +- an unknown or suspicious application flow |
| 87 | + |
| 88 | +**Why this matters:** |
| 89 | +Graph access by approved enterprise applications can be normal, but unexpected users or apps can indicate abuse. |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +### 2. Review the Volume and Timing of Activity |
| 94 | + |
| 95 | +Assess: |
| 96 | + |
| 97 | +- total number of actions |
| 98 | +- action types observed |
| 99 | +- time window of activity |
| 100 | +- whether the burst is isolated or recurring |
| 101 | + |
| 102 | +Determine whether the pattern suggests: |
| 103 | + |
| 104 | +- routine application polling |
| 105 | +- large-scale mailbox review |
| 106 | +- sudden collection after sign-in |
| 107 | +- targeted mailbox reconnaissance |
| 108 | + |
| 109 | +**Why this matters:** |
| 110 | +A concentrated burst of mail access can indicate focused collection or reconnaissance. |
| 111 | + |
| 112 | +--- |
| 113 | + |
| 114 | +### 3. Review Authentication and Identity Signals |
| 115 | + |
| 116 | +Check for nearby: |
| 117 | + |
| 118 | +- device code sign-ins |
| 119 | +- risky sign-ins |
| 120 | +- unfamiliar IP addresses |
| 121 | +- impossible travel |
| 122 | +- MFA changes |
| 123 | +- consent grants |
| 124 | +- OAuth abuse indicators |
| 125 | + |
| 126 | +**Why this matters:** |
| 127 | +Mailbox collection often follows identity compromise or unauthorized OAuth access. |
| 128 | + |
| 129 | +--- |
| 130 | + |
| 131 | +### 4. Determine Whether the Activity Is Approved |
| 132 | + |
| 133 | +Validate whether the activity aligns to: |
| 134 | + |
| 135 | +- migration tools |
| 136 | +- eDiscovery workflows |
| 137 | +- journaling solutions |
| 138 | +- mail security products |
| 139 | +- approved enterprise applications |
| 140 | +- known automation |
| 141 | + |
| 142 | +**Why this matters:** |
| 143 | +Some applications legitimately access mailbox data at scale and can resemble suspicious behavior. |
| 144 | + |
| 145 | +--- |
| 146 | + |
| 147 | +### 5. Check for High-Value or Targeted Mailbox Access |
| 148 | + |
| 149 | +Determine whether the activity involved: |
| 150 | + |
| 151 | +- executives |
| 152 | +- finance |
| 153 | +- HR |
| 154 | +- legal |
| 155 | +- admins |
| 156 | +- sensitive shared mailboxes |
| 157 | + |
| 158 | +Also assess whether the identity accessed: |
| 159 | + |
| 160 | +- only its own mailbox |
| 161 | +- multiple mailboxes |
| 162 | +- unexpected high-value targets |
| 163 | + |
| 164 | +**Why this matters:** |
| 165 | +Targeting sensitive mailboxes can indicate focused intelligence gathering or theft. |
| 166 | + |
| 167 | +--- |
| 168 | + |
| 169 | +### 6. Review for Follow-On Collection or Exfiltration |
| 170 | + |
| 171 | +Look for nearby indicators such as: |
| 172 | + |
| 173 | +- mail export |
| 174 | +- forwarding rule creation |
| 175 | +- inbox rule changes |
| 176 | +- download behavior |
| 177 | +- additional Graph enumeration |
| 178 | +- SharePoint or OneDrive access bursts |
| 179 | + |
| 180 | +**Why this matters:** |
| 181 | +Mail access becomes much more serious when followed by export, forwarding, or broader cloud collection activity. |
| 182 | + |
| 183 | +--- |
| 184 | + |
| 185 | +## Benign Explanations |
| 186 | + |
| 187 | +Common legitimate scenarios include: |
| 188 | + |
| 189 | +1. Migration tools |
| 190 | +2. eDiscovery, journaling, or approved admin search workflows |
| 191 | +3. Application integrations that legitimately access mail at scale |
| 192 | + |
| 193 | +## Suspicious Indicators |
| 194 | + |
| 195 | +Escalate concern when you observe: |
| 196 | + |
| 197 | +- Graph mail access by an unusual user or app |
| 198 | +- device code or risky sign-ins nearby |
| 199 | +- new or suspicious consent grants |
| 200 | +- access from unfamiliar IP addresses |
| 201 | +- multiple sensitive mailboxes accessed |
| 202 | +- follow-on export, forwarding, or download behavior |
| 203 | + |
| 204 | +## Triage Decision |
| 205 | + |
| 206 | +### Close as Benign / False Positive |
| 207 | + |
| 208 | +Close as benign when: |
| 209 | + |
| 210 | +- the user or application is approved |
| 211 | +- the activity matches known admin or business workflows |
| 212 | +- no suspicious sign-in or follow-on behavior is observed |
| 213 | + |
| 214 | +### Escalate as Suspicious |
| 215 | + |
| 216 | +Escalate when: |
| 217 | + |
| 218 | +- the access burst is unusual for the identity or app |
| 219 | +- identity anomalies are present |
| 220 | +- high-value mailboxes were touched |
| 221 | +- follow-on collection behavior is suspected |
| 222 | + |
| 223 | +### Escalate as Likely Malicious |
| 224 | + |
| 225 | +Escalate as likely malicious when: |
| 226 | + |
| 227 | +- evidence supports OAuth abuse or compromised credentials |
| 228 | +- sensitive mailbox access is unexplained |
| 229 | +- export, forwarding, or additional collection is confirmed |
| 230 | + |
| 231 | +## Response Actions |
| 232 | + |
| 233 | +Depending on findings, consider: |
| 234 | + |
| 235 | +- restricting or disabling the affected account or application |
| 236 | +- revoking tokens or OAuth grants |
| 237 | +- reviewing mailbox audit logs |
| 238 | +- investigating related cloud collection activity |
| 239 | +- escalating to incident response for suspected mailbox compromise |
| 240 | + |
| 241 | +## Example Analyst Notes Template |
| 242 | + |
| 243 | +### Analyst Summary |
| 244 | + |
| 245 | +Alert fired for a burst of Microsoft Graph mail access activity, potentially indicating mailbox reconnaissance or collection. |
| 246 | + |
| 247 | +### Key Findings |
| 248 | + |
| 249 | +- **Affected user or application:** |
| 250 | +- **Source IPs:** |
| 251 | +- **Action volume:** |
| 252 | +- **Action types:** |
| 253 | +- **Expected business purpose:** |
| 254 | +- **Risky sign-in or consent activity:** |
| 255 | +- **High-value mailbox access:** |
| 256 | +- **Follow-on export or forwarding behavior:** |
| 257 | +- **Final assessment:** |
| 258 | + |
| 259 | +### Recommended Disposition |
| 260 | + |
| 261 | +- Benign / False Positive |
| 262 | +- Suspicious - Needs Deeper Investigation |
| 263 | +- Confirmed Malicious |
| 264 | + |
| 265 | +## Validation Guidance |
| 266 | + |
| 267 | +Tune thresholds against known mail clients, admin workflows, and approved tenant applications so legitimate Graph-heavy integrations do not overwhelm the rule. |
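Review bot: the Detection Logic Summary does not let the analyst answer Investigation Step 5 from the alert itself, because the rule is described as capturing only `action types observed` and `source IPs associated with the activity`, while Step 5 asks whether the identity accessed `only its own mailbox`, `multiple mailboxes` or `unexpected high-value targets`. Consider documenting (and having the rule project) the target mailbox or mailbox owner per action and a distinct-mailbox count alongside the existing summary fields. Two smaller gaps in the same section: `It summarizes activity by: ... user` does not say which CloudAppEvents field is used as the user key or how app-only (service principal) activity is keyed, which Step 1 depends on; and `ActionCount >= 20` is stated as a fixed threshold while the Validation Guidance and Benign Explanations sections assume tuning and approved-app exclusions, so state where the exclusion list for migration, eDiscovery and journaling applications lives (a watchlist or an in-rule allowlist) so it is maintained with the rule rather than rediscovered during every triage.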