| 1 | +# Microsoft Graph Mail Access Burst Triage Guide |
| 2 | + |
| 3 | +## Rule Overview |
| 4 | + |
| 5 | +**Title:** Microsoft Graph Mail Access Burst |
| 6 | +**Rule ID:** SENT-COLL-0004 |
| 7 | +**Severity:** Medium |
| 8 | +**Risk Score:** 70 |
| 9 | +**Tactic:** Collection |
| 10 | +**Technique:** T1114 - Email Collection |
| 11 | +**Platform:** Microsoft Sentinel |
| 12 | +**Data Source:** CloudAppEvents |
| 13 | +**Lifecycle:** Experimental |
| 14 | + |
| 15 | +## Purpose |
| 16 | + |
| 17 | +This detection identifies bursts of Microsoft Graph mail search or mail access activity that may indicate post-compromise mailbox collection or reconnaissance. |
| 18 | + |
| 19 | +This matters because attackers with cloud access may use Microsoft Graph to: |
| 20 | + |
| 21 | +- Search mailbox contents |
| 22 | +- Read emails at scale |
| 23 | +- Collect sensitive communications |
| 24 | +- Enumerate high-value targets |
| 25 | +- Prepare for theft, extortion, or further compromise |
| 26 | + |
| 27 | +## Detection Logic Summary |
| 28 | + |
| 29 | +The rule reviews `CloudAppEvents` where: |
| 30 | + |
| 31 | +- `Application == "Microsoft Graph"` |
| 32 | +- `ActionType` includes: |
| 33 | + - `SearchQueryPerformed` |
| 34 | + - `MailItemsAccessed` |
| 35 | + - `MessageBind` |
| 36 | + |
| 37 | +It summarizes activity by: |
| 38 | + |
| 39 | +- 30-minute window |
| 40 | +- user |
| 41 | +- application |
| 42 | + |
| 43 | +The rule alerts when the action count reaches 20 or more within the window. |
| 44 | + |
| 45 | +## Likely Analyst Goal |
| 46 | + |
| 47 | +Determine whether the burst of Graph mail access was: |
| 48 | + |
| 49 | +- Approved admin, migration, journaling, or eDiscovery activity |
| 50 | +- Legitimate application integration behavior |
| 51 | +- Suspicious mailbox reconnaissance or collection after identity compromise |
| 52 | + |
| 53 | +## Initial Triage Questions |
| 54 | + |
| 55 | +1. Which user or application performed the mail access? |
| 56 | +2. Is this volume of Graph mail activity normal? |
| 57 | +3. Was the activity tied to a known tenant application or integration? |
| 58 | +4. Were there recent risky sign-ins, device code sign-ins, or consent events? |
| 59 | +5. Did the activity target high-value mailboxes or lead to forwarding, export, or download behavior? |
| 60 | + |
| 61 | +--- |
| 62 | + |
| 63 | +## Investigation Steps |
| 64 | + |
| 65 | +### 1. Validate the User or Application Context |
| 66 | + |
| 67 | +Review: |
| 68 | + |
| 69 | +- User identity |
| 70 | +- Account type |
| 71 | +- Associated application |
| 72 | +- Source IP addresses |
| 73 | + |
| 74 | +Determine whether the activity came from: |
| 75 | + |
| 76 | +- A human user |
| 77 | +- A service principal |
| 78 | +- An approved integration |
| 79 | +- An unknown or suspicious application workflow |
| 80 | + |
| 81 | +**Why this matters:** |
| 82 | +Graph access by approved enterprise applications is common, but unexpected users or apps can indicate abuse. |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +### 2. Review the Volume and Timing |
| 87 | + |
| 88 | +Assess: |
| 89 | + |
| 90 | +- Number of actions |
| 91 | +- Time window |
| 92 | +- Types of actions observed |
| 93 | +- Whether the burst is isolated or recurring |
| 94 | + |
| 95 | +Determine whether the pattern suggests: |
| 96 | + |
| 97 | +- Routine application polling |
| 98 | +- Large-scale mail review |
| 99 | +- Sudden collection after sign-in |
| 100 | +- Unusual mailbox targeting |
| 101 | + |
| 102 | +**Why this matters:** |
| 103 | +A concentrated burst of mail access can indicate targeted collection or reconnaissance. |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +### 3. Review Authentication and Identity Signals |
| 108 | + |
| 109 | +Check for nearby: |
| 110 | + |
| 111 | +- Device code sign-ins |
| 112 | +- Risky sign-ins |
| 113 | +- Unfamiliar IP addresses |
| 114 | +- Impossible travel |
| 115 | +- MFA changes |
| 116 | +- OAuth abuse indicators |
| 117 | +- Consent grants |
| 118 | + |
| 119 | +**Why this matters:** |
| 120 | +Mailbox collection often follows identity compromise or OAuth abuse. |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +### 4. Determine Whether the Activity Is Approved |
| 125 | + |
| 126 | +Validate whether the activity aligns to: |
| 127 | + |
| 128 | +- Migration tools |
| 129 | +- eDiscovery workflows |
| 130 | +- Journaling solutions |
| 131 | +- Mail security products |
| 132 | +- Approved enterprise applications |
| 133 | +- Known automation |
| 134 | + |
| 135 | +**Why this matters:** |
| 136 | +Some applications legitimately access mailbox data at scale. |
| 137 | + |
| 138 | +--- |
| 139 | + |
| 140 | +### 5. Check for High-Value or Targeted Mailbox Access |
| 141 | + |
| 142 | +Determine whether the activity involved: |
| 143 | + |
| 144 | +- Executives |
| 145 | +- Finance |
| 146 | +- HR |
| 147 | +- Legal |
| 148 | +- Admins |
| 149 | +- Sensitive shared mailboxes |
| 150 | + |
| 151 | +Also assess whether the user accessed: |
| 152 | + |
| 153 | +- Their own mailbox only |
| 154 | +- Multiple mailboxes |
| 155 | +- Unexpected high-value targets |
| 156 | + |
| 157 | +**Why this matters:** |
| 158 | +Targeting sensitive mailboxes can indicate focused intelligence gathering. |
| 159 | + |
| 160 | +--- |
| 161 | + |
| 162 | +### 6. Review for Follow-On Collection or Exfiltration |
| 163 | + |
| 164 | +Look for nearby indicators such as: |
| 165 | + |
| 166 | +- Mail export |
| 167 | +- Forwarding rule creation |
| 168 | +- Inbox rule changes |
| 169 | +- Download behavior |
| 170 | +- Additional Graph enumeration |
| 171 | +- SharePoint or OneDrive access bursts |
| 172 | + |
| 173 | +**Why this matters:** |
| 174 | +Mail access becomes more serious when followed by export, forwarding, or broader cloud collection. |
| 175 | + |
| 176 | +--- |
| 177 | + |
| 178 | +## Benign Explanations |
| 179 | + |
| 180 | +Common legitimate scenarios include: |
| 181 | + |
| 182 | +1. Migration tools |
| 183 | +2. eDiscovery, journaling, or approved admin search workflows |
| 184 | +3. Application integrations that legitimately access mail at scale |
| 185 | + |
| 186 | +--- |
| 187 | + |
| 188 | +## Suspicious Indicators |
| 189 | + |
| 190 | +Escalate concern when you observe: |
| 191 | + |
| 192 | +- Graph mail access by an unusual user or app |
| 193 | +- Device code or risky sign-ins nearby |
| 194 | +- New or suspicious consent grants |
| 195 | +- Access from unfamiliar IP addresses |
| 196 | +- Multiple sensitive mailboxes accessed |
| 197 | +- Follow-on export, forwarding, or download activity |
| 198 | + |
| 199 | +--- |
| 200 | + |
| 201 | +## Triage Decision |
| 202 | + |
| 203 | +### Close as Benign / False Positive |
| 204 | + |
| 205 | +Close as benign when: |
| 206 | + |
| 207 | +- The user or application is approved |
| 208 | +- Activity matches known admin or business workflows |
| 209 | +- No suspicious sign-in or follow-on behavior is observed |
| 210 | + |
| 211 | +### Escalate as Suspicious |
| 212 | + |
| 213 | +Escalate when: |
| 214 | + |
| 215 | +- The access burst is unusual for the user or app |
| 216 | +- Identity anomalies are present |
| 217 | +- High-value mailboxes were touched |
| 218 | +- Follow-on collection behavior is suspected |
| 219 | + |
| 220 | +### Escalate as Likely Malicious |
| 221 | + |
| 222 | +Escalate as likely malicious when: |
| 223 | + |
| 224 | +- Evidence supports OAuth abuse or compromised credentials |
| 225 | +- Sensitive mailbox access is unexplained |
| 226 | +- Export, forwarding, or additional collection is confirmed |
| 227 | + |
| 228 | +--- |
| 229 | + |
| 230 | +## Response Actions |
| 231 | + |
| 232 | +Depending on findings, consider: |
| 233 | + |
| 234 | +- Disabling or restricting the affected account or application |
| 235 | +- Revoking tokens or OAuth grants |
| 236 | +- Reviewing mailbox audit logs |
| 237 | +- Investigating related cloud collection activity |
| 238 | +- Escalating to incident response for suspected mailbox compromise |
| 239 | + |
| 240 | +--- |
| 241 | + |
| 242 | +## Example Analyst Notes Template |
| 243 | + |
| 244 | +### Analyst Summary |
| 245 | + |
| 246 | +Alert fired for a burst of Microsoft Graph mail access activity, potentially indicating mailbox reconnaissance or collection. |
| 247 | + |
| 248 | +### Key Findings |
| 249 | + |
| 250 | +- **Affected user or application:** |
| 251 | +- **Source IPs:** |
| 252 | +- **Action volume:** |
| 253 | +- **Action types:** |
| 254 | +- **Expected business purpose:** |
| 255 | +- **Risky sign-in or consent activity:** |
| 256 | +- **High-value mailbox access:** |
| 257 | +- **Follow-on export or forwarding behavior:** |
| 258 | +- **Final assessment:** |
| 259 | + |
| 260 | +### Recommended Disposition |
| 261 | + |
| 262 | +- Benign / False Positive |
| 263 | +- Suspicious - Needs Deeper Investigation |
| 264 | +- Confirmed Malicious |
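Review bot: The Detection Logic Summary (`Application == "Microsoft Graph"`, the three `ActionType` values, the 30-minute window and the "20 or more" threshold) documents no exclusions, yet the Benign Explanations and Step 4 lists (migration tools, eDiscovery, journaling, mail security products, approved enterprise applications) are exactly the sources that will trip a flat count-based threshold every polling cycle; suggest adding a short "Tuning / Known Exclusions" subsection under Detection Logic Summary that states whether the rule allowlists approved application identities and where that list lives, so the analyst can tell an expected exclusion gap from a true finding. Two smaller points in the same hunk: `**Technique:** T1114 - Email Collection` could reference the sub-technique T1114.002 (Remote Email Collection), since Graph API access is remote mailbox collection rather than local client collection; and "It summarizes activity by: ... user" should name the `CloudAppEvents` column the per-user aggregation keys on, since triage question 1 ("Which user or application performed the mail access?") depends on the analyst knowing which identity field the alert carries.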