Graph Mail Permissions

# List MS Graph Mail Permissions Added

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1098.002 | Account Manipulation: Additional Email Delegate Permissions| https://attack.mitre.org/techniques/T1098/002/ |

#### Description
The Graph API can be used to read and send mail, among other actions. The Mail*.All permissions in particular are highly privileged and should be scoped to specific mailboxes where possible. This query can be used both to assess the mail permissions that have already been granted and to detect malicious mail permissions being added to applications.

#### Risk
Adversaries can use applications to read sensitive mail or to send malicious mail from your domain.

#### References
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://github.com/f-bader/AzSentinelQueries/blob/master/HuntingQueries/GrantHighPrivilegeMicrosoftGraphPermissions.yaml
- https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

## Sentinel
```KQL
AuditLogs
| where Category == "ApplicationManagement"
| where ActivityDisplayName in ("Add delegated permission grant", "Add app role assignment to service principal")
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| extend InitiatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| extend IP = tostring(todynamic(InitiatedBy).user.ipAddress)
| extend ServicePrincipalAppId = iff(OperationName == "Add delegated permission grant", replace_string(tostring(todynamic(TargetResources).modifiedProperties[2].newValue),'"','') , replace_string(tostring(todynamic(TargetResources).modifiedProperties[5].newValue),'"',''))
| where AddedPermission has_all ("Mail", ".")
| summarize Permissions = make_set(AddedPermission) by ServicePrincipalAppId, IP, InitiatedByUserPrincipalName
| extend TotalPermissions = array_length(Permissions)
| project TotalPermissions, ServicePrincipalAppId, InitiatedByUserPrincipalName, IP, Permissions
| sort by TotalPermissions
```

## Explanation

This query is used to list the Microsoft Graph mail permissions that have been added. It looks for audit logs related to application management and filters for activities that involve adding delegated permission grants or app role assignments to service principals. It then expands the target resources and modified properties, extracts relevant information such as the user principal name, added permissions, IP address, and service principal app ID. The query filters for added permissions that include "Mail" and ".", and summarizes the permissions by service principal app ID, IP address, and user principal name. The result is sorted by the total number of permissions. The purpose of this query is to assess the current added permissions and detect any malicious mail permissions added to applications. The risk is that adversaries can use applications to read sensitive mails or send out malicious mails from your domain.
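As an added example (not part of the original page or the author's query), the following Python reproduces the query's filter, expand and summarize stages over constructed AuditLogs-shaped records, so the index assumptions (`modifiedProperties[2]` for delegated grants, `[5]` for app role assignments), the term-based `has_all` filter and the descending default of `sort by` can be checked offline. Field names follow the KQL above; all sample values are constructed.

```python
import re
from collections import defaultdict

DELEGATED, APP_ROLE = "Add delegated permission grant", "Add app role assignment to service principal"
APP_ID_INDEX = {DELEGATED: 2, APP_ROLE: 5}  # modifiedProperties index the KQL's iff() reads the app id from

def _row(activity, upn, ip, new_values):
    """Build one constructed AuditLogs record with just the fields the KQL touches."""
    return {"Category": "ApplicationManagement", "ActivityDisplayName": activity,
            "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "TargetResources": [{"displayName": "Microsoft Graph",
                                 "modifiedProperties": [{"newValue": f'"{v}"'} for v in new_values]}]}

# Constructed sample rows (not real tenant data); newValue strings carry their JSON quotes, as in the log.
SAMPLE_AUDIT_LOGS = [
    _row(APP_ROLE, "admin@contoso.example", "203.0.113.10", ["role-id", "Mail.ReadWrite", "Mailer App",
         "sp-object-id", "graph-resource-id", "11111111-2222-3333-4444-555555555555"]),
    _row(APP_ROLE, "admin@contoso.example", "203.0.113.10", ["role-id", "Mail.Send", "Mailer App",
         "sp-object-id", "graph-resource-id", "11111111-2222-3333-4444-555555555555"]),
    _row(DELEGATED, "admin@contoso.example", "203.0.113.10",
         ["AllPrincipals", "Mail.Read Mail.Send", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]),
    _row(DELEGATED, "dev@contoso.example", "198.51.100.7",  # User.Read only: must be filtered out
         ["AllPrincipals", "User.Read", "ffffffff-0000-0000-0000-000000000000"]),
]

def _is_mail_permission(value):
    """has_all ("Mail", "."): KQL `has` matches whole terms, so "Mailer App" does not qualify."""
    return "Mail" in re.split(r"[^A-Za-z0-9]+", value) and "." in value

def find_added_mail_permissions(records):
    """Reproduce the summarize/project/sort stage; KQL `sort by` is descending by default."""
    grouped = defaultdict(set)
    for rec in records:
        idx = APP_ID_INDEX.get(rec.get("ActivityDisplayName"))
        if rec.get("Category") != "ApplicationManagement" or idx is None:
            continue
        user = rec.get("InitiatedBy", {}).get("user", {})
        ip, upn = user.get("ipAddress", ""), user.get("userPrincipalName", "")
        for target in rec.get("TargetResources", []):            # mv-expand TargetResources
            if target.get("displayName") != "Microsoft Graph":
                continue
            props = target.get("modifiedProperties", [])
            app_id = props[idx]["newValue"].replace('"', "") if len(props) > idx else ""  # replace_string(...,'"','')
            for prop in props:                                   # mv-expand modifiedProperties
                perm = (prop.get("newValue") or "").replace('"', "")
                if _is_mail_permission(perm):
                    grouped[(app_id, ip, upn)].add(perm)         # make_set(AddedPermission)
    rows = [{"TotalPermissions": len(p), "ServicePrincipalAppId": a, "InitiatedByUserPrincipalName": u,
             "IP": i, "Permissions": sorted(p)} for (a, i, u), p in grouped.items()]
    return sorted(rows, key=lambda r: -r["TotalPermissions"])
```

Running `find_added_mail_permissions(SAMPLE_AUDIT_LOGS)` yields two rows: the app role assignments collapse into one row with two permissions, the delegated grant keeps its space-separated scope string as a single set member, and the User.Read grant is dropped.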

## Details

Bert-Jan Pals

Released: November 22, 2023

#### Tables

AuditLogs

#### Keywords

Devices,Intune,User,Graph,Mail
