MDCA MDO Mail Items Accessed By Compromised Account

# MailItemsAccessed by Compromised account

## Query Information

#### Description
This query lists the mail items recorded in *MailItemsAccessed* audit events for a suspicious or compromised account, one row per accessed InternetMessageId, and enriches each item with sender, recipient, subject and receive time from EmailEvents where a matching row exists.

Caveats when reading the results: only *Bind* access records name individual messages. *Sync* records (a full-folder sync by a desktop client) identify the folder but not the items, so a synced mailbox can be read in bulk with very few rows here. Exchange Online also throttles the operation: once an account generates more than 1,000 MailItemsAccessed records in 24 hours, further accesses are not logged for the next 24 hours and the record carries `IsThrottled` = `True` in `OperationProperties`. Both cases are described in the reference below.

#### References
- https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts

### Defender XDR
```KQL
let InputEmailDirection = pack_array("Inbound","Outbound","Intra-org","Unknown");
let SearchWindow = 48h; //Customizable h = hours, d = days;
let AccountObjectIdInput = "c0a9a020-xxxx-xxxx-xxxx-2b5f0f5aa860";
CloudAppEvents
| where Timestamp > ago(SearchWindow)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId =~ AccountObjectIdInput
| extend Folders = parse_json(RawEventData).Folders, OperationCount = toint(RawEventData.OperationCount)
// One MailItemsAccessed record can cover several folders; expand all of them, not only Folders[0]
| mv-expand Folders
| extend FolderPath = tostring(Folders.Path), FolderItems = Folders.FolderItems
| mv-expand FolderItems
| extend InternetMessageId = tostring(FolderItems.InternetMessageId)
| project InternetMessageId, AccountObjectId, AccountDisplayName, DeviceType, MailAccessedTime = Timestamp, FolderPath, OperationCount
// Left outer join keeps accessed mails that have no matching EmailEvents row (e.g. older than the EmailEvents retention)
| join kind=leftouter (EmailEvents
    | where EmailDirection in (InputEmailDirection)
    | project EmailReceiveTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, InternetMessageId, NetworkMessageId) on InternetMessageId
| project-reorder MailAccessedTime, EmailReceiveTime, SenderFromAddress, RecipientEmailAddress, Subject, FolderPath, OperationCount
```

### Sentinel
```KQL
let InputEmailDirection = pack_array("Inbound","Outbound","Intra-org","Unknown");
let SearchWindow = 48h; //Customizable h = hours, d = days;
let AccountObjectIdInput = "c0a9a020-xxxx-xxxx-xxxx-2b5f0f5aa860";
CloudAppEvents
| where TimeGenerated > ago(SearchWindow)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId =~ AccountObjectIdInput
| extend Folders = parse_json(RawEventData).Folders, OperationCount = toint(RawEventData.OperationCount)
// One MailItemsAccessed record can cover several folders; expand all of them, not only Folders[0]
| mv-expand Folders
| extend FolderPath = tostring(Folders.Path), FolderItems = Folders.FolderItems
| mv-expand FolderItems
| extend InternetMessageId = tostring(FolderItems.InternetMessageId)
| project InternetMessageId, AccountObjectId, AccountDisplayName, DeviceType, MailAccessedTime = TimeGenerated, FolderPath, OperationCount
// Left outer join keeps accessed mails that have no matching EmailEvents row (e.g. older than the EmailEvents retention)
| join kind=leftouter (EmailEvents
    | where EmailDirection in (InputEmailDirection)
    | project EmailReceiveTime = TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, InternetMessageId, NetworkMessageId) on InternetMessageId
| project-reorder MailAccessedTime, EmailReceiveTime, SenderFromAddress, RecipientEmailAddress, Subject, FolderPath, OperationCount
```

Explanation

This query lists the email items a potentially compromised account accessed within a chosen time window, enriched with what is known about each email. Broken down:

  1. Define parameters:
     - A list of email directions to enrich (Inbound, Outbound, Intra-org, Unknown).
     - A search window of 48 hours, adjustable through SearchWindow.
     - The account of interest, identified by its AccountObjectId.
  2. Filter events:
     - Selects CloudAppEvents rows with ActionType "MailItemsAccessed" inside the window.
     - Keeps only events performed by the specified account.
  3. Extract and expand data:
     - Reads the Folders array from RawEventData and expands the folders and their FolderItems so that every accessed mail item becomes its own row, carrying its InternetMessageId and the record's OperationCount.
     - Sync access records and throttled records carry no FolderItems, so they produce no rows here; check MailAccessType and IsThrottled in OperationProperties separately if bulk access is suspected.
  4. Join with email events:
     - Left outer join to EmailEvents on InternetMessageId, so accessed items with no match (for example, mail older than the EmailEvents retention period, or never processed by Defender for Office 365) are kept with empty enrichment columns.
     - Adds sender, recipient, subject and the time the email was received. EmailEvents holds one row per recipient, so a message delivered to several recipients appears once per recipient.
  5. Project and reorder results:
     - Orders the output as access time, receive time, sender, recipient, subject and operation count, with the remaining columns after them.

This query helps analysts investigate unauthorized mailbox access by a compromised account, giving a per-message view of what was read and when, which is the evidence needed to scope the data exposure.
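The same walk through a MailItemsAccessed record, as an added Python example that is not part of the original query page: it parses constructed records in the shape of CloudAppEvents.RawEventData, expands every folder and item, performs the same left outer join against constructed EmailEvents rows, and additionally counts the Sync and throttled records that list no individual items. It filters on UserId (the UPN inside the audit record) rather than AccountObjectId, and every ID, address and subject is made up.

```python
"""Expand MailItemsAccessed audit records and enrich them like the KQL query does.
Constructed example: the JSON below is made up in the shape of
CloudAppEvents.RawEventData for MailItemsAccessed; no ID, address or subject is real."""
import json

SAMPLE_RAW_EVENTS_JSON = r'''[
 {"CreationTime":"2024-11-05T08:12:30","Operation":"MailItemsAccessed","UserId":"victim@contoso.example",
  "OperationCount":3,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<msg-1@sender.example>"},{"InternetMessageId":"<msg-2@sender.example>"}]},
             {"Path":"\\Sent Items","FolderItems":[{"InternetMessageId":"<msg-3@contoso.example>"}]}]},
 {"CreationTime":"2024-11-05T09:00:00","Operation":"MailItemsAccessed","UserId":"victim@contoso.example",
  "OperationCount":1,"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox","FolderItems":[]}]},
 {"CreationTime":"2024-11-05T09:30:00","Operation":"MailItemsAccessed","UserId":"victim@contoso.example",
  "OperationCount":1,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],
  "Folders":[]},
 {"CreationTime":"2024-11-05T09:45:00","Operation":"MailItemsAccessed","UserId":"other@contoso.example",
  "OperationCount":1,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<msg-9@sender.example>"}]}]}
]'''

# Constructed rows in the shape of EmailEvents; <msg-2> deliberately has no row.
SAMPLE_EMAIL_EVENTS_JSON = r'''[
 {"Timestamp":"2024-11-04T16:02:11","InternetMessageId":"<msg-1@sender.example>","SenderFromAddress":"hr@sender.example",
  "RecipientEmailAddress":"victim@contoso.example","Subject":"Payroll update","EmailDirection":"Inbound"},
 {"Timestamp":"2024-11-04T17:40:05","InternetMessageId":"<msg-3@contoso.example>","SenderFromAddress":"victim@contoso.example",
  "RecipientEmailAddress":"bank@partner.example","Subject":"Wire instructions","EmailDirection":"Outbound"}
]'''

SAMPLE_RAW_EVENTS = json.loads(SAMPLE_RAW_EVENTS_JSON)
SAMPLE_EMAIL_EVENTS = json.loads(SAMPLE_EMAIL_EVENTS_JSON)


def operation_property(record, name):
    """Return the Value of the named OperationProperties entry (e.g. MailAccessType), or None."""
    for prop in record.get("OperationProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def expand_mail_items(record):
    """One row per accessed message, walking every folder rather than only Folders[0].
    Sync and throttled records carry no FolderItems and therefore yield no rows."""
    rows = []
    for folder in record.get("Folders") or []:
        for item in folder.get("FolderItems") or []:
            rows.append({"MailAccessedTime": record["CreationTime"], "UserId": record["UserId"],
                         "FolderPath": folder.get("Path"), "InternetMessageId": item.get("InternetMessageId"),
                         "OperationCount": record.get("OperationCount")})
    return rows


def enrich_with_email_events(rows, email_events):
    """Left outer join on InternetMessageId (as join kind=leftouter): unmatched rows keep None fields."""
    by_id = {}
    for event in email_events:
        by_id.setdefault(event["InternetMessageId"], event)  # first row per id; KQL emits one row per match
    enriched = []
    for row in rows:
        match = by_id.get(row["InternetMessageId"], {})
        enriched.append({**row, "EmailReceiveTime": match.get("Timestamp"),
                         "SenderFromAddress": match.get("SenderFromAddress"),
                         "RecipientEmailAddress": match.get("RecipientEmailAddress"),
                         "Subject": match.get("Subject")})
    return enriched


def investigate(raw_events, email_events, user_id):
    """Reproduce the query for one account (filtered on UserId here, AccountObjectId in KQL) and
    count the records whose items the list cannot show: Sync access and throttled access."""
    rows, sync_records, throttled_records = [], 0, 0
    for record in raw_events:
        if record.get("Operation") != "MailItemsAccessed" or record.get("UserId") != user_id:
            continue
        if operation_property(record, "MailAccessType") == "Sync":
            sync_records += 1
        if operation_property(record, "IsThrottled") == "True":
            throttled_records += 1
        rows.extend(expand_mail_items(record))
    return {"items": enrich_with_email_events(rows, email_events),
            "sync_records": sync_records, "throttled_records": throttled_records}


if __name__ == "__main__":
    result = investigate(SAMPLE_RAW_EVENTS, SAMPLE_EMAIL_EVENTS, "victim@contoso.example")
    for row in result["items"]:
        print(row["MailAccessedTime"], row["FolderPath"], row["InternetMessageId"], row["Subject"])
    print("sync records:", result["sync_records"], "throttled records:", result["throttled_records"])
```

The two counters are the part the KQL output does not surface: a single Sync record or a throttled record can stand for far more mail than the item rows suggest, so a result with few rows but non-zero counters should not be read as limited exposure.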

Details

Bert-Jan Pals

Released: November 5, 2024

Tables: CloudAppEvents, EmailEvents

Keywords: MailItemsAccessed, Account, CloudAppEvents, EmailEvents, DeviceType, InternetMessageId, AccountObjectId, AccountDisplayName, SenderFromAddress, RecipientEmailAddress, Subject, NetworkMessageId

Operators: let, pack_array, ago, ==, =~, parse_json, tostring, mv-expand, project, join, in, project-reorder