Query Details

MailItemsAccessed by Compromised account

MDCA MDO Mail Items Accessed By Compromised Account

Query

let InputEmailDirection = pack_array("Inbound","Outbound","Intra-org","Unknown");
let SearchWindow = 48h; //Customizable h = hours, d = days;
let AccountObjectIdInput = "c0a9a020-xxxx-xxxx-xxxx-2b5f0f5aa860";
CloudAppEvents
| where Timestamp > ago(SearchWindow)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId =~ AccountObjectIdInput
| extend Folders = parse_json(RawEventData).Folders
| extend FolderItems = Folders[0].FolderItems, OperationCount = tostring(RawEventData.OperationCount)
| mv-expand FolderItems
| extend InternetMessageId = tostring(FolderItems.InternetMessageId)
| project InternetMessageId, AccountObjectId, AccountDisplayName, DeviceType, MailAccessedTime = Timestamp, OperationCount
// Include MailItemsAccessed accessed mails that can and cannot be enriched with EmailEvents info
| join kind=leftouter (EmailEvents 
    | where EmailDirection in (InputEmailDirection) 
    | project EmailRecieveTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, InternetMessageId, NetworkMessageId) on InternetMessageId
| project-reorder MailAccessedTime, EmailRecieveTime, SenderFromAddress, RecipientEmailAddress, Subject, OperationCount

About this query

Explanation

This query is designed to identify and list email access activities performed by a potentially compromised account within a specified time frame. Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at email access activities within the last 48 hours, but this can be adjusted to cover different periods.

  2. Account Focus: The query specifically targets activities associated with a particular account, identified by its unique AccountObjectId.

  3. Action Type: It filters for actions labeled as "MailItemsAccessed," which indicates that emails were accessed by the account.

  4. Data Extraction: The query extracts details about the accessed emails, such as the folders they were in, the number of operations performed, and the unique message IDs.

  5. Email Details: It attempts to enrich the data by joining it with additional email event information, such as the time the email was received, the sender's address, the recipient's address, and the email subject.

  6. Output: The final output is a list of accessed emails, showing when they were accessed, when they were received, who sent and received them, the email subject, and the number of operations performed on them.

This query is useful for investigating suspicious activities related to email access by compromised accounts, helping security teams understand the scope and details of potential breaches.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEventsEmailEvents

Keywords

MailItemsAccessedAccountCloudAppEventsEmailEventsDeviceTypeInternetMessageIdAccountObjectIdAccountDisplayNameEmailDirectionSenderFromAddressRecipientEmailAddressSubjectNetworkMessageId

Operators

letpack_arrayagowhere===~extendparse_jsontostringmv-expandprojectjoinkind=leftouterproject-reorder

Actions

GitHub