Query Details

RULE 06 M365 Exchange Mass Email Download

Query

// Rule    : M365 - Exchange Online Mass Email Download (eDiscovery / OWA Abuse)
// Severity: High
// Tactics : Collection, Exfiltration
// MITRE   : T1114.002 (Email Collection: Remote Email Collection),
//           T1530 (Data from Cloud Storage)
// Freq    : PT1H   Period: PT1H
// Description: Detects a user who generates a large volume of mailbox-access audit
//              records (MailItemsAccessed, MessageViewed, FolderBind, Exchange search)
//              within a single hour, or who issues a mailbox export or compliance
//              search export at all. Insider-threat or compromised-account signal.
// Notes   : - The count is audit records, not messages. MailItemsAccessed is an
//             aggregated record (one row can cover many messages) and requires
//             Purview Audit (Premium) licensing; tenants without it only see the
//             OWA/Outlook operations and the admin cmdlets.
//           - Grouping is per UserId/MailboxOwnerUPN pair, so a delegate spreading
//             access across many mailboxes is only caught via the export cmdlets.
//==========================================================================================

let MassDownloadThreshold = 200;   // audit records per user/mailbox pair in 1 hour
let LookbackPeriod        = 1h;

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
// No RecordType filter: MailItemsAccessed (RecordType ExchangeItemAggregated) and
// SearchQueryInitiatedExchange (RecordType SearchQueryInitiatedExchange) fall outside
// ExchangeItem/ExchangeItemGroup/ExchangeAdmin, so filtering on those three dropped
// them silently. The Operation list below is selective enough on its own.
| where Operation in (
    "MailItemsAccessed", "MessageViewed", "FolderBind",
    "SearchQueryInitiatedExchange", "New-MailboxExportRequest",
    "New-ComplianceSearch", "StartComplianceSearch",
    "New-ComplianceSearchAction")
| summarize
    OperationCount  = count(),
    Operations      = make_set(Operation, 10),
    // Folder is a dynamic column; its Path property holds the mailbox folder for
    // FolderBind/MessageViewed records. Aggregated MailItemsAccessed rows carry an
    // array in Folders instead and contribute nothing here; make_set() skips nulls.
    Folders         = make_set(Folder.Path, 10),
    ClientIPs       = make_set(ClientIP, 5),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by UserId, MailboxOwnerUPN
| where OperationCount >= MassDownloadThreshold
    or Operations has "New-MailboxExportRequest"
    or Operations has "New-ComplianceSearchAction"
| extend AlertSeverity = case(
    Operations has "New-MailboxExportRequest", "High",
    OperationCount >= 500,                     "High",
    "Medium")
| project
    TimeGenerated  = LastSeen,
    FirstSeen,
    UserId,
    MailboxOwnerUPN,
    OperationCount,
    Operations,
    Folders,
    ClientIPs,
    AlertSeverity

Explanation

This query flags accounts that generate an unusually large volume of mailbox-access audit records in Exchange Online, or that issue an export request at all. Either pattern can indicate an insider collecting mail or a compromised account being used to harvest it. Breakdown:

  1. Purpose: Identify a user who reads or searches a large number of mailbox items through OWA/Outlook or Purview mailbox auditing within one hour, or who starts a mailbox export (New-MailboxExportRequest) or a compliance search action (New-ComplianceSearchAction, the cmdlet behind eDiscovery exports).

  2. Threshold: 200 or more matching audit records for one UserId/MailboxOwnerUPN pair in one hour. This counts records, not messages: a MailItemsAccessed record is aggregated and can represent many messages, so the number of items actually touched is usually higher than OperationCount.

  3. Data Source: The OfficeActivity table. MailItemsAccessed and SearchQueryInitiatedExchange only appear in tenants with Purview Audit (Premium) licensing; without it the rule still works on MessageViewed, FolderBind and the admin cmdlets.

  4. Operations Monitored: Mailbox item access (MailItemsAccessed, MessageViewed, FolderBind), Exchange search queries, mailbox export requests, and the compliance search creation, start and action cmdlets.

  5. Alert Criteria:

    • 200 or more matching records for a user/mailbox pair in an hour, or
    • any mailbox export request or compliance search action, regardless of count.

  6. Severity Levels:

    • High if a mailbox export request is present or the record count is 500 or more.
    • Medium otherwise (including compliance search actions below the count threshold).

  7. Output: Time of the last matching record, user ID, mailbox owner, record count, the set of operations, folders touched, client IPs, and the severity.

When triaging, compare ClientIPs against the tenant's known egress ranges and the user's usual sign-in locations, check whether the UserId holds an eDiscovery or Exchange admin role that explains the export, and for a high count against a single mailbox confirm with the mailbox owner whether bulk access (a new device sync, a migration, a manual archive) was expected. Because the rule groups by user and mailbox, a delegate or compromised admin who reads fewer than 200 items from each of many mailboxes will not cross the count threshold; the export cmdlets are the only catch for that pattern.
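The rule's summarize, where and extend stages re-implemented in Python as an added example (not part of the original KQL rule or of the OfficeActivity connector), so the logic can be run offline over constructed audit records. The records, thresholds and the `count_by="messages"` option are constructed for this example; the `Folders[].FolderItems[]` shape follows the MailItemsAccessed audit record and is used to show how far a record count can understate the number of messages touched.

```python
"""Added example: the rule's summarize / where / extend logic in Python, run over
constructed OfficeActivity-style records. Not part of the original KQL rule."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same operation list, thresholds and window as the KQL rule.
WATCHED_OPERATIONS = {
    "MailItemsAccessed", "MessageViewed", "FolderBind",
    "SearchQueryInitiatedExchange", "New-MailboxExportRequest",
    "New-ComplianceSearch", "StartComplianceSearch", "New-ComplianceSearchAction",
}
EXPORT_OPERATIONS = {"New-MailboxExportRequest", "New-ComplianceSearchAction"}
MASS_DOWNLOAD_THRESHOLD = 200
HIGH_COUNT_THRESHOLD = 500
LOOKBACK = timedelta(hours=1)
NOW = datetime(2026, 3, 18, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def message_count(record):
    """MailItemsAccessed is aggregated: one record lists the messages it covers in
    Folders[].FolderItems[]. Count those when present; any other record is one item."""
    items = sum(len(f.get("FolderItems", [])) for f in record.get("Folders") or [])
    return items or 1


def evaluate(records, now=NOW, count_by="records"):
    """Return alerts keyed by (UserId, MailboxOwnerUPN), mirroring the KQL.

    count_by="records" is the rule's count(); count_by="messages" counts the
    messages behind aggregated records instead, to show what count() misses."""
    window_start = now - LOOKBACK
    groups = defaultdict(lambda: {"count": 0, "ops": set(), "folders": set(),
                                  "ips": set(), "first": None, "last": None})
    for r in records:
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= window_start or r["Operation"] not in WATCHED_OPERATIONS:
            continue
        # Admin cmdlets such as New-MailboxExportRequest leave MailboxOwnerUPN empty;
        # the target mailbox is in Parameters, so they group under (UserId, "").
        g = groups[(r["UserId"], r.get("MailboxOwnerUPN", ""))]
        g["count"] += message_count(r) if count_by == "messages" else 1
        g["ops"].add(r["Operation"])
        folders = r.get("Folders") or ([r["Folder"]] if r.get("Folder") else [])
        g["folders"].update(f["Path"] for f in folders if f.get("Path"))
        if r.get("ClientIP"):
            g["ips"].add(r["ClientIP"])
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)

    alerts = {}
    for key, g in groups.items():
        if g["count"] < MASS_DOWNLOAD_THRESHOLD and not (g["ops"] & EXPORT_OPERATIONS):
            continue
        high = "New-MailboxExportRequest" in g["ops"] or g["count"] >= HIGH_COUNT_THRESHOLD
        alerts[key] = {
            "TimeGenerated": g["last"], "FirstSeen": g["first"],
            "OperationCount": g["count"], "Operations": sorted(g["ops"]),
            "Folders": sorted(g["folders"]), "ClientIPs": sorted(g["ips"]),
            "AlertSeverity": "High" if high else "Medium",
        }
    return alerts


def build_sample_records(now=NOW):
    """Constructed audit records (not real tenant data) covering the rule's main cases."""
    def rec(op, user, minutes_ago, mailbox=None, ip="203.0.113.10", **extra):
        ts = (now - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
        base = {"TimeGenerated": ts, "Operation": op, "UserId": user,
                "MailboxOwnerUPN": user if mailbox is None else mailbox, "ClientIP": ip}
        base.update(extra)
        return base

    records = []
    # alice: 250 OWA message views of her own mailbox from two IPs -> Medium (>=200, <500)
    records += [rec("MessageViewed", "alice@contoso.example", i % 59,
                    ip="203.0.113.10" if i % 2 else "198.51.100.7",
                    Folder={"Path": "\\Inbox"}) for i in range(250)]
    # bob: 5 aggregated MailItemsAccessed records covering 40 messages each (200 messages)
    records += [rec("MailItemsAccessed", "bob@contoso.example", 5 + i,
                    Folders=[{"Path": "\\Sent Items", "FolderItems": [
                        {"InternetMessageId": f"<b{i}-{j}@contoso.example>"} for j in range(40)]}])
                for i in range(5)]
    # carol: a single mailbox export request (admin cmdlet, no MailboxOwnerUPN) -> High
    records.append(rec("New-MailboxExportRequest", "carol@contoso.example", 12, mailbox="",
                       Parameters="-Mailbox ceo@contoso.example -FilePath \\\\fs\\pst\\ceo.pst"))
    # dave: 300 views, but two hours ago -> outside the window, no alert
    records += [rec("MessageViewed", "dave@contoso.example", 120 + i % 30) for i in range(300)]
    # eve: three compliance search actions -> alert regardless of count, Medium
    records += [rec("New-ComplianceSearchAction", "eve@contoso.example", 3 + i) for i in range(3)]
    # frank: an operation the rule does not watch
    records.append(rec("Set-Mailbox", "frank@contoso.example", 1))
    return records


if __name__ == "__main__":
    sample = build_sample_records()
    for key, alert in sorted(evaluate(sample).items()):
        print(key, alert["AlertSeverity"], alert["OperationCount"], alert["Operations"])
    bob = ("bob@contoso.example", "bob@contoso.example")
    print("bob by records:", evaluate(sample).get(bob) is not None,
          "| by messages:", evaluate(sample, count_by="messages")[bob]["OperationCount"])
```

Run as a script it prints three alerts (alice Medium, carol High, eve Medium) and shows that bob, who touched 200 messages through five aggregated records, never reaches the record-count threshold; only the message-based count catches him. That gap is why the 200-record threshold should be read as a floor, not as "200 emails".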

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity

Operators

let, ago(), in, summarize, count(), make_set(), min(), max(), by, where, or, has, extend, case(), project
