You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client (#6378)
* [Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client
* [Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client
* fixing query optimization
Copy file name to clipboardExpand all lines: rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
+23-29Lines changed: 23 additions & 29 deletions
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
creation_date = "2025/05/06"
3
3
integration = ["azure"]
4
4
maturity = "production"
5
-
updated_date = "2026/06/27"
5
+
updated_date = "2026/07/02"
6
6
7
7
[rule]
8
8
author = ["Elastic"]
@@ -11,25 +11,25 @@ Identifies access to email resources via Microsoft Graph API using an first-part
11
11
principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT)
12
12
to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as
13
13
/me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal
14
-
object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been
15
-
seen doing this activity in the last 14 days.
14
+
object ID. This is a New Terms rule that only signals if the application ID, user principal object ID, and source ASN have not been
15
+
seen doing this activity historically.
16
16
"""
17
17
from = "now-9m"
18
18
index = ["logs-azure.graphactivitylogs-*"]
19
19
language = "kuery"
20
20
license = "Elastic License v2"
21
-
name = "Microsoft Graph Request Email Access by Unusual User and Client"
21
+
name = "Microsoft Graph Email Access by Unusual User and Client"
22
22
note = """## Triage and analysis
23
23
24
-
### Investigating Microsoft Graph Request Email Access by Unusual User and Client
24
+
### Investigating Microsoft Graph Email Access by Unusual User and Client
25
25
26
-
This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`)have not been seen doing this activity in the last 14 days.
26
+
This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related API paths, such as `/v1.0/me/messages`, `/v1.0/me/mailFolders/inbox/messages`, or `/v1.0/users/{id}/messages`. The access is performed with a delegated user token issued to a first-party public client (public client authentication, no client secret), which is the token shape produced by phished OAuth refresh tokens or Primary Refresh Tokens (PRTs). This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`), user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`), and source ASN (`azure.graphactivitylogs.properties.source_asn`) have not been seen doing this activity historically.
27
27
28
28
### Possible Investigation Steps:
29
29
30
30
- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status.
31
-
- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.
32
-
- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
31
+
- `azure.graphactivitylogs.properties.scopes`: When present, review the delegated scopes on the token. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and confirm the token can interact with mail content.
32
+
- `url.path`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
33
33
- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.
34
34
- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.
35
35
- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.
0 commit comments