Skip to content

Commit 6767181

Browse files
[Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client (#6378)
* [Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client * [Rule Tuning] Microsoft Graph Request Email Access by Unusual User and Client * fixing query optimization
1 parent a50dedf commit 6767181

1 file changed

Lines changed: 23 additions & 29 deletions

File tree

rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml

Lines changed: 23 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2025/05/06"
33
integration = ["azure"]
44
maturity = "production"
5-
updated_date = "2026/06/27"
5+
updated_date = "2026/07/02"
66

77
[rule]
88
author = ["Elastic"]
@@ -11,25 +11,25 @@ Identifies access to email resources via Microsoft Graph API using an first-part
1111
principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT)
1212
to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as
1313
/me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal
14-
object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been
15-
seen doing this activity in the last 14 days.
14+
object ID. This is a New Terms rule that only signals if the application ID, user principal object ID, and source ASN have not been
15+
seen doing this activity historically.
1616
"""
1717
from = "now-9m"
1818
index = ["logs-azure.graphactivitylogs-*"]
1919
language = "kuery"
2020
license = "Elastic License v2"
21-
name = "Microsoft Graph Request Email Access by Unusual User and Client"
21+
name = "Microsoft Graph Email Access by Unusual User and Client"
2222
note = """## Triage and analysis
2323
24-
### Investigating Microsoft Graph Request Email Access by Unusual User and Client
24+
### Investigating Microsoft Graph Email Access by Unusual User and Client
2525
26-
This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
26+
This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related API paths, such as `/v1.0/me/messages`, `/v1.0/me/mailFolders/inbox/messages`, or `/v1.0/users/{id}/messages`. The access is performed with a delegated user token issued to a first-party public client (public client authentication, no client secret), which is the token shape produced by phished OAuth refresh tokens or Primary Refresh Tokens (PRTs). This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`), user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`), and source ASN (`azure.graphactivitylogs.properties.source_asn`) have not been seen doing this activity historically.
2727
2828
### Possible Investigation Steps:
2929
3030
- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status.
31-
- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.
32-
- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
31+
- `azure.graphactivitylogs.properties.scopes`: When present, review the delegated scopes on the token. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and confirm the token can interact with mail content.
32+
- `url.path`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
3333
- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.
3434
- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.
3535
- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.
@@ -80,65 +80,59 @@ timestamp_override = "event.ingested"
8080
type = "new_terms"
8181

8282
query = '''
83-
data_stream.dataset:azure.graphactivitylogs
84-
and azure.graphactivitylogs.properties.app_id:*
85-
and azure.graphactivitylogs.result_signature:200
86-
and azure.graphactivitylogs.properties.c_idtyp:user
87-
and azure.graphactivitylogs.properties.client_auth_method:0
88-
and http.request.method:(DELETE or GET or PATCH or POST or PUT)
89-
and (
90-
(
91-
url.path:(/v1.0/me/* or /v1.0/users/*)
92-
and (
93-
url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)
94-
or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)
95-
)
96-
)
97-
or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)
98-
)
83+
data_stream.dataset:azure.graphactivitylogs and
84+
azure.graphactivitylogs.result_signature:200 and
85+
azure.graphactivitylogs.properties.c_idtyp:user and
86+
azure.graphactivitylogs.properties.client_auth_method:0 and
87+
http.request.method:(DELETE or GET or PATCH or POST or PUT) and
88+
url.path:((/beta/me/* or /beta/users/* or /v1.0/me/* or /v1.0/users/*) and (*inbox* or *mail* or *messages*) and not *mailboxSettings*) and
89+
azure.graphactivitylogs.properties.app_id:* and
90+
azure.graphactivitylogs.properties.user_principal_object_id:* and
91+
source.as.number:*
9992
'''
10093

10194

10295
[[rule.threat]]
10396
framework = "MITRE ATT&CK"
104-
10597
[[rule.threat.technique]]
10698
id = "T1114"
10799
name = "Email Collection"
108100
reference = "https://attack.mitre.org/techniques/T1114/"
109-
110101
[[rule.threat.technique.subtechnique]]
111102
id = "T1114.002"
112103
name = "Remote Email Collection"
113104
reference = "https://attack.mitre.org/techniques/T1114/002/"
114105

106+
107+
115108
[rule.threat.tactic]
116109
id = "TA0009"
117110
name = "Collection"
118111
reference = "https://attack.mitre.org/tactics/TA0009/"
119-
120112
[[rule.threat]]
121113
framework = "MITRE ATT&CK"
122-
123114
[[rule.threat.technique]]
124115
id = "T1550"
125116
name = "Use Alternate Authentication Material"
126117
reference = "https://attack.mitre.org/techniques/T1550/"
127-
128118
[[rule.threat.technique.subtechnique]]
129119
id = "T1550.001"
130120
name = "Application Access Token"
131121
reference = "https://attack.mitre.org/techniques/T1550/001/"
132122

123+
124+
133125
[rule.threat.tactic]
134126
id = "TA0005"
135127
name = "Defense Evasion"
136128
reference = "https://attack.mitre.org/tactics/TA0005/"
129+
137130
[rule.new_terms]
138131
field = "new_terms_fields"
139132
value = [
140133
"azure.graphactivitylogs.properties.app_id",
141134
"azure.graphactivitylogs.properties.user_principal_object_id",
135+
"source.as.number",
142136
]
143137
[[rule.new_terms.history_window_start]]
144138
field = "history_window_start"

0 commit comments

Comments
 (0)