diff --git a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml index be1e163ee44..d8d9788d881 100644 --- a/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml +++ b/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml @@ -2,7 +2,7 @@ creation_date = "2025/05/06" integration = ["azure"] maturity = "production" -updated_date = "2026/06/27" +updated_date = "2026/07/02" [rule] author = ["Elastic"] @@ -11,25 +11,25 @@ Identifies access to email resources via Microsoft Graph API using an first-part principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal -object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been -seen doing this activity in the last 14 days. +object ID. This is a New Terms rule that only signals if the application ID, user principal object ID, and source ASN have not been +seen doing this activity historically. """ from = "now-9m" index = ["logs-azure.graphactivitylogs-*"] language = "kuery" license = "Elastic License v2" -name = "Microsoft Graph Request Email Access by Unusual User and Client" +name = "Microsoft Graph Email Access by Unusual User and Client" note = """## Triage and analysis -### Investigating Microsoft Graph Request Email Access by Unusual User and Client +### Investigating Microsoft Graph Email Access by Unusual User and Client -This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days. +This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related API paths, such as `/v1.0/me/messages`, `/v1.0/me/mailFolders/inbox/messages`, or `/v1.0/users/{id}/messages`. The access is performed with a delegated user token issued to a first-party public client (public client authentication, no client secret), which is the token shape produced by phished OAuth refresh tokens or Primary Refresh Tokens (PRTs). This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`), user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`), and source ASN (`azure.graphactivitylogs.properties.source_asn`) have not been seen doing this activity historically. ### Possible Investigation Steps: - `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status. -- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content. -- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders). +- `azure.graphactivitylogs.properties.scopes`: When present, review the delegated scopes on the token. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and confirm the token can interact with mail content. +- `url.path`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders). - `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity. - `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access. - `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services. @@ -80,65 +80,59 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -data_stream.dataset:azure.graphactivitylogs - and azure.graphactivitylogs.properties.app_id:* - and azure.graphactivitylogs.result_signature:200 - and azure.graphactivitylogs.properties.c_idtyp:user - and azure.graphactivitylogs.properties.client_auth_method:0 - and http.request.method:(DELETE or GET or PATCH or POST or PUT) - and ( - ( - url.path:(/v1.0/me/* or /v1.0/users/*) - and ( - url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*) - or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*) - ) - ) - or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send) - ) +data_stream.dataset:azure.graphactivitylogs and + azure.graphactivitylogs.result_signature:200 and + azure.graphactivitylogs.properties.c_idtyp:user and + azure.graphactivitylogs.properties.client_auth_method:0 and + http.request.method:(DELETE or GET or PATCH or POST or PUT) and + url.path:((/beta/me/* or /beta/users/* or /v1.0/me/* or /v1.0/users/*) and (*inbox* or *mail* or *messages*) and not *mailboxSettings*) and + azure.graphactivitylogs.properties.app_id:* and + azure.graphactivitylogs.properties.user_principal_object_id:* and + source.as.number:* ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1114" name = "Email Collection" reference = "https://attack.mitre.org/techniques/T1114/" - [[rule.threat.technique.subtechnique]] id = "T1114.002" name = "Remote Email Collection" reference = "https://attack.mitre.org/techniques/T1114/002/" + + [rule.threat.tactic] id = "TA0009" name = "Collection" reference = "https://attack.mitre.org/tactics/TA0009/" - [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1550" name = "Use Alternate Authentication Material" reference = "https://attack.mitre.org/techniques/T1550/" - [[rule.threat.technique.subtechnique]] id = "T1550.001" name = "Application Access Token" reference = "https://attack.mitre.org/techniques/T1550/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + [rule.new_terms] field = "new_terms_fields" value = [ "azure.graphactivitylogs.properties.app_id", "azure.graphactivitylogs.properties.user_principal_object_id", + "source.as.number", ] [[rule.new_terms.history_window_start]] field = "history_window_start"