Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/05/06"
integration = ["azure"]
maturity = "production"
updated_date = "2026/06/27"
updated_date = "2026/07/02"

[rule]
author = ["Elastic"]
Expand All @@ -11,25 +11,25 @@ Identifies access to email resources via Microsoft Graph API using an first-part
principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT)
to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as
/me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal
object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been
seen doing this activity in the last 14 days.
object ID. This is a New Terms rule that only signals if the application ID, user principal object ID, and source ASN have not been
seen doing this activity historically.
Comment thread
terrancedejesus marked this conversation as resolved.
"""
from = "now-9m"
index = ["logs-azure.graphactivitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Graph Request Email Access by Unusual User and Client"
name = "Microsoft Graph Email Access by Unusual User and Client"
note = """## Triage and analysis

### Investigating Microsoft Graph Request Email Access by Unusual User and Client
### Investigating Microsoft Graph Email Access by Unusual User and Client

This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.
This rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related API paths, such as `/v1.0/me/messages`, `/v1.0/me/mailFolders/inbox/messages`, or `/v1.0/users/{id}/messages`. The access is performed with a delegated user token issued to a first-party public client (public client authentication, no client secret), which is the token shape produced by phished OAuth refresh tokens or Primary Refresh Tokens (PRTs). This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`), user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`), and source ASN (`azure.graphactivitylogs.properties.source_asn`) have not been seen doing this activity historically.
Comment thread
terrancedejesus marked this conversation as resolved.

### Possible Investigation Steps:

- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal → Enterprise Applications → Search by App ID to determine app details, publisher, and consent status.
- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.
- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
- `azure.graphactivitylogs.properties.scopes`: When present, review the delegated scopes on the token. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and confirm the token can interact with mail content.
- `url.path`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).
- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.
- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.
- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.
Expand Down Expand Up @@ -80,65 +80,59 @@ timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:azure.graphactivitylogs
and azure.graphactivitylogs.properties.app_id:*
and azure.graphactivitylogs.result_signature:200
and azure.graphactivitylogs.properties.c_idtyp:user
and azure.graphactivitylogs.properties.client_auth_method:0
and http.request.method:(DELETE or GET or PATCH or POST or PUT)
and (
(
url.path:(/v1.0/me/* or /v1.0/users/*)
and (
url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)
or azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)
)
)
or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)
)
data_stream.dataset:azure.graphactivitylogs and
azure.graphactivitylogs.result_signature:200 and
azure.graphactivitylogs.properties.c_idtyp:user and
azure.graphactivitylogs.properties.client_auth_method:0 and
http.request.method:(DELETE or GET or PATCH or POST or PUT) and
url.path:((/beta/me/* or /beta/users/* or /v1.0/me/* or /v1.0/users/*) and (*inbox* or *mail* or *messages*) and not *mailboxSettings*) and
azure.graphactivitylogs.properties.app_id:* and
azure.graphactivitylogs.properties.user_principal_object_id:* and
source.as.number:*
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"

[[rule.threat.technique.subtechnique]]
id = "T1114.002"
name = "Remote Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/002/"



[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.new_terms]
field = "new_terms_fields"
value = [
"azure.graphactivitylogs.properties.app_id",
"azure.graphactivitylogs.properties.user_principal_object_id",
"source.as.number",
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
Expand Down
Loading