Exchange mailbox item operations (aggregated) M365-ExchangeItemAggregated

2 operations, identified by Operation in the audit log.

Operation          Description
_catch_all         Catch-all for M365-ExchangeItemAggregated rules matching the RecordType but no specific Operation.
MailItemsAccessed  A mail client or application accessed mailbox items via MAPI, EWS, or REST; logged for OAuth-authenticated access and admin access.

_catch_all: Exchange mailbox item operations (aggregated) (catch-all)

RecordType: M365-ExchangeItemAggregated

Description

Catch-all for M365-ExchangeItemAggregated rules matching the RecordType but no specific Operation.

Fields

Name                Description
RecordType          AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
Operation           The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
Workload            The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
ResultStatus        Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
UserId              UPN of the user who performed the action; system-account and app@sharepoint values also appear.
UserType            Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
UserKey             Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
ClientIP            IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
ObjectId            For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
OrganizationId      GUID of the tenant's Office 365 organization (constant per tenant).
Id                  Unique identifier (GUID) for the audit record.
CreationTime        UTC date/time when the audit record was generated.
Scope               Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
AppAccessContext    Application context for the user or service principal that performed the action.
LogonType           Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
MailboxOwnerUPN     Email address of the person who owns the accessed mailbox.
MailboxGuid         Exchange GUID of the accessed mailbox.
LogonUserSid        SID of the user who performed the operation.
ExternalAccess      True if the logon user's domain differs from the mailbox owner's domain.
ClientInfoString    Information about the email client used (browser/Outlook version, mobile device info).
ClientIPAddress     IP address of the device used when the operation was logged.
ClientProcessName   The email client used to access the mailbox.
SessionId           Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

References

MailItemsAccessed

RecordType: M365-ExchangeItemAggregated

Description

A mail client or application accessed mailbox items via MAPI, EWS, or REST; logged for OAuth-authenticated access and admin access.

Fields

Name                Description
RecordType          AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
Operation           The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
Workload            The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
ResultStatus        Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
UserId              UPN of the user who performed the action; system-account and app@sharepoint values also appear.
UserType            Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
UserKey             Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
ClientIP            IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
ObjectId            For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
OrganizationId      GUID of the tenant's Office 365 organization (constant per tenant).
Id                  Unique identifier (GUID) for the audit record.
CreationTime        UTC date/time when the audit record was generated.
Scope               Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
AppAccessContext    Application context for the user or service principal that performed the action.
LogonType           Type of user who accessed the mailbox and performed the operation (Owner, Admin, Delegate, ...).
MailboxOwnerUPN     Email address of the person who owns the accessed mailbox.
MailboxGuid         Exchange GUID of the accessed mailbox.
LogonUserSid        SID of the user who performed the operation.
ExternalAccess      True if the logon user's domain differs from the mailbox owner's domain.
ClientInfoString    Information about the email client used (browser/Outlook version, mobile device info).
ClientIPAddress     IP address of the device used when the operation was logged.
ClientProcessName   The email client used to access the mailbox.
SessionId           Unique session identifier; helps separate attacker actions from day-to-day activity on a compromised account.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field             Kind  Value              Rules    Vendors
EventType         eq    MailItemsAccessed  2 rules  elastic
Provider_Name     eq    Exchange           2 rules  elastic
Operation         eq    MailItemsAccessed  1 rule   kusto, splunk
ResultStatus      eq    Succeeded          1 rule   kusto
anomalies         gt    0                  1 rule   kusto
m365::UserType    in    0                  1 rule   elastic
m365::UserType    in    10                 1 rule   elastic
m365::UserType    in    2                  1 rule   elastic
m365::UserType    in    3                  1 rule   elastic
m365::Workload    eq    Exchange           1 rule   kusto

Detection Rules


Elastic

  • M365 Exchange Mailbox Items Accessed Excessively (severity: medium): Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a target's mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
  • M365 Exchange Mailbox Accessed by Unusual Client (severity: medium): Identifies suspicious Microsoft 365 mail access by ClientAppId. This rule detects when a user accesses their mailbox using a client application that is not typically used by the user, which may indicate potential compromise or unauthorized access attempts. Adversaries may use custom or third-party applications to access mailboxes, bypassing standard security controls. First-party Microsoft applications are also abused after OAuth tokens are compromised, allowing adversaries to access mailboxes without raising suspicion.
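A worked version of the "aggregated counts or throttling" logic from the first Elastic rule above, written here as an added example (not Elastic's, Microsoft's or this page's code). It assumes the raw Management Activity API record carries an IsThrottled entry in OperationProperties and lists accessed items under Folders[].FolderItems; the sample records are constructed, and the sliding window generalises the rule's 24-hour check to any window length.

```python
# Added example (not from the page, Elastic or Microsoft). Assumed raw-record layout:
# OperationProperties holds {"Name": "IsThrottled", "Value": "True"} once the
# 1000-items-per-24h limit is hit; Folders[].FolderItems lists the items covered.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 1000            # documented per-24h throttling boundary
WINDOW = timedelta(hours=24)
def _when(value):           # CreationTime is UTC; tolerate a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)
def is_throttled(rec):
    for prop in rec.get("OperationProperties", []):
        if prop.get("Name") == "IsThrottled":
            return str(prop.get("Value")).lower() == "true"
    return False
def items_accessed(rec):
    return sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
def excessive_access(records, threshold=THRESHOLD, window=WINDOW):
    """Map UserId -> reason for every user tripping either signal."""
    flagged, by_user = {}, defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if is_throttled(rec):       # Exchange already hit the limit for this user
            flagged[rec["UserId"]] = "throttled record"
        by_user[rec["UserId"]].append((_when(rec["CreationTime"]), items_accessed(rec)))
    for user, events in by_user.items():
        events.sort()
        start, running = 0, 0
        for ts, n in events:        # sliding window over time-ordered records
            running += n
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > threshold:
                flagged.setdefault(user, f"{running} items within 24h")
                break
    return flagged
def _rec(user, when, n_items, throttled=False):   # constructed sample record
    props = [{"Name": "MailAccessType", "Value": "Bind"},
             {"Name": "IsThrottled", "Value": str(throttled)}]
    items = [{"Id": f"item{i}"} for i in range(n_items)]
    return {"Operation": "MailItemsAccessed", "UserId": user, "MailboxOwnerUPN": user,
            "CreationTime": when, "OperationProperties": props, "Folders": [{"FolderItems": items}]}

SAMPLE = [_rec("alice@example.com", "2024-05-01T08:00:00Z", 600),
          _rec("alice@example.com", "2024-05-01T20:00:00Z", 600),        # 1200 in 12h
          _rec("bob@example.com", "2024-05-01T09:00:00Z", 50, throttled=True),
          _rec("carol@example.com", "2024-05-01T10:00:00Z", 300),
          _rec("carol@example.com", "2024-05-03T10:00:00Z", 800)]        # 48h apart
```

Running `excessive_access(SAMPLE)` flags alice (1200 items inside one window) and bob (a throttled record) but not carol, whose two accesses fall in different 24-hour windows.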

Kusto

YARA-L

References