Enumeration of inboxes accessible by a user in the Microsoft Graph API

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ms_graph_security_open_inbox_enumeration {

  meta:
    author = "Google Cloud Security"
    description = "Identify enumeration of inboxes across the Entra ID tenant. This detection is based on the Invoke-GraphOpenInboxFinder in GraphRunner but the concepts are applicable to other tools that scan for accessible inboxes."
    rule_id = "mr_94dbfeae-2a20-472d-b359-9784b66213e7"
    rule_name = "Enumeration of inboxes accessible by a user in the Microsoft Graph API"
    assumption = "User agent and IP address of the admin consoles that normally interact with the application listing can be filtered out to reduce detections."
    reference = "https://github.com/dafthack/GraphRunner/blob/main/GraphRunner.ps1"
    type = "Alert"
    data_source = "MS Graph Activity Logs"
    platform = "Azure"
    severity = "Medium"
    priority = "Medium"

  events:
    $api.metadata.event_type = "NETWORK_HTTP"
    $api.metadata.product_event_type = "Microsoft Graph Activity"
    re.regex($api.target.url, `^https://graph.microsoft.com/v1.0/users/.*/mailFolders/Inbox/messages$`) nocase
    //Can be tuned for specific User Agent strings being used
    //$api.network.http.user_agent = /PowerShell/ nocase
    $api.network.http.method = "GET"
    $api.principal.ip[0] = $ip
    $api.network.session_id = $session
    re.capture($api.target.url, `^https://graph.microsoft.com/v1.0/users/(.*)/mailFolders/Inbox/messages$`) = $scanned_user

  match:
    $ip, $session over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($api.metadata.id)
    $requesting_user_guid = array_distinct($api.principal.user.userid)
    //Using $ip placeholder variable since we specify first value in repeated field only, if repeated field is used, it can cause duplicate counts in sums below
    $requesting_ip = array_distinct($ip)
    $user_agent = array_distinct($api.network.http.user_agent)
    $location = array_distinct($api.principal.location.name)
    $target_application_id_guid = array_distinct($api.target.resource.product_object_id)
    $session_id = array_distinct($api.network.session_id)
    $total_scanned_users = count($scanned_user)
    $successfully_scanned_users = array_distinct(if($api.network.http.response_code = 200, $scanned_user,""))
    //Provide breakdown of inboxes that the user scanning can access, can't find and are unauthorized based on http response code
    $successful_access = sum(if($api.network.http.response_code = 200, 1,0))
    $forbidden_access = sum(if($api.network.http.response_code = 403, 1,0))
    $inbox_not_found = sum(if($api.network.http.response_code = 404, 1,0))
    $inbox_other = sum(if($api.network.http.response_code != 404
        and $api.network.http.response_code != 403
        and $api.network.http.response_code != 200, 1,0))

  condition:
    //Can remove the total_scanned_users to detect everytime this endpoint is called or use this as a threshold to eliminate stray calls
    $api and $total_scanned_users > 10
    //Another option is to trigger based on the number of successful inboxes enumerated instead of the total number of inboxes scanned
    //$api and $successful_access > 2
}