Exchange workflow MailItemsAccessed operation anomaly

Status: available
Severity: medium
Time window: 14d
Source: github.com/Azure/Azure-Sentinel

Identifies anomalous increases in Exchange mail items accessed operations. The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive actions should be further investigated for malicious activity. Manually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria. Read more about MailItemsAccessed- https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1114` Email Collection

Event coverage

Provider	Event
M365-ExchangeItemAggregated	MailItemsAccessed

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

M365 Exchange Mailbox Accessed by Unusual Client (Elastic)
M365 Exchange Mailbox Items Accessed Excessively (Elastic)
O365 Multiple Mailboxes Accessed via API (Splunk)
O365 OAuth App Mailbox Access via EWS (Splunk)
O365 OAuth App Mailbox Access via Graph API (Splunk)

Rule body kusto

id: b4ceb583-4c44-4555-8ecf-39f572e827ba
name: Exchange workflow MailItemsAccessed operation anomaly
description: |
  'Identifies anomalous increases in Exchange mail items accessed operations.
  The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.
  Sudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.
  Manually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.
  Read more about MailItemsAccessed- https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Exchange)
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
relevantTechniques:
  - T1114
tags:
  - Solorigate
  - NOBELIUM
query: |
  let starttime = 14d;
  let endtime = 1d;
  let timeframe = 1h;
  let scorethreshold = 1.5;
  let percentthreshold = 50;
  // Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.
  let TimeSeriesData =
  OfficeActivity
  | where TimeGenerated  between (startofday(ago(starttime))..startofday(ago(endtime)))
  | where OfficeWorkload=~ "Exchange" and Operation =~ "MailItemsAccessed" and ResultStatus =~ "Succeeded"
  | project TimeGenerated, Operation, MailboxOwnerUPN
  | make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;
  let TimeSeriesAlerts = TimeSeriesData
  | extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')
  | mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)
  | where anomalies > 0
  | project TimeGenerated, Total, baseline, anomalies, score;
  // Joining the flagged outlier from the previous step with the original dataset to present contextual information
  // during the anomalyhour to analysts to conduct investigation or informed decisions.
  TimeSeriesAlerts | where TimeGenerated > ago(2d)
  // Join against base logs since specified timeframe to retrive records associated with the hour of anomoly
  | join kind=innerunique (
      OfficeActivity
      | where TimeGenerated > ago(2d)
      | extend DateHour = bin(TimeGenerated, 1h)
      | where OfficeWorkload=~ "Exchange" and Operation =~ "MailItemsAccessed" and ResultStatus =~ "Succeeded"
      | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)
      | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies
      | order by HourlyCount desc
  ) on TimeGenerated
  | extend PercentofTotal = round(HourlyCount/Total, 2) * 100
  | where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events
  | order by PercentofTotal desc
  | project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies
  | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserId
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: Client_IPAddress
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIPMax
version: 2.0.6
kind: Scheduled

Stages and Predicates

Parameters

let starttime = 14d;
let endtime = 1d;
let timeframe = 1h;
let scorethreshold = 1.5;
let percentthreshold = 50;

The stages below define let TimeSeriesAlerts (the rule's main pipeline source).

Stage 1: `source`

OfficeActivity

Stage 2: `where`

| where TimeGenerated  between (startofday(ago(starttime))..startofday(ago(endtime)))

Stage 3: `where`

| where OfficeWorkload=~ "Exchange" and Operation =~ "MailItemsAccessed" and ResultStatus =~ "Succeeded"

Stage 4: `project`

| project TimeGenerated, Operation, MailboxOwnerUPN

The stages below score time-series anomalies (make-series, series_decompose_anomalies).

Stage 5: `summarize`

| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe

Stage 6: `extend`

| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')

Stage 7: `mv-expand`

| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)

Stage 8: `where`

| where anomalies > 0

Stage 9: `project`

| project TimeGenerated, Total, baseline, anomalies, score

The stages below run on TimeSeriesAlerts (the outer pipeline).

Stage 10: `where`

TimeSeriesAlerts
| where TimeGenerated > ago(2d)

Stage 11: `join`

| join kind=innerunique (
    OfficeActivity
    | where TimeGenerated > ago(2d)
    | extend DateHour = bin(TimeGenerated, 1h)
    | where OfficeWorkload=~ "Exchange" and Operation =~ "MailItemsAccessed" and ResultStatus =~ "Succeeded"
    | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h)
    | where HourlyCount > 25
    | order by HourlyCount desc
) on TimeGenerated

Stage 12: `extend`

| extend PercentofTotal = round(HourlyCount/Total, 2) * 100

Stage 13: `where`

| where PercentofTotal > percentthreshold

Stage 14: `sort`

| order by PercentofTotal desc

Stage 15: `project-reorder`

| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId, SourceIPMax, IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies

Stage 16: `extend`

| extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`HourlyCount`	gt	`25` transforms: `cased`
`OfficeWorkload`	eq	`Exchange`
`Operation`	eq	`MailItemsAccessed`
`PercentofTotal`	gt	`50` transforms: `cased`
`ResultStatus`	eq	`Succeeded`
`anomalies`	gt	`0` transforms: `cased`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`TimeGenerated`	`project`
`Total`	`project`
`anomalies`	`project`
`baseline`	`project`
`score`	`project`
`PercentofTotal`	`extend`
`AccountName`	`extend`
`AccountUPNSuffix`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Exchange workflow MailItemsAccessed operation anomaly

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `project`

Stage 5: `summarize`

Stage 6: `extend`

Stage 7: `mv-expand`

Stage 8: `where`

Stage 9: `project`

Stage 10: `where`

Stage 11: `join`

Stage 12: `extend`

Stage 13: `where`

Stage 14: `sort`

Stage 15: `project-reorder`

Stage 16: `extend`

Indicators

Output fields

Keyboard shortcuts

Search operators

Exchange workflow MailItemsAccessed operation anomaly

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: project

Stage 5: summarize

Stage 6: extend

Stage 7: mv-expand

Stage 8: where

Stage 9: project

Stage 10: where

Stage 11: join

Stage 12: extend

Stage 13: where

Stage 14: sort

Stage 15: project-reorder

Stage 16: extend

Indicators

Output fields

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `project`

Stage 5: `summarize`

Stage 6: `extend`

Stage 7: `mv-expand`

Stage 8: `where`

Stage 9: `project`

Stage 10: `where`

Stage 11: `join`

Stage 12: `extend`

Stage 13: `where`

Stage 14: `sort`

Stage 15: `project-reorder`

Stage 16: `extend`