O365 Email Access By Security Administrator

Try in Splunk Security Cloud

Description

The following analytic identifies when a user with sufficient access to O365 Security & Compliance portal uses premium investigation features (Threat Explorer) to directly view email. Adversaries may exploit privileged access with this premium feature to enumerate or exfiltrate sensitive data.

• Type: TTP

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2024-04-01
• Author: Steven Dick
• ID: c6998a30-fef4-4e89-97ac-3bb0123719b4

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1567	Exfiltration Over Web Service	Exfiltration

T1114

Email Collection

Collection

T1114.002

Remote Email Collection

Collection

Kill Chain Phase

• Actions On Objectives
• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

`o365_management_activity` Workload=SecurityComplianceCenter Operation=AdminMailAccess 
| stats values(Workload) as category, values(MailboxId) as user, values(Operation) as signature, count, min(_time) as firstTime, max(_time) as lastTime by InternetMessageId, UserId 
| rename InternetMessageId as signature_id, UserId as src_user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_email_access_by_security_administrator_filter`

Macros

The SPL above uses the following Macros:

• o365_management_activity
• security_content_ctime

o365_email_access_by_security_administrator_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Workload
• Operation
• MailboxId
• InternetMessageId
• UserId

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Threat Explorer is a premium feature with o365, logging may not be available with proper license.

Known False Positives

Legitamate access by security administators for incident response measures.

Associated Analytic Story

• Data Exfiltration
• Azure Active Directory Account Takeover
• Office 365 Account Takeover

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	A security administrator $src_user$ accessed email messages for $user$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1