O365 Mailbox Read Access Granted to Application

Name:O365 Mailbox Read Access Granted to Application
id:27ab61c5-f08a-438a-b4d3-325e666490b3
version:3
date:2024-09-30
author:Mauricio Velazco, Splunk
status:production
type:TTP
Description:The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
Data_source:

• -O365 Update application.

search:`o365_management_activity` Operation="Update application."
| eval json_data=mvindex('ModifiedProperties{}.NewValue', 0)
| eval json_data=replace(json_data, "^\[\s*", "")
| eval json_data=replace(json_data, "\s*\]$", "")
| spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds
| eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01")
| where isnotnull(match_found)
| stats max(_time) as lastTime values(EntitlementIds) as EntitlementIds by Operation, user, object
| `security_content_ctime(lastTime)`
| `o365_mailbox_read_access_granted_to_application_filter`

how_to_implement:You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives:There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.
References:
  -https://attack.mitre.org/techniques/T1098/003/
  -https://attack.mitre.org/techniques/T1114/002/
  -https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
  -https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf
  -https://learn.microsoft.com/en-us/graph/permissions-reference
  -https://graphpermissions.merill.net/permission/Mail.Read
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Office 365 Persistence Mechanisms'
  asset_type:O365 Tenant
  confidence:50
  impact:90
  message:Application registration $object$ was grandes mailbox read access by $user$
  mitre_attack_id:
    - 'T1114.002'
    - 'T1114'
    - 'T1098'
    - 'T1098.003'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:45
  required_fields:
    - 'Operation'
    - '_time'
    - 'ModifiedProperties{}.NewValue'
  security_domain:access

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log
  source: o365
  sourcetype: o365:management:activity
manual_test:None