A compromised user account (also called an account takeover) is a type of attack when an attacker gains access to a user account and operates as the user. These types of attacks sometimes cause more damage than the attacker intended. When investigating compromised email accounts, assume that more mail data is compromised than might be indicated by tracing the attacker's actual presence. Depending on the type of data in email messages, you might face regulatory fines unless you can prove that sensitive information wasn't exposed. For example, HIPAA-regulated organizations face significant fines if there's evidence that patient health information (PHI) was exposed. In these cases, attackers are unlikely to be interested in PHI, but organizations still must report data breaches unless they can prove otherwise.
To help you investigate compromised email accounts, we're now auditing accesses of mail data by mail protocols and clients with the MailItemsAccessed mailbox-auditing action. This new audited action helps investigators better understand email data breaches and helps you identify the scope of compromises to specific mail items that might be compromised. The goal of using this new auditing action is forensics defensibility to help assert that a specific piece of mail data wasn't compromised. If an attacker gains access to a specific piece of mail, Exchange Online audits the event even though there's no indication that the mail item was read.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
The MailItemsAccessed mailbox-auditing action
The MailItemsAccessed action is part of Audit (Standard) functionality. It's part of Exchange mailbox auditing and is enabled by default for users that are assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 license.
The MailItemsAccessed mailbox-auditing action covers all mail protocols: POP, IMAP, MAPI, EWS, Exchange ActiveSync, and REST. It also covers both types of accessing mail: sync and bind.
Auditing sync access
Sync operations are only recorded when a mailbox is accessed by a desktop version of the Outlook client for Windows or Mac. During the sync operation, these clients typically download a large set of mail items from the cloud to a local computer. The audit volume for sync operations is huge. So, instead of generating an audit record for each mail item that's synced, we generate one audit record for the mail folder containing the synced items and assume that all mail items in the synced folder are compromised. The access type is recorded in the OperationProperties field of the audit record.
See step 2 in the Use MailItemsAccessed audit records for forensic investigations section for an example of displaying the sync access type in an audit record.
Auditing bind access
A bind operation is an individual access to an email message. For bind access, the InternetMessageId of individual messages is recorded in the audit record. The MailItemsAccessed audit action records bind operations and then aggregates them into a single audit record. All bind operations that occur within a 2-minute interval are aggregated in a single audit record in the Folders field within the AuditData property. Each message that was accessed is identified by its InternetMessageId. The number of bind operations that were aggregated in the record is displayed in the OperationCount field in the AuditData property.
See step 4 in the Use MailItemsAccessed audit records for forensic investigations section for an example of displaying the bind access type in an audit record.
Throttling of MailItemsAccessed audit records
If Exchange Online generates more than 1,000 MailItemsAccessed audit records for a mailbox in less than 24 hours, it stops generating MailItemsAccessed audit records for that mailbox. Once a mailbox is throttled, MailItemsAccessed activity isn't logged for the following 24 hours, so any access during that window goes unrecorded and the mailbox data must be treated as compromised for that period. Recording of MailItemsAccessed activity resumes after the 24-hour period.
Keep the following points in mind about throttling:
- Exchange Online throttles less than 1% of all mailboxes.
- When Exchange Online throttles a mailbox, it only stops generating audit records for MailItemsAccessed activity. Other mailbox auditing actions continue to be recorded.
- If Exchange Online throttles a mailbox, audit logs don't record additional MailItemsAccessed activity.
For an example of displaying the IsThrottled property in an audit record, see Step 1 in the Use MailItemsAccessed audit records for forensic investigations section.
Use MailItemsAccessed audit records for forensic investigations
Mailbox auditing records every access to email messages so that you can state with confidence which messages were, and weren't, compromised. Where the records don't let you rule out access to some data, assume that it was accessed.
Using MailItemsAccessed audit records for forensics purposes typically happens after a data breach is resolved and the attacker is evicted. To begin your investigation, identify the set of mailboxes that the attacker compromised and determine the time frame when the attacker had access to mailboxes in your organization. Then, use the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell to search audit records that correspond to the data breach. You can use the Search-UnifiedAuditLog cmdlet to search for audit records for activity performed by one or more users.
Run one of the following commands to search for MailItemsAccessed audit records:
Unified audit log:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000
The following steps show how to use MailItemsAccessed audit records to investigate a compromised user attack. Each step shows the command syntax for the Search-UnifiedAuditLog cmdlet.
1. Check whether the mailbox is throttled. If so, some mailbox-auditing records aren't logged. If any audit records have the IsThrottled property set to True, assume that for a 24-hour period after the record was generated, any access to the mailbox isn't audited and all mail data is compromised.
To search for MailItemsAccessed records where the mailbox is throttled, run the following command:
Unified audit log:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000 | Where {$_.AuditData -like '*"IsThrottled","Value":"True"*'} | FL
2. Check for sync activities. If an attacker uses an email client to download messages in a mailbox, they can disconnect the computer from the Internet and read the downloaded copies locally without interacting with the server. Mailbox auditing can't record those local reads; only the sync itself is audited.
To search for MailItemsAccessed records where the mail items are accessed by a sync operation, run the following command:
Unified audit log:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 02/20/2020 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000 | Where {$_.AuditData -like '*"MailAccessType","Value":"Sync"*'} | FL
3. Check sync activities to determine whether any of them happened in the same context as the one the attacker used to access the mailbox. Context is identified and differentiated by the IP address of the client computer used to access the mailbox and the mail protocol.
Use the properties listed in the following table to investigate. These properties are located in the AuditData or OperationProperties property. If any of the syncs occur in the same context as the attacker activity, assume the attacker synced all mail items to their client, which means the entire mailbox is compromised.
Property | Description |
---|---|
ClientInfoString | Describes the protocol and the client (including version). |
ClientIPAddress | IP address of the client computer. |
SessionId | Session ID that helps differentiate attacker actions from day-to-day user activities on the same account (useful for compromised accounts). |
UserId | UPN of the user reading the message. |
4. Check for bind activities. After performing steps 2 and 3, you can be confident that all other access to email messages by the attacker is captured in the MailItemsAccessed audit records that have a MailAccessType property with a value of "Bind".
To search for MailItemsAccessed records where the mail items are accessed by a Bind operation, run the following command.
Unified audit log:
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000 | Where {$_.AuditData -like '*"MailAccessType","Value":"Bind"*'} | FL
Email messages that are accessed are identified by their internet message ID. You can also check to see if any audit records have the same context as the ones for other attacker activity.
You can use the audit data for bind operations in two different ways:
- Access or collect all email messages the attacker accessed by using the InternetMessageId to find them and then checking to see if any of those messages contains sensitive information.
- Use the InternetMessageId to search audit records related to a set of potentially sensitive email messages. This is useful if you're concerned only about a few messages.
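The four steps above, carried out as one PowerShell routine over the AuditData payload of each MailItemsAccessed record. This is an added example, not code from the original page or from Microsoft: the audit records are constructed (made-up message IDs, IP addresses and session IDs, with field names following the record layout described on this page), the attacker IP 203.0.113.5 is an assumed value, and Get-MailAccessSummary and Get-OpProperty are hypothetical helper names. It runs offline on the constructed records; for a live investigation, feed it the AuditData property of the Search-UnifiedAuditLog output.

```powershell
# Added example, not code from the original page: run the four investigation steps
# over MailItemsAccessed AuditData payloads. The records below are constructed
# (made-up message IDs, IPs, session IDs); the attacker IP 203.0.113.5 is an
# assumed value; Get-MailAccessSummary and Get-OpProperty are hypothetical names.
$sample = @(
    # Step 1: throttled record -> 24-hour blind spot starting at its CreationTime
    '{"CreationTime":"2020-01-10T08:00:00","Operation":"MailItemsAccessed","UserId":"user1@contoso.example","MailboxOwnerUPN":"user1@contoso.example","LogonType":0,"ClientIPAddress":"203.0.113.5","ClientInfoString":"Client=REST;Client=RESTSystem;;","SessionId":"aaaaaaaa-0000-0000-0000-000000000001","OperationCount":3,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m1@contoso.example>"},{"InternetMessageId":"<m2@contoso.example>"},{"InternetMessageId":"<m3@contoso.example>"}]}]}',
    # Steps 2 and 3: Sync from the attacker's IP -> treat the whole folder as compromised
    '{"CreationTime":"2020-01-12T09:15:00","Operation":"MailItemsAccessed","UserId":"user1@contoso.example","MailboxOwnerUPN":"user1@contoso.example","LogonType":0,"ClientIPAddress":"203.0.113.5","ClientInfoString":"Client=OutlookService;Outlook-Win/16.0","SessionId":"aaaaaaaa-0000-0000-0000-000000000002","OperationCount":1,"OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Sent Items","FolderItems":[]}]}',
    # Step 4: Bind from the attacker's IP -> only the listed InternetMessageIds are in scope
    '{"CreationTime":"2020-01-13T10:00:00","Operation":"MailItemsAccessed","UserId":"user1@contoso.example","MailboxOwnerUPN":"user1@contoso.example","LogonType":0,"ClientIPAddress":"203.0.113.5","ClientInfoString":"Client=REST;Client=RESTSystem;;","SessionId":"aaaaaaaa-0000-0000-0000-000000000003","OperationCount":2,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m4@contoso.example>"},{"InternetMessageId":"<m5@contoso.example>"}]}]}',
    # Owner activity from a different IP -> a different context, not attributed to the attacker
    '{"CreationTime":"2020-01-13T11:30:00","Operation":"MailItemsAccessed","UserId":"user1@contoso.example","MailboxOwnerUPN":"user1@contoso.example","LogonType":0,"ClientIPAddress":"198.51.100.20","ClientInfoString":"Client=OutlookService;Outlook-Win/16.0","SessionId":"bbbbbbbb-0000-0000-0000-000000000004","OperationCount":1,"OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<m6@contoso.example>"}]}]}'
)

function Get-MailAccessSummary {
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,  # AuditData string of each audit record
        [Parameter(Mandatory)][string[]]$AttackerIPs     # client IPs established as the attacker's context
    )
    # OperationProperties is a list of {Name, Value} pairs; pull one entry by name
    function Get-OpProperty($Record, [string]$Name) {
        ($Record.OperationProperties | Where-Object Name -eq $Name).Value
    }
    $records = foreach ($json in $AuditDataJson) { $json | ConvertFrom-Json }

    # Step 1: IsThrottled=True means nothing is audited for 24 hours after that record
    $throttled = foreach ($r in $records) {
        if ((Get-OpProperty $r 'IsThrottled') -eq 'True') {
            $start = [datetime]::Parse($r.CreationTime, [cultureinfo]::InvariantCulture)
            [pscustomobject]@{ Mailbox = $r.MailboxOwnerUPN; BlindFrom = $start; BlindUntil = $start.AddHours(24) }
        }
    }

    # Context is the client IP plus the protocol in ClientInfoString; this example keys on IP
    $attackerRecords = $records | Where-Object { $AttackerIPs -contains $_.ClientIPAddress }

    # Steps 2 and 3: a Sync in the attacker's context compromises the whole synced folder
    $syncedFolders = foreach ($r in $attackerRecords) {
        if ((Get-OpProperty $r 'MailAccessType') -eq 'Sync') {
            foreach ($f in $r.Folders) {
                [pscustomobject]@{ Mailbox = $r.MailboxOwnerUPN; Folder = $f.Path
                                   Client = $r.ClientInfoString; SessionId = $r.SessionId }
            }
        }
    }

    # Step 4: a Bind in the attacker's context exposes only the listed InternetMessageIds
    $boundMessages = foreach ($r in $attackerRecords) {
        if ((Get-OpProperty $r 'MailAccessType') -eq 'Bind') {
            foreach ($f in $r.Folders) {
                foreach ($item in $f.FolderItems) {
                    [pscustomobject]@{ Mailbox = $r.MailboxOwnerUPN; Folder = $f.Path
                                       InternetMessageId = $item.InternetMessageId
                                       Time = $r.CreationTime; SessionId = $r.SessionId }
                }
            }
        }
    }

    [pscustomobject]@{
        ThrottledWindows        = @($throttled)
        FoldersSyncedByAttacker = @($syncedFolders)
        MessagesBoundByAttacker = @($boundMessages | Sort-Object InternetMessageId -Unique)
    }
}

# Offline run over the constructed records. For a live investigation, replace $sample with
# (Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds user1@contoso.example `
#     -Operations MailItemsAccessed -ResultSize 5000).AuditData
$summary = Get-MailAccessSummary -AuditDataJson $sample -AttackerIPs @('203.0.113.5')
$summary.ThrottledWindows        | Format-Table -AutoSize   # periods to treat as fully compromised
$summary.FoldersSyncedByAttacker | Format-Table -AutoSize   # folders to treat as fully compromised
$summary.MessagesBoundByAttacker | Format-Table -AutoSize   # individual messages to pull and review
```

Messages listed under MessagesBoundByAttacker are the ones to retrieve by InternetMessageId and check for sensitive content; anything in a throttled window or a synced folder can't be narrowed further and has to be treated as exposed. The routine keys context on ClientIPAddress only; if the attacker used several protocols from one address, or the owner's IP overlaps with the attacker's, widen or narrow the match with ClientInfoString and SessionId as the table in step 3 suggests. A single Search-UnifiedAuditLog call returns at most 5,000 records; for larger result sets, page through them with -SessionId and -SessionCommand ReturnLargeSet before passing the AuditData strings in.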
Filtering of duplicate audit records
To remove auditing noise, the system filters out duplicate audit records for the same bind operations that occur within an hour of each other. The system also filters out sync operations at one-hour intervals. An exception to this deduplication process occurs if, for the same InternetMessageId, any of the properties described in the following table are different. If one of these properties is different in a duplicate operation, the system generates a new audit record. The next section describes this process in more detail.
Property | Description |
---|---|
ClientIPAddress | IP address of the client computer. |
ClientInfoString | The client protocol and the client used to access the mailbox. |
ParentFolder | The full folder path of the mail item that was accessed. |
Logon_type | The logon type of the user who performed the action. The logon types (and their corresponding Enum value) are Owner (0), Admin (1), or Delegate (2). |
MailAccessType | Whether the access is a bind or a sync operation. |
MailboxUPN | The UPN of the mailbox where the message being read is located. |
User | The UPN of the user reading the message. |
SessionId | The Session ID helps to differentiate attacker actions and day-to-day user activities in the same mailbox (if an account is compromised). For more information about sessions, see Contextualizing attacker activity within sessions in Exchange Online. |