Skip to content
Threat Feed
medium advisory

Microsoft Graph API Email Access by Unusual Client and User

Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.

This rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.

Attack Chain

  1. Initial Access: The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)
  2. Token Exploitation: The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.
  3. Application Registration (Optional): The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)
  4. Graph API Interaction: The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as Mail.Read, Mail.ReadWrite, or Mail.Send.
  5. Email Access: The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the /me/mailFolders/inbox/messages or /users/{user_id}/messages endpoints. (T1114)
  6. Data Exfiltration/Manipulation: The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.
  7. Persistence: The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.

Impact

A successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.

Recommendation

  • Deploy the Sigma rule Unusual Graph API Email Access by Client and User to your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known good app_id and user_principal_object_id combinations to reduce false positives.
  • Investigate any alerts generated by the Sigma rule by examining the azure.graphactivitylogs.properties.app_id, user.id, source.ip, and azure.graphactivitylogs.properties.scopes fields in the logs.
  • Implement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.
  • Regularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.
  • Monitor azure.auditlogs and azure.signinlogs for recent application grants and risky sign-ins occurring before or after email access.
  • Block known malicious applications by azure.graphactivitylogs.properties.app_id in your Azure AD tenant based on threat intelligence feeds.

Detection coverage 2

Unusual Graph API Email Access by Client and User

medium

Detects unusual combinations of application ID and user principal object ID accessing email resources via Microsoft Graph API.

sigma tactics: collection techniques: T1114 sources: network_connection, azure

Suspicious Azure Graph API Request Methods to Mail Resources

medium

Detects the use of unusual HTTP request methods (PATCH, DELETE, PUT) against Microsoft Graph API endpoints related to email resources, suggesting potential manipulation or deletion of mail data.

sigma tactics: collection techniques: T1114 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →