Microsoft Graph API Email Access by Unusual Client and User
Detects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.
This rule identifies access to email resources via Microsoft Graph API using a first-party application on behalf of a user principal, which may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. This behavior can lead to unauthorized email access, data exfiltration, and business email compromise. The detection focuses on requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. The rule uses a new_terms aggregation, only signaling if the application ID and user principal object ID combination have not been seen doing this activity in the last 14 days, reducing false positives from common or expected application usage. The detection logic incorporates activity from Microsoft Graph Activity Logs to identify anomalous email access patterns.
Attack Chain
- Initial Access: The attacker gains access to a user's credentials, either through phishing, credential stuffing, or by compromising a Primary Refresh Token (PRT). (T1566, T1110)
- Token Exploitation: The attacker uses the compromised OAuth refresh token or PRT to authenticate to the Microsoft Graph API.
- Application Registration (Optional): The attacker might register a malicious application within Azure AD to facilitate access. (Not explicitly covered but a possibility.)
- Graph API Interaction: The attacker makes requests to the Microsoft Graph API, specifically targeting email resources using email-related scopes such as
Mail.Read,Mail.ReadWrite, orMail.Send. - Email Access: The attacker accesses sensitive email data, potentially reading inbox contents, sending emails, or enumerating mail folders via the
/me/mailFolders/inbox/messagesor/users/{user_id}/messagesendpoints. (T1114) - Data Exfiltration/Manipulation: The attacker exfiltrates sensitive information or manipulates email content for malicious purposes.
- Persistence: The attacker maintains access by continuously using the compromised token or by establishing new persistence mechanisms.
Impact
A successful attack can lead to significant data breaches, financial losses, and reputational damage. Attackers can gain unauthorized access to sensitive email communications, intellectual property, and customer data. Business email compromise (BEC) is a likely outcome, enabling attackers to conduct fraudulent activities. The number of potential victims is vast, encompassing any organization using Microsoft 365 and relying on Azure Active Directory (Entra ID) for authentication.
Recommendation
- Deploy the Sigma rule
Unusual Graph API Email Access by Client and Userto your SIEM to detect anomalous access patterns. Tune the rule by allowlisting known goodapp_idanduser_principal_object_idcombinations to reduce false positives. - Investigate any alerts generated by the Sigma rule by examining the
azure.graphactivitylogs.properties.app_id,user.id,source.ip, andazure.graphactivitylogs.properties.scopesfields in the logs. - Implement Conditional Access policies to restrict OAuth consent and risky sign-ins, mitigating the initial access vector. Refer to the references for guidance.
- Regularly audit and review application permissions within Azure AD to identify and remove any suspicious or overly permissive applications.
- Monitor
azure.auditlogsandazure.signinlogsfor recent application grants and risky sign-ins occurring before or after email access. - Block known malicious applications by
azure.graphactivitylogs.properties.app_idin your Azure AD tenant based on threat intelligence feeds.
Detection coverage 2
Unusual Graph API Email Access by Client and User
mediumDetects unusual combinations of application ID and user principal object ID accessing email resources via Microsoft Graph API.
Suspicious Azure Graph API Request Methods to Mail Resources
mediumDetects the use of unusual HTTP request methods (PATCH, DELETE, PUT) against Microsoft Graph API endpoints related to email resources, suggesting potential manipulation or deletion of mail data.
Detection queries are available on the platform. Get full rules →