MailItemsAccessed by Compromised account
MDCA MDO Mail Items Accessed By Compromised Account
Query
let InputEmailDirection = pack_array("Inbound","Outbound","Intra-org","Unknown");
let SearchWindow = 48h; //Customizable h = hours, d = days;
let AccountObjectIdInput = "c0a9a020-xxxx-xxxx-xxxx-2b5f0f5aa860";
CloudAppEvents
| where Timestamp > ago(SearchWindow)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId =~ AccountObjectIdInput
| extend Folders = parse_json(RawEventData).Folders
| extend FolderItems = Folders[0].FolderItems, OperationCount = tostring(RawEventData.OperationCount)
| mv-expand FolderItems
| extend InternetMessageId = tostring(FolderItems.InternetMessageId)
| project InternetMessageId, AccountObjectId, AccountDisplayName, DeviceType, MailAccessedTime = Timestamp, OperationCount
// Include MailItemsAccessed accessed mails that can and cannot be enriched with EmailEvents info
| join kind=leftouter (EmailEvents
| where EmailDirection in (InputEmailDirection)
| project EmailRecieveTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, InternetMessageId, NetworkMessageId) on InternetMessageId
| project-reorder MailAccessedTime, EmailRecieveTime, SenderFromAddress, RecipientEmailAddress, Subject, OperationCountAbout this query
Explanation
This query is designed to identify and list email access activities performed by a potentially compromised account within a specified time frame. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at email access activities within the last 48 hours, but this can be adjusted to cover different periods.
-
Account Focus: The query specifically targets activities associated with a particular account, identified by its unique
AccountObjectId. -
Action Type: It filters for actions labeled as "MailItemsAccessed," which indicates that emails were accessed by the account.
-
Data Extraction: The query extracts details about the accessed emails, such as the folders they were in, the number of operations performed, and the unique message IDs.
-
Email Details: It attempts to enrich the data by joining it with additional email event information, such as the time the email was received, the sender's address, the recipient's address, and the email subject.
-
Output: The final output is a list of accessed emails, showing when they were accessed, when they were received, who sent and received them, the email subject, and the number of operations performed on them.
This query is useful for investigating suspicious activities related to email access by compromised accounts, helping security teams understand the scope and details of potential breaches.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators