[New Rule] Excessive Microsoft 365 Mailbox Items Accessed #4824

@terrancedejesus

Description

Microsoft added a MailItemsAccessed audit event to the M365 audit logs that records when items are accessed in a mailbox. It was introduced to let analysts investigate account takeovers (ATO) and mailbox access. Microsoft aggregates the number of mailbox items accessed and records it in o365.audit.OperationCount. If more than 1000 MailItemsAccessed operations are recorded for a user within 24 hours, the mailbox is throttled and the event carries the IsThrottled status. Microsoft documents that fewer than 1% of all EXO mailboxes are throttled, which makes this a plausible signal. Excessive mailbox access is also a common activity of adversaries such as Void Blizzard or UTA0352.

Target Ruleset

o365

Target Rule Type

Custom (KQL or Lucene)

Tested ECS Version

No response

Query

event.dataset: "o365.audit" and
    event.provider: "Exchange" and
    event.action: "MailItemsAccessed" and
    event.code: "ExchangeItemAggregated" and
    (
        (
            o365.audit.OperationProperties.Name: "IsThrottled" and
            o365.audit.OperationProperties.Value: "True"
        ) or o365.audit.OperationCount >= 100
    )
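To make the proposed logic testable offline, here is an added Python re-implementation of the query above (not code from this issue or from the detection-rules repository) run over constructed o365.audit documents. It assumes the Elastic o365 integration's field layout, with OperationProperties stored as a list of Name/Value objects and the audit UserId mapped to user.id.

```python
from typing import Any, Dict, List

# Threshold taken from the proposed query; Microsoft's own throttling starts at >1000 in 24h.
OPERATION_COUNT_THRESHOLD = 100

def _audit(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return the o365.audit sub-document (empty dict if absent)."""
    return doc.get("o365", {}).get("audit", {})

def _operation_properties(doc: Dict[str, Any]) -> Dict[str, str]:
    """Flatten OperationProperties [{Name, Value}, ...] into a Name -> Value dict."""
    props = _audit(doc).get("OperationProperties", [])
    if isinstance(props, dict):  # a single pair may be stored as one object
        props = [props]
    return {str(p.get("Name")): str(p.get("Value")) for p in props if isinstance(p, dict)}

def matches_rule(doc: Dict[str, Any]) -> bool:
    """Mirror the KQL: dataset/provider/action/code must match, then IsThrottled or the count."""
    event = doc.get("event", {})
    expected = ("o365.audit", "Exchange", "MailItemsAccessed", "ExchangeItemAggregated")
    if (event.get("dataset"), event.get("provider"), event.get("action"), event.get("code")) != expected:
        return False
    throttled = _operation_properties(doc).get("IsThrottled", "").lower() == "true"
    try:
        count = int(_audit(doc).get("OperationCount", 0))
    except (TypeError, ValueError):
        count = 0  # a missing or malformed count never satisfies the threshold
    return throttled or count >= OPERATION_COUNT_THRESHOLD

def alerting_users(docs: List[Dict[str, Any]]) -> List[str]:
    """Return user.id (assumed ECS mapping of UserId) for every document that fires the rule."""
    return [d.get("user", {}).get("id", "<unknown>") for d in docs if matches_rule(d)]

def _mail_event(user: str, count: Any, code: str = "ExchangeItemAggregated", provider: str = "Exchange",
                action: str = "MailItemsAccessed", props: Any = None) -> Dict[str, Any]:
    """Build a constructed o365.audit document in the shape the query expects (not real tenant data)."""
    return {"event": {"dataset": "o365.audit", "provider": provider, "action": action, "code": code},
            "user": {"id": user},
            "o365": {"audit": {"OperationCount": count, "OperationProperties": props or []}}}

SAMPLE_EVENTS = [  # constructed sample documents
    _mail_event("alice@example.com", 12),                                                  # routine access
    _mail_event("bob@example.com", 250),                                                   # count over threshold
    _mail_event("carol@example.com", 1, props=[{"Name": "IsThrottled", "Value": "True"}]),  # throttled mailbox
    _mail_event("dave@example.com", 900, code="ExchangeItem"),                              # non-aggregated record
    _mail_event("erin@example.com", 500, provider="SharePoint", action="FileAccessed"),     # other workload
]

if __name__ == "__main__":
    print(alerting_users(SAMPLE_EVENTS))  # -> ['bob@example.com', 'carol@example.com']
```

Note that the non-aggregated ExchangeItem record with a high count is deliberately excluded, exactly as the event.code clause in the query excludes it.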

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

References

No response

Redacted Example Data

No response
