Microsoft has released information on its Advanced Audit techniques used in its Microsoft 365 platform. The tools are impressive. First, it allows firms to retain audit logs in all Exchange, SharePoint and Azure Active Directory audit records for one year with the ability to increase that audit log retention for 10 years with a license add-on. This 10-year retention will allow firms to perform investigations and respond to regulatory, legal, and internal obligations. All other audit logs will be retained for 90 days as a default.
MailItemsAccessed log event replaces MessageBind
When an intrusion occurs, the first question asked is: What did the attacker have access to? Microsoft has exposed the “MailItemsAccessed” event that can help you determine if an attacker gained access to sensitive information and the extent of the breach. If an attacker merely gained access to email messages, the MailItemsAccessed will be triggered even if there is no overt evidence that the attacker read the email.
MailItemsAccessed replaces the old MessageBind event logging and exposes delegate or owner actions on a mailbox. It also exposes actions taken by a syncing event, not just a mail client event. If the intrusion is through a third-party sync application, you will be able to review that access as well. MailItemsAccessed events are also less noisy in your logging than with MessageBind.
Look for mailbox throttling
If you believe your mailboxes have been compromised, check if the mailbox has been throttled, which would mean that the system won’t have complete audit logs available to you. Search through the unified audit log to determine if you have any throttled periods to review:
Search-UnifiedAuditLog -StartDate 02/01/2021 -EndDate 02/02/2021 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000 | Where {$_.AuditData -like '*"IsThrottled","Value":"True"*'} | FL
Look for sync or bind activities
Next, review for any sync or bind activities that may have occurred during this time. Microsoft’s documentation has more information on these processes.
Given the numerous Microsoft 365 links, I recommend bookmarking the community site listing of all the key administrator portals used by Microsoft services. Find the link to the Microsoft 365 compliance center and log in with global administrator rights. Scroll down to the “Solutions” section and click on the “Audit” section. On the right side of the pane is the audit log search tool. Choose “Accessed mailbox items” in the “Exchange mailbox activities” drop-down menu.
Susan BradleyThe resulting search will provide you information regarding what IP address accessed the InternetMessageID and at what time. From this you should be able to review the MessageIDs and what potential attachments were also accessed by the attackers.
Susan BradleyYou can use the same interface to review sent messages. Once again, use the audit log search tool and this time use the “Sent” message to review those items and to narrow down what the attackers viewed or accessed through your sent folders.
If you’ve been tracking the various tools and resources for the SolarWinds attacks, you will notice that many of these scripts look for the MailItemsAccessed and report on it. For example, in the CISA’s Sparrow script the following PowerShell section includes a query that looks for mailaccessed items.
If ($AppIdInvestigation -eq "Yes"){
If ($LicenseAnswer -eq "Yes"){
#Searches for the AppID to see if it accessed mail items.
Write-Verbose "Searching for $SusAppId in the MailItemsAccessed operation in the UAL."
$SusMailItems = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 5000 -FreeText $SusAppId -Verbose | Select-Object -ExpandProperty AuditData | Convertfrom-Json
#You can modify the resultant CSV output by changing the -CsvName parameter
#By default, it will show up as MailItems_Operations_Export.csv
Export-UALData -ExportDir $ExportDir -UALInput $SusMailItems -CsvName "MailItems_Operations_Export" -WorkloadType "EXO"
} else {
Write-Host "MailItemsAccessed query will be skipped as it is not present without an E5/G5 license."
Why Advanced Audit should be part of all license levels
Security is always a balance between needs and budgets, between costs and licensing fees. Microsoft is becoming the de facto leader in security both in terms of solutions and revenues generated. That leadership is also building a divide between the haves and have nots—or rather, those who have the proper E5 or G5 licensing for the tools and those who don’t.
Exchange expert Tony Redmond wrote in March 2020 that this auditing item has been a long time coming. However, I disagree with his viewpoint that the need for making the MailItemsAccessed event a premium security event that businesses must pay per user for is appropriate. Given the increasing attacks on cloud properties, auditing and logging should be built into the platform and not a premium item. While I may not always need these events, I need them available when an intrusion occurs to investigate what happened in my environment.
Microsoft states that we should “assume breach”. They need to assume we will be breached as well and ensure that the foundational resources for investigation are included with the basic Microsoft 365 that is provided to even the most basic of customers. It is not enough that these resources are available to be purchased; they should be included in the product natively.
The normal auditing on Exchange without an E5 license includes tracking update, movetodeleteditems, softdelete, harddelete, updatefolderpermissions, updateinboxrules, and updatecalendardelegation. As Joe Stocker wrote, “Without MailItemsAccessed, we could only say that the attacker had the capability of accessing all mailbox contents, but we couldn’t say which exact emails were accessed.” Without this key auditing tool, you may not be able to narrow the focus and better limit your investigation and determine the impact on your organization.
Review your needs for these advanced auditing techniques and determine if your organization needs the ability to identify exactly what the attackers accessed in your environment. You may need additional licenses to narrow your investigations.