← Back to Explore
splunk_escuTTP
O365 Mailbox Read Access Granted to Application
The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
Detection Query
`o365_management_activity` Operation="Update application." | eval json_data=mvindex('ModifiedProperties{}.NewValue',0) | eval json_data=replace(json_data,"^\[\s*","") | eval json_data=replace(json_data,"\s*\]$","") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, "810c84a8-4a9e-49e6-bf7d-12d183f40d01") | where isnotnull(match_found) | fillnull | stats count earliest(_time) as firstTime max(_time) as lastTime values(EntitlementIds) as EntitlementIds by signature, user, dest, vendor_account, vendor_product, object, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`Author
Mauricio Velazco, Splunk
Created
2026-03-10
Data Sources
O365 Update application.
References
- https://attack.mitre.org/techniques/T1098/003/
- https://attack.mitre.org/techniques/T1114/002/
- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
- https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://graphpermissions.merill.net/permission/Mail.Read
Tags
Office 365 Persistence Mechanisms
Raw Content
name: O365 Mailbox Read Access Granted to Application
id: 27ab61c5-f08a-438a-b4d3-325e666490b3
version: 8
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- O365 Update application.
description: The following analytic identifies instances where the Mail.Read Graph API permissions are granted to an application registration within an Office 365 tenant. It leverages O365 audit logs, specifically events related to changes in application permissions within the AzureActiveDirectory workload. This activity is significant because the Mail.Read permission allows applications to access and read all emails within a user's mailbox, which often contain sensitive or confidential information. If confirmed malicious, this could lead to data exfiltration, spear-phishing attacks, or further compromise based on the information gathered from the emails.
search: "`o365_management_activity` Operation=\"Update application.\" | eval json_data=mvindex('ModifiedProperties{}.NewValue',0) | eval json_data=replace(json_data,\"^\\[\\s*\",\"\") | eval json_data=replace(json_data,\"\\s*\\]$\",\"\") | spath input=json_data path=RequiredAppPermissions{}.EntitlementId output=EntitlementIds | eval match_found=mvfind(EntitlementIds, \"810c84a8-4a9e-49e6-bf7d-12d183f40d01\") | where isnotnull(match_found) | fillnull | stats count earliest(_time) as firstTime max(_time) as lastTime values(EntitlementIds) as EntitlementIds by signature, user, dest, vendor_account, vendor_product, object, src | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_mailbox_read_access_granted_to_application_filter`"
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
known_false_positives: There are legitimate scenarios in wich an Application registrations requires Mailbox read access. Filter as needed.
references:
- https://attack.mitre.org/techniques/T1098/003/
- https://attack.mitre.org/techniques/T1114/002/
- https://www.mandiant.com/sites/default/files/2022-08/remediation-hardening-strategies-for-m365-defend-against-apt29-white-paper.pdf
- https://www.cisa.gov/sites/default/files/publications/Supply_Chain_Compromise_Detecting_APT_Activity_from_known_TTPs.pdf
- https://learn.microsoft.com/en-us/graph/permissions-reference
- https://graphpermissions.merill.net/permission/Mail.Read
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Application registration $object$ was grandes mailbox read access by $user$
risk_objects:
- field: user
type: user
score: 50
threat_objects: []
tags:
analytic_story:
- Office 365 Persistence Mechanisms
asset_type: O365 Tenant
mitre_attack_id:
- T1098.003
- T1114.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_grant_mail_read/o365_grant_mail_read.log
source: o365
sourcetype: o365:management:activity