Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
27 lines (25 sloc) 1.1 KB
id: 0a8f410d-38b5-4d75-90da-32b472b97230
name: Non-owner mailbox login activity
description: |
'This will help you determine if mailbox access observed with Admin/Delegate Logontype.
The logon type indicates mailbox accessed from non-owner user. Exchange allows Admin
and delegate permissions to access other user's inbox.
If your organization has valid admin, delegate access given to users, you can whitelist those and investigate other results.
References: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#logontype'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1114
- T1020
query: |
let timeframe = 1d;
OfficeActivity
| where TimeGenerated >= ago(timeframe)
| where Operation == "MailboxLogin" and Logon_Type != "Owner"
| summarize count(), min(TimeGenerated), max(TimeGenerated) by Operation, OrganizationName, UserType, UserId, MailboxOwnerUPN, Logon_Type
| extend timestamp = min_TimeGenerated, AccountCustomEntity = UserId
You can’t perform that action at this time.