Administrators accessing email accounts may indicate potential lateral movement or privilege escalation by adversaries seeking to compromise internal communications. SOC teams should proactively hunt for this behavior to identify unauthorized access attempts and mitigate the risk of data exfiltration or command and control activities.
KQL Query
CloudAppEvents
| where ActionType == "AdminMailAccess"
| extend data = RawEventData["ExtendedProperties"]
// ExtendedProperties is an array of name/value pairs; positions [1] and [2] are assumed to hold the mailbox and the message id
| extend OpenedMailbox = tostring(data[1]["Value"])
| extend OpenedEmail = url_decode(tostring(data[2]["Value"]))
// Keep Timestamp here so the final output carries the admin's access time, not the email's delivery time
| project Timestamp, AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project Timestamp, Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject
| order by Timestamp desc
id: e55e178e-48ba-4313-918a-2d3e16a95441
name: Hunt for Admin email access
description: |
  This query helps report on email access by administrators
description-detailed: |
  This query helps report on email access by administrators using the CloudAppEvents table log information.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1078
query: |
  CloudAppEvents
  | where ActionType == "AdminMailAccess"
  | extend data = RawEventData["ExtendedProperties"]
  // ExtendedProperties is an array of name/value pairs; positions [1] and [2] are assumed to hold the mailbox and the message id
  | extend OpenedMailbox = tostring(data[1]["Value"])
  | extend OpenedEmail = url_decode(tostring(data[2]["Value"]))
  // Keep Timestamp here so the final output carries the admin's access time, not the email's delivery time
  | project Timestamp, AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
  | join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
  | project Timestamp, Actor = AccountDisplayName, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject
  | order by Timestamp desc
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job to Send Daily Reports
Description: A legitimate scheduled job runs daily to send email reports to admin team members.
Filter/Exclusion: Exclude entries where the email action is part of a known scheduled job (e.g., job_name = "Daily_Report_Sender" or task_name = "Send_Daily_Report").
Scenario: Admin User Accessing Email for Support Purposes
Description: An admin user accesses an email account to assist with user support or troubleshooting.
Filter/Exclusion: Exclude access events where the user is an admin and the email account is a support mailbox (e.g., email_address LIKE "%support@%" or user_role = "Support_Admin").
Scenario: Email Integration with Ticketing System
Description: An admin account is used to send emails from a ticketing system (e.g., ServiceNow, Zendesk) to notify users of ticket updates.
Filter/Exclusion: Exclude emails sent from known integration tools (e.g., source_app = "ServiceNow" or integration_tool = "Zendesk_Email_Notification").
Scenario: Email Access for System Monitoring
Description: An admin accesses an email account to monitor system alerts or notifications from monitoring tools like Splunk or Nagios.
Filter/Exclusion: Exclude access events where the email is associated with a monitoring tool (e.g., email_address LIKE "%monitoring@%" or tool_name = "Splunk_Alert_Email").
Scenario: Email Access for Multi-Factor Authentication (MFA) Verification
Description: An admin accesses an email account to receive MFA codes for authentication.
Filter/Exclusion: Exclude access events where the email is used for MFA verification (e.g., action = "MFA_Code_Request" or
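The scenario filters above are written against pseudo-fields (job_name, email_address, user_role, source_app) that do not exist in CloudAppEvents. The KQL below is an added example, not the page's hunting query or Microsoft's code: it expresses the support-mailbox, ticketing-integration and monitoring exclusions against the columns the query actually yields, reads the ExtendedProperties entries by name instead of array position (so a reordering of the array cannot silently swap mailbox and message id), and summarizes per admin per day so that an unusual volume of reads stands out. The property names MailboxOwnerUPN and InternetMessageId, the allowlist values, and the 7-day window are assumptions to be replaced with what a real event in your tenant shows.

```kql
// Added example, not part of the original hunting query or the Azure Sentinel repository.
// Assumptions (verify against a real AdminMailAccess event before use):
//   - RawEventData.ExtendedProperties is an array of {"Name": ..., "Value": ...} objects.
//   - The property names "MailboxOwnerUPN" and "InternetMessageId" are assumed; the original
//     query reads positions [1] and [2] instead. Run the query down to the mv-apply line and
//     project propbag to see the real names in your tenant.
//   - AllowedActors and AllowedMailboxTerms are placeholder allowlist values.
let lookback = 7d;
// Placeholder display names for the ticketing and monitoring scenarios (service/integration accounts)
let AllowedActors = dynamic(["Ticketing Integration", "Monitoring Service"]);
// Placeholder terms for the support and monitoring shared-mailbox scenarios; matched as terms, e.g. support@contoso.com
let AllowedMailboxTerms = dynamic(["support", "monitoring"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "AdminMailAccess"
| extend props = RawEventData["ExtendedProperties"]
// Fold the name/value array into a property bag so fields are read by name, not by position
| mv-apply p = props on (
    summarize propbag = make_bag(bag_pack(tostring(p.Name), p.Value))
  )
| extend OpenedMailbox = tostring(propbag["MailboxOwnerUPN"]),                 // assumed property name
         OpenedEmail   = url_decode(tostring(propbag["InternetMessageId"]))     // assumed property name
| where isnotempty(OpenedEmail)
// Scenario exclusions expressed against real columns
| where AccountDisplayName !in (AllowedActors)
| where not(OpenedMailbox has_any (AllowedMailboxTerms))
// Left Timestamp is the admin's access time; only the message context is pulled from EmailEvents
| join kind=inner (
    EmailEvents
    | project InternetMessageId, SenderFromAddress, RecipientEmailAddress, Subject
  ) on $left.OpenedEmail == $right.InternetMessageId
// Baseline per admin per day: a spike in messages or distinct mailboxes read by one actor is the hunting lead
| summarize AccessedMessages = count(),
            DistinctMailboxes = dcount(OpenedMailbox),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleSubjects = make_set(Subject, 5)
            by Actor = AccountDisplayName, Day = bin(Timestamp, 1d)
| order by AccessedMessages desc
```

To confirm the assumed property names, stop the query after the mv-apply and add `| project propbag | take 5`; the bag keys are the names to use. The per-message rows of the original query can be recovered by replacing the final summarize with the original project, once the exclusions have been tuned against a week of baseline data.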