← Back to SOC feed Coverage →

Mail item accessed

kql MEDIUM Azure-Sentinel
T1566
CloudAppEvents
huntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

End users accessing a high volume of email items within a short timeframe may indicate reconnaissance or data exfiltration activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or adversary attempts to gather sensitive information.

KQL Query

CloudAppEvents
| where Timestamp > ago(30d)
| extend Record= (parse_json(RawEventData)).RecordType
| where Record == 50
| take 10

Analytic Rule Definition

id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
name: Mail item accessed
description: |
  This query helps reviewing emails accessed by end users using cloud app events data
description-detailed: |
  This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where Timestamp > ago(30d)
  | extend Record= (parse_json(RawEventData)).RecordType
  | where Record == 50
  | take 10
version: 1.0.0

Required Data Sources

Sentinel TableNotes
CloudAppEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/General/Mail item accessed.yaml