The MailItemsAccessed Throttling rule detects potential adversary behavior involving excessive or unusual access to mailbox items, which may indicate reconnaissance or data exfiltration attempts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromises associated with advanced threats like Nobelium.
KQL Query
```kql
let starttime = 1d;
CloudAppEvents
| where Timestamp between (startofday(ago(starttime))..now())
| where ActionType == "MailItemsAccessed"
| extend isThrottled=RawEventData['OperationProperties'][1]
| where isnotempty(RawEventData['ClientAppId']) and isThrottled has "True" and RawEventData['AppId'] has "00000003-0000-0000-c000-000000000000" // Microsoft Graph API AppId
| project Timestamp, RawEventData['OrganizationId'], AccountObjectId, UserAgent
```
```yaml
id: 67c763f7-c4fd-4b0f-9d4b-19246d1ec6d7
name: MailItemsAccessed Throttling [Nobelium]
description: |
  The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft Defender XDR. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription.
  If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online will stop generating auditing records for MailItemsAccessed activity. When a mailbox is throttled, MailItemsAccessed activity will not be logged for 24 hours after the mailbox was throttled. If this occurs, there's a potential that the mailbox could have been compromised during this period. The recording of MailItemsAccessed activity will be resumed following a 24-hour period.
  The query looks for MailItemsAccessed throttling events where the operation was performed by a client application.
  See "The MailItemsAccessed mailbox auditing action".
  Reference - https://docs.microsoft.com/microsoft-365/compliance/mailitemsaccessed-forensics-investigations?view=o365-worldwide#the-mailitemsaccessed-mailbox-auditing-action
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Exfiltration
tags:
  - Nobelium
query: |
  let starttime = 1d;
  CloudAppEvents
  | where Timestamp between (startofday(ago(starttime))..now())
  | where ActionType == "MailItemsAccessed"
  | extend isThrottled=RawEventData['OperationProperties'][1]
  | where isnotempty(RawEventData['ClientAppId']) and isThrottled has "True" and RawEventData['AppId'] has "00000003-0000-0000-c000-000000000000" // Microsoft Graph API AppId
  | project Timestamp, RawEventData['OrganizationId'], AccountObjectId, UserAgent
```
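The same filtering logic as the rule's KQL, written in Python over constructed CloudAppEvents-style rows so the matching conditions can be stepped through offline. This is an added illustration, not part of the original rule or of Microsoft's code: the column names follow the query (Timestamp, ActionType, AccountObjectId, UserAgent, RawEventData), while every tenant id, user id, ClientAppId, timestamp and user agent is made up. It also contrasts the query's positional `OperationProperties[1]` accessor with a lookup of the `IsThrottled` property by name, which would still match if the property order in a record differed.

```python
import json
from datetime import datetime, timezone

# AppId the rule keys on: Microsoft Graph (commented as the Graph API Id in the query).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Stand-in for startofday(ago(1d)) with "now" fixed at 2024-01-15 (constructed value).
WINDOW_START = datetime(2024, 1, 14, tzinfo=timezone.utc)


def _event(ts, account, client_app, app_id, props, org="tenant-aaaa"):
    """Build one constructed CloudAppEvents-style row; RawEventData is JSON text."""
    return {
        "Timestamp": ts,
        "ActionType": "MailItemsAccessed",
        "AccountObjectId": account,
        "UserAgent": "Constructed-Client/1.0",
        "RawEventData": json.dumps({
            "OrganizationId": org,
            "ClientAppId": client_app,
            "AppId": app_id,
            "OperationProperties": props,
        }),
    }


THROTTLED = [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "True"}]
NOT_THROTTLED = [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}]
THROTTLED_REORDERED = list(reversed(THROTTLED))  # IsThrottled sits at index 0, not 1

# All ids below are made up; comments say what the rule should do with each row.
SAMPLE_EVENTS = [
    _event("2024-01-15T03:12:44Z", "user-0001", "app-1234", GRAPH_APP_ID, THROTTLED),        # hit
    _event("2024-01-15T03:13:02Z", "user-0002", "app-1234", GRAPH_APP_ID, NOT_THROTTLED),    # not throttled
    _event("2024-01-15T03:14:10Z", "user-0003", "app-5678",
           "11111111-2222-3333-4444-555555555555", THROTTLED),                               # not Graph
    _event("2024-01-15T03:15:00Z", "user-0004", "", GRAPH_APP_ID, THROTTLED),                # no ClientAppId
    _event("2024-01-15T03:16:30Z", "user-0005", "app-9999", GRAPH_APP_ID, THROTTLED_REORDERED),  # hit by name only
    _event("2024-01-10T09:00:00Z", "user-0006", "app-1234", GRAPH_APP_ID, THROTTLED),        # outside window
]


def _raw(event):
    """RawEventData arrives as JSON text here; accept an already-parsed dict too."""
    raw = event["RawEventData"]
    return json.loads(raw) if isinstance(raw, str) else raw


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_throttled(raw):
    """Look the IsThrottled property up by Name, independent of its array position."""
    for prop in raw.get("OperationProperties") or []:
        if str(prop.get("Name", "")).lower() == "isthrottled":
            return str(prop.get("Value", "")).lower() == "true"
    return False


def is_throttled_positional(raw):
    """The rule's own logic: OperationProperties[1] has "True"."""
    props = raw.get("OperationProperties") or []
    return len(props) > 1 and str(props[1].get("Value", "")).lower() == "true"


def matches_rule(event, window_start=WINDOW_START, throttle_check=is_throttled):
    """Mirror the query's where clauses for one row."""
    if event.get("ActionType") != "MailItemsAccessed":
        return False
    if _parse_ts(event["Timestamp"]) < window_start:
        return False
    raw = _raw(event)
    return (bool(raw.get("ClientAppId"))                       # isnotempty(ClientAppId)
            and throttle_check(raw)                             # isThrottled has "True"
            and str(raw.get("AppId", "")).lower() == GRAPH_APP_ID)


def run_query(events, window_start=WINDOW_START, throttle_check=is_throttled):
    """Filter like the KQL, then project the same columns the rule projects."""
    hits = []
    for event in events:
        if matches_rule(event, window_start, throttle_check):
            raw = _raw(event)
            hits.append({
                "Timestamp": event["Timestamp"],
                "OrganizationId": raw.get("OrganizationId"),
                "AccountObjectId": event["AccountObjectId"],
                "UserAgent": event["UserAgent"],
            })
    return hits


if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two hits (user-0001 and user-0005); passing `throttle_check=is_throttled_positional` to `run_query` reproduces the rule's positional behaviour and returns only user-0001, which is the case to keep in mind if the `[1]` accessor is ever relied on against records whose property order is not guaranteed.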
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
- Scenario: A system administrator accesses mailbox audit logs using Microsoft 365 Security & Compliance Center to review user activity for compliance purposes.
  Filter/Exclusion: Exclude access events where the user is a Global Administrator or has the Mailbox Audit Log Reader role.
- Scenario: A Power Automate flow is configured to automatically process incoming emails and access mailbox items as part of a data ingestion process.
  Filter/Exclusion: Exclude events where the UserAgent or ClientIP matches known Power Automate or Microsoft Flow infrastructure IPs.
- Scenario: A scheduled mailbox export job (e.g., using Exchange Online PowerShell or Microsoft Graph API) runs nightly to archive old emails.
  Filter/Exclusion: Exclude events where the Operation is “ExportMailbox” or where the UserAgent includes “Microsoft.Exchange.Export”.
- Scenario: A Microsoft Teams meeting recording is accessed by a user to review a past session, triggering mailbox access through the Teams client.
  Filter/Exclusion: Exclude events where the ClientApplication is “Microsoft Teams” and the Operation is related to “meeting recording retrieval”.
- Scenario: An Exchange Online admin uses Exchange Admin Center (EAC) to manually review mailbox access logs for troubleshooting.
  Filter/Exclusion: Exclude events where the User has the Exchange Admin role or the Operation is “AuditLogSearch”.