OAuth applications accessing user mail via GraphAPI may indicate unauthorized access or data exfiltration by adversaries leveraging compromised credentials. SOC teams should proactively hunt for this behavior to identify potential Nobelium-style attacks that exploit OAuth integrations to access sensitive email data.
KQL Query

```kql
CloudAppEvents
| where Timestamp >= ago(1h)
| where ActionType == "MailItemsAccessed"
| where RawEventData has "00000003-0000-0000-c000-000000000000" // cheap text pre-filter for the Graph AppId before parsing JSON
| where RawEventData has "ClientAppId"                           // only records that carry the calling OAuth app id
| extend rawData = parse_json(RawEventData)
| extend AppId = tostring(parse_json(rawData.AppId))
| where AppId == "00000003-0000-0000-c000-000000000000" // resource accessed is Microsoft Graph
| extend OAuthAppId = tostring(parse_json(rawData.ClientAppId)) // the OAuth application that made the call
| summarize by OAuthAppId
```
```yaml
id: 19cbed50-3554-44ed-b8de-90f275b69c8a
name: OAuth Apps accessing user mail via GraphAPI [Nobelium]
description: |
  This query helps you review all OAuth applications accessing user mail via Graph. It could return a significant number of results depending on how many applications are deployed in the environment.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Exfiltration
tags:
  - Nobelium
query: |
  CloudAppEvents
  | where Timestamp >= ago(1h)
  | where ActionType == "MailItemsAccessed"
  | where RawEventData has "00000003-0000-0000-c000-000000000000" // cheap text pre-filter for the Graph AppId before parsing JSON
  | where RawEventData has "ClientAppId"                           // only records that carry the calling OAuth app id
  | extend rawData = parse_json(RawEventData)
  | extend AppId = tostring(parse_json(rawData.AppId))
  | where AppId == "00000003-0000-0000-c000-000000000000" // resource accessed is Microsoft Graph
  | extend OAuthAppId = tostring(parse_json(rawData.ClientAppId)) // the OAuth application that made the call
  | summarize by OAuthAppId
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled email backup using Microsoft 365 Backup Tools | A legitimate scheduled job using Microsoft 365 Backup Tools (e.g., Veeam, AvePoint) accesses user mail via Graph API to perform backups. | `where activityDisplayName contains "backup" or activityDisplayName contains "backup tool"` |
| Admin task to review user mailbox permissions | An admin uses the Microsoft 365 Admin Center or PowerShell to check mailbox permissions, which may trigger access via Graph API. | `where userPrincipalName contains "admin" or userPrincipalName contains "administrator"` |
| Integration with third-party email archiving service (e.g., Mimecast) | A third-party email archiving service (e.g., Mimecast, Symantec) uses OAuth to access user mail via Graph API for compliance or retention purposes. | `where clientAppDisplayName contains "Mimecast" or clientAppDisplayName contains "Symantec"` |
| User-initiated mailbox migration using Microsoft 365 Migration Wizard | A user or admin initiates a mailbox migration using the Microsoft 365 Migration Wizard, which may involve Graph API access. | `where activityDisplayName contains "migration" or activityDisplayName contains "move mailbox"` |
| Automated report generation using Power BI or Power Automate | A Power BI or Power Automate workflow accesses user mail via Graph API to gather data for reporting purposes. | `where clientAppDisplayName contains "Power BI" or clientAppDisplayName contains "Power Automate"` |
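The following query is an added example, not part of the original hunting query or its YAML. It takes the `MailItemsAccessed` pivot above and adds the triage context a SOC analyst needs to separate a backup, archiving or reporting integration from a suspicious OAuth app: event volume, how many distinct mailboxes each app touched, source IPs and the client info string, over a longer lookback. Rather than matching display-name strings as the scenario table does, it keys the exclusions on the application ID already extracted from `RawEventData`, since that ID is what the base query produces and it does not change when an app is renamed. The three entries in `knownBenignApps` are placeholders to be replaced with the app IDs of the tenant's own integrations; `ClientInfoString` is assumed to be present in the Exchange audit payload and is simply empty when it is not.

```kql
// Added example: enriched version of the MailItemsAccessed hunt with an app-id allow-list.
// Assumptions: CloudAppEvents is connected; the IDs in knownBenignApps are placeholders.
let lookback = 7d;
let graphAppId = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph resource AppId (from the base query)
let knownBenignApps = dynamic([
    "PLACEHOLDER-BACKUP-TOOL-APP-ID",    // e.g. the tenant's Veeam / AvePoint backup app
    "PLACEHOLDER-ARCHIVING-APP-ID",      // e.g. the tenant's Mimecast / Symantec archiving app
    "PLACEHOLDER-POWER-PLATFORM-APP-ID"  // e.g. an approved Power BI / Power Automate flow
]);
CloudAppEvents
| where Timestamp >= ago(lookback)
| where ActionType == "MailItemsAccessed"
// cheap text pre-filters before paying for JSON parsing, as in the base query
| where RawEventData has graphAppId and RawEventData has "ClientAppId"
| extend rawData = parse_json(RawEventData)
| extend AppId = tostring(rawData.AppId)
| where AppId == graphAppId                       // resource accessed is Microsoft Graph
| extend OAuthAppId = tostring(rawData.ClientAppId) // the OAuth application that made the call
| where isnotempty(OAuthAppId) and OAuthAppId !in (knownBenignApps)
// user agent / client string from the Exchange audit record; empty if the field is absent
| extend ClientInfo = tostring(rawData.ClientInfoString)
| summarize
    AccessEvents = count(),
    Mailboxes    = dcount(AccountObjectId),
    SampleUsers  = make_set(AccountDisplayName, 5),
    SourceIPs    = make_set(IPAddress, 10),
    ClientInfos  = make_set(ClientInfo, 5),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp)
    by OAuthAppId
// an app reading many mailboxes from few IPs over a short window is the pattern to review first
| order by Mailboxes desc, AccessEvents desc
```

Triage each remaining `OAuthAppId` in Entra ID (Enterprise applications) to confirm the publisher, the consented permissions and who granted them; once an app is confirmed legitimate, add its ID to `knownBenignApps` instead of widening a string filter.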