A threat actor with the right permissions and credentials can access and collect confidential information of interest right away. One example would be the collection of e-mails. An adversary can use Azure AD registered applications with Mail.Read or Mail.ReadWrite permissions to collect e-mails from a signed-in user mailbox or all mailboxes. This would depend on the type of permission (Delegated or Role) granted to the application. In this document, we are going to access the mailbox of a user via an application with Mail.ReadWrite delegated permissions.
- Authorization:
- Resource: Azure Microsoft Graph
- Permission Type: Delegated
- Permissions
- Mail.ReadWrite
- Resource: Azure Microsoft Graph
- Input:
- Microsoft Graph OAuth access token
We need to make sure our access token has permissions to read mail. You can get that information while getting the OAuth access token with a SAML assertion in the previous step
$uri = "https://graph.microsoft.com/v1.0/me/messages"
$header = @{Authorization = "Bearer $OAuthAccessToken"}
$mailbox = Invoke-RestMethod –Uri $uri –Headers $Header –Method GET –ContentType "application/json"
$mailbox
$mailbox.value[0].from
$mailbox.value[0].subject
We do not have to parse the messages in this step. The simple action to access the mailbox generates telemetry that we can aggregate and create detections with.
From a defensive perspective, we can audit access to a mailbox with the MailItemsAccessed mailbox audit action available as part of Exchange mailbox auditing.