https://techcommunity.microsoft.com/t5/exchange-team-blog/contextualizing-attacker-activity-within-sessions-in-exchange/ba-p/608801
https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts
https://learn.microsoft.com/en-us/purview/audit-log-activities
Session ID can help correlate attacker action even when:
- they are using a VPN with many different IP addresses
- they have compromised the corporate VPN
Microsoft are now auditing accesses of mail data by mail protocols and clients with the MailItemsAccessed mailbox-auditing action (https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts)
This will help identify the scope of compromise to specific mail items
If an attacker gained access to a specific piece of mail, Exchange Online audits the event even though there's no indication that the mail item was read.
The MailItemsAccessed action is part of Audit (Standard) functionality.
It's part of Exchange mailbox auditing and is enabled by default for users that are assigned an Office 365 E3/E5 or Microsoft 365 E3/E5 license.
Sync:
- Sync are actions recorded when the mailbox is accessed by a desktop version of Outlook. The client downloads a lage set of mail items.
- Instead of generating an audit record for each mail item that's synched, we generate an audit event for the mail folder containing items that were synched and assume that all mail items in the synched folder have been compromised. The access type is recorded in the OperationProperties field of the audit record.
Bind:
- Individual access to a mail message
- The InternetMessageId of individual mail messages are recorded in the audit log
- MailItemsAccessed action recordst he bind operations and aggregates into a single audit record
- All bind operations that occur within a 2 minute interval are put into the same audit record in teh folders field with the AuditData property
- The number of bind operations that were aggregated in the record is displayed in the OperationCount field in the AuditData property Source: (https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts)
Using MailItemsAccessed audit records for forensics purposes is typically performed after a data breach has been resolved and the attacker has been evicted.
To begin your investigation, you should identify the set of mailboxes that they've been compromised and determine the time frame when attacker had access to mailboxes in your organization.
Then, you can use the Search-UnifiedAuditLog or Search-MailboxAuditLog cmdlets in Exchange Online PowerShell to search audit records that correspond to the data breach.
Use the PowerShell below to query. One primary difference between these two cmdlets in that you can use the Search-UnifiedAuditLog cmdlet to search for audit records for activity performed by one or more users. That's because UserIds is a multi-value parameter. The Search-MailboxAuditLog cmdlet searches the mailbox audit log for a single user.
Search-UnifiedAuditLog -StartDate 01/06/2020 -EndDate 01/20/2020 -UserIds <user1,user2> -Operations MailItemsAccessed -ResultSize 1000Search-MailboxAuditLog -Identity <user> -StartDate 01/06/2020 -EndDate 01/20/2020 -Operations MailItemsAccessed -ResultSize 1000 -ShowDetails