Analyzing Office 365 Audit Logs for Compromise
Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
What Is This
The "Analyzing Office 365 Audit Logs for Compromise" skill enables security professionals and developers to programmatically parse and analyze the Office 365 Unified Audit Logs using the Microsoft Graph API. Its primary goal is to detect signs of Business Email Compromise (BEC) and other account takeover scenarios within Microsoft 365 environments. By automating the extraction and parsing of audit log events, this skill helps identify suspicious activities such as unauthorized email forwarding rule creation, changes in inbox delegation, and abnormal OAuth application consents that may indicate a compromised account.
The capability leverages Office 365’s comprehensive audit logging and the modern Microsoft Graph API to systematically search for key compromise indicators. It is designed to support incident response, threat hunting, and proactive security monitoring by providing actionable insights into potential malicious activities targeting user mailboxes and organizational data.
Why Use It
Email is a critical attack vector, and Office 365 is a major target for attackers seeking to compromise business communications. BEC attacks can result in financial fraud, data exposure, and significant business disruption. Attackers frequently manipulate mailbox rules to forward sensitive correspondence or delegate access to malicious actors, and may abuse OAuth consent flows to establish persistent access.
Manual review of audit logs is time-consuming and error-prone, especially in large environments. This skill automates the collection and parsing of high-value audit events, significantly accelerating investigations and improving detection accuracy. By integrating with the Microsoft Graph API, it enables scalable and consistent analysis across all mailboxes and tenants, supporting both ad hoc investigations and continuous monitoring scenarios.
Key benefits include:
- Rapid detection of mailbox rule modifications and forwarding behaviors
- Identification of unauthorized inbox delegations
- Discovery of suspicious OAuth app grants that bypass traditional monitoring
- Support for compliance, incident response, and proactive threat hunting
How to Use It
To use this skill, you need to query the Unified Audit Log via the Microsoft Graph API, process relevant events, and apply detection logic to identify compromise indicators. Below is a step-by-step workflow and a sample code snippet to illustrate the process.
Prerequisites
- Azure AD App Registration with the following application permissions: AuditLog.Read.All, MailboxSettings.Read, Mail.Read
- Python 3.9+ with the requests and msal libraries (or similar)
- Sufficient privileges in the Office 365 tenant
Step 1: Authenticate to Microsoft Graph API

```python
import msal

CLIENT_ID = 'your-client-id'
CLIENT_SECRET = 'your-client-secret'
TENANT_ID = 'your-tenant-id'
AUTHORITY = f'https://login.microsoftonline.com/{TENANT_ID}'
SCOPE = ['https://graph.microsoft.com/.default']  # use the app's granted application permissions

app = msal.ConfidentialClientApplication(
    CLIENT_ID, authority=AUTHORITY, client_credential=CLIENT_SECRET
)
result = app.acquire_token_for_client(scopes=SCOPE)
if 'access_token' not in result:
    # MSAL returns an error payload instead of raising on failure
    raise SystemExit(f"Token request failed: {result.get('error_description')}")
access_token = result['access_token']
```

Step 2: Query Unified Audit Log
You can filter for specific event types, such as "New-InboxRule", "Set-Mailbox", or "Add-MailboxPermission", which are often associated with BEC tactics.
```python
import requests

headers = {'Authorization': f'Bearer {access_token}'}
# Sign-in events for the accounts under investigation. Mailbox audit events
# (New-InboxRule, Set-Mailbox, ...) are not served by this endpoint; use the
# security API or the Office 365 Management Activity API endpoint for those.
url = 'https://graph.microsoft.com/v1.0/auditLogs/signIns'
events = []
while url:
    response = requests.get(url, headers=headers, timeout=30)
    response.raise_for_status()
    page = response.json()
    events.extend(page.get('value', []))
    url = page.get('@odata.nextLink')  # follow Graph pagination until exhausted
data = {'value': events}
```

Step 3: Parse and Analyze Events
Focus on audit events such as:
- Inbox rule creation or modification (New-InboxRule, Set-InboxRule)
- Mail forwarding settings (Set-Mailbox)
- Mailbox delegation changes (Add-MailboxPermission, Set-MailboxPermission)
- Abnormal OAuth app consent grants (ConsentToApp)
Example code for detecting suspicious forwarding rules and OAuth consent events:

```python
def flag_events(data):
    """Return (reason, event) pairs for operations commonly tied to BEC."""
    flagged = []
    for event in data['value']:
        operation = event.get('operation')
        parameters = event.get('parameters', {})
        if operation in ('New-InboxRule', 'Set-InboxRule'):
            if 'ForwardTo' in parameters or 'RedirectTo' in parameters:
                flagged.append(('Suspicious forwarding rule detected', event))
        elif operation == 'ConsentToApp':
            # Review OAuth app details for known abuse patterns
            flagged.append(('OAuth consent event', event))
    return flagged

for reason, event in flag_events(data):
    print(f"{reason}: {event}")
```

Step 4: Investigate and Respond
Investigate flagged events by correlating with user activity, sign-in logs, and external threat intelligence. Remove malicious rules, revoke delegated access, and reset affected credentials as necessary.
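As an added example (not code from the original page), the Step 3 detection logic extended to cover all four indicator types from the Step 3 list and run over constructed Unified Audit Log records. It assumes the Name/Value parameter list layout of the Office 365 Management Activity API export, a tenant mail domain of contoso.example, and the page's ConsentToApp operation name; only forwarding to addresses outside the tenant domain is flagged.

```python
TENANT_DOMAIN = "contoso.example"  # assumption: the organisation's own mail domain
# Parameters that send mail elsewhere when set on an inbox rule or a mailbox.
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records; the Name/Value parameter list mirrors the
# Office 365 Management Activity API export format (assumption).
SAMPLE_RECORDS = [
    {"UserId": "alice@contoso.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@contoso.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@contoso.example"}]},
    {"UserId": "admin@contoso.example", "Operation": "Add-MailboxPermission",
     "Parameters": [{"Name": "Identity", "Value": "ceo"},
                    {"Name": "User", "Value": "temp@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"UserId": "carol@contoso.example", "Operation": "ConsentToApp",
     "Parameters": [{"Name": "AppDisplayName", "Value": "Mail Sync Helper"}]},
]

def params_to_dict(record):
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(target):
    """True when a forwarding target is an address outside TENANT_DOMAIN."""
    addr = target.lower().removeprefix("smtp:")
    return "@" in addr and not addr.endswith("@" + TENANT_DOMAIN)

def analyze(records):
    """Return (UserId, Operation, reasons) for each record that needs review."""
    findings = []
    for rec in records:
        op, params, reasons = rec.get("Operation"), params_to_dict(rec), []
        if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            for name in sorted(FORWARD_PARAMS.intersection(params)):
                if is_external(params[name]):
                    reasons.append(f"{name} sends mail to external address {params[name]}")
            if params.get("DeleteMessage") == "True":
                reasons.append("rule deletes matching messages, hiding them from the owner")
        elif op in ("Add-MailboxPermission", "Set-MailboxPermission") and "FullAccess" in params.get("AccessRights", ""):
            reasons.append(f"FullAccess on {params.get('Identity')} granted to {params.get('User')}")
        elif op == "ConsentToApp":
            reasons.append(f"OAuth consent to app '{params.get('AppDisplayName')}'; review its permissions")
        if reasons:
            findings.append((rec.get("UserId"), op, reasons))
    return findings
```

Internal forwarding (bob's Set-Mailbox record) produces no finding, so the three findings returned are the external forward-and-delete rule, the FullAccess delegation, and the OAuth consent.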
When to Use It
- During investigations of suspected BEC or account takeover incidents within Office 365
- When conducting proactive threat hunting or periodic compromise assessments
- To validate and enhance security monitoring for mailbox rule changes, forwarding, and OAuth consent flows
- As part of security operations center (SOC) workflows and automation pipelines
- When developing detection rules or custom alerting for Office 365 environments
Important Notes
- Ensure your Azure AD app has the required permissions and is restricted to authorized users only.
- The Microsoft Graph API may have rate limits. Implement appropriate error handling and batching for large environments.
- Audit log retention in Office 365 may vary based on licensing. Retrieve and analyze logs promptly.
- Not all mailbox actions are audited by default. Review your organization's audit log policies and ensure appropriate logging is enabled.
- Always validate flagged events in context. Some mailbox rule changes or OAuth consents may be legitimate.
- Stay updated with Microsoft’s official documentation, as API endpoints and event schemas may evolve.
By mastering this skill, you can significantly improve your organization’s ability to detect, investigate, and respond to account compromise threats in Office 365.