Paul Robichaux’s recent article describing five errors Microsoft made that led to the Storm-0558 attack made me think about the MailItemsAccessed event. This was the first “premium” or high-value audit event launched by Microsoft in an attempt to monetize auditing through the introduction of what is now Microsoft Purview Audit (Premium) (aka Microsoft 365 advanced auditing). Purview Audit Premium is included in Office 365 E5 and Microsoft 365 E5 and other add-on licenses. Purview Audit Standard is available to Office 365 E3 and Microsoft 365 E3 customers.
In his article, Paul points out that tenant administrators for a federal executive civilian branch agency noted unusual activity captured in MailItemsAccessed events. Exchange Online captures these events (Figure 1) when messages in mailboxes belonging to licensed accounts are accessed. Knowing that someone (or some process) other than the owner accessed messages in a mailbox is a good indication that something’s wrong.
Figure 1: Details of a MailItemsAccessed audit event
To emphasize how important MailItemsAccessed events can be, Microsoft’s documentation explains how to use the events in a forensic investigation. This is probably how some of the Storm-0558 infiltration was detected. According to a Cybersecurity and Infrastructure Security Agency (CISA) report analyzing Storm-0558, “The affected FCEB agency identified suspicious activity by leveraging enhanced logging—specifically of MailItemsAccessed events—and an established baseline of normal Outlook activity (e.g., expected AppID). The MailItemsAccessed event enables detection of otherwise difficult to detect adversarial activity.”
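The baseline approach the CISA report describes, worked through as an added example (this is not code from the article, from CISA or from Microsoft’s documentation): pull a week of MailItemsAccessed events from the unified audit log and flag any access by an application id that is not on the tenant’s list of expected apps. It assumes an existing Exchange Online PowerShell session, and the two app ids in the baseline are placeholders to be replaced with the ids observed in your own tenant.

```powershell
# Added example: MailItemsAccessed events versus a baseline of expected AppIds.
# Assumes Connect-ExchangeOnline has already been run. The baseline ids are
# placeholders; build the real list from the apps your users normally run.
$ExpectedAppIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: Outlook desktop/mobile
    '00000000-0000-0000-0000-000000000002'    # placeholder: approved archiving service
)
$StartDate = (Get-Date).AddDays(-7)
$EndDate   = Get-Date

# Page through the results: ReturnLargeSet keeps handing back 5,000-record
# batches for the same SessionId until nothing is left.
$SessionId = "MailItemsAccessed-$(Get-Date -Format 'yyyyMMddHHmmss')"
$Records = [System.Collections.Generic.List[object]]::new()
Do {
    $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    If ($Batch) { $Records.AddRange([object[]]$Batch) }
} While ($Batch)

# AuditData is a JSON payload; the AppId inside it identifies the calling app.
# A record with no AppId at all is also kept for review rather than silently dropped.
$Findings = ForEach ($Rec in $Records) {
    $Data = $Rec.AuditData | ConvertFrom-Json
    If ($Data.AppId -notin $ExpectedAppIds) {
        [PSCustomObject]@{
            Time        = $Data.CreationTime
            Mailbox     = $Data.UserId
            AppId       = $Data.AppId
            ClientAppId = $Data.ClientAppId
            Client      = $Data.ClientInfoString
            AccessType  = $Data.MailAccessType    # Bind (individual items) or Sync
            Operations  = $Data.OperationCount    # items touched in this aggregated event
            Throttled   = $Data.IsThrottled       # true means events were capped that day
            ClientIP    = $Data.ClientIPAddress
        }
    }
}
$Findings | Sort-Object Time | Format-Table -AutoSize
```

A non-empty result is a triage list, not a verdict: a new but legitimate client shows up the same way, so confirm each unknown AppId against the tenant’s app registrations before treating it as hostile.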
The Cost of Security
As Paul notes, some organizations don’t use MailItemsAccessed because they don’t want to pay for enhanced auditing. Although avoiding cost is a reasonable perspective, it does raise the question of why Microsoft insists that customers pay extra to log events that are so important for the investigation of potential incidents. Some feel it’s an example of extracting additional revenue from a captive market. After all, the 400 million Office 365 monthly active users don’t exactly have a choice of auditing provider.
On July 19, Microsoft decided that it was best to reverse course and announced that they would make enhanced logging available to Office 365 E3/Microsoft 365 E3 tenants, saying “customers will receive deeper visibility into security data, including detailed logs of email access and more than 30 other types of log data previously only available at the Microsoft Purview Audit (Premium) subscription level. In addition to new logging events becoming available, Microsoft is also increasing the default retention period for Audit Standard customers from 90 days to 180 days.”
Audit Updates Coming in September 2023
According to Microsoft, the updates that expose the additional audit events and increase audit event retention to 180 days will reach all commercial and government customers during September 2023. The update hasn’t reached my tenant yet: any attempt to enable the MailItemsAccessed event for a mailbox with an Office 365 E3 license fails as follows:
Set-Mailbox -Identity Lotte.Vetler -AuditOwner @{Add="MailItemsAccessed"}
Set-Mailbox: |Microsoft.Exchange.Management.Tasks.RecipientTaskException|Auditing of MailItemsAccessed event is only available for users with appropriate license. Please visit the documentation to know more about this.
Microsoft hasn’t said whether, when the update lands, they will retrospectively enable the MailItemsAccessed event for mailboxes with Office 365 E3 or Microsoft 365 E3 licenses. It’s entirely possible that Microsoft will not update the audit configurations of existing mailboxes to add the MailItemsAccessed event. We also don’t know if Microsoft will enable new mailboxes for the event in the same way that they enable the event automatically for mailboxes licensed for Purview Audit Premium. An arguable case exists that managing mailbox audit configurations is an operation best left to tenants, especially if tenants use non-standard mailbox auditing configurations.
My advice is to take control of the situation and:
Check that mailbox auditing is enabled for all mailboxes. This note in Microsoft’s documentation implies that mailboxes covered by Purview Audit Standard still need auditing enabled explicitly before mailbox audit events flow from Exchange Online to the unified audit log. This was certainly the case in the past, but a quick test with a new mailbox created today saw mailbox events appear in the unified audit log. In any case, it’s best to be sure.
Include the MailItemsAccessed event in the audit configuration for all mailboxes. Some years ago, I wrote a script to make sure that auditing was enabled for all mailboxes. It is easy to adapt the script to update mailbox audit configuration with the MailItemsAccessed event.
Consider a more automated approach to maintaining mailbox audit configurations. A scheduled PowerShell runbook managed by Azure Automation is a mechanism well suited to this kind of task. If the runbook runs weekly, the user accounts created during the last week can be found with code like this:
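The three steps above (check auditing is on, add MailItemsAccessed, do it on a schedule for newly created mailboxes) combined into one pass, as an added example rather than the script mentioned in the article. It assumes an Exchange Online PowerShell session, a weekly cadence (so a seven-day lookback on WhenMailboxCreated), and reports the licensing error the article shows instead of stopping on it.

```powershell
# Added example (not the article's script): bring mailboxes created in the last
# seven days into line with the advice above. Assumes Connect-ExchangeOnline has run.
$LookbackDays = 7                                   # weekly runbook cadence assumed
$CheckDate = (Get-Date).AddDays(-$LookbackDays)

# Fetch only the audit properties we need; the filter keeps the run cheap in a
# large tenant because the server, not the client, does the date comparison.
[array]$Mailboxes = Get-ExoMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
    -Filter "WhenMailboxCreated -gt '$CheckDate'" `
    -Properties AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin, WhenMailboxCreated

$Report = [System.Collections.Generic.List[object]]::new()
ForEach ($Mbx in $Mailboxes) {
    # Build one Set-Mailbox call per mailbox containing only the fixes it needs.
    $Params = @{ Identity = $Mbx.UserPrincipalName; ErrorAction = 'Stop' }

    # Step 1: auditing must be on for any mailbox events to reach the unified audit log.
    If (-not $Mbx.AuditEnabled) { $Params.AuditEnabled = $true }

    # Step 2: MailItemsAccessed is valid for owner, delegate and admin logons; add it
    # wherever it is missing. @{Add=...} preserves the existing actions in each set.
    If ($Mbx.AuditOwner    -notcontains 'MailItemsAccessed') { $Params.AuditOwner    = @{Add = 'MailItemsAccessed'} }
    If ($Mbx.AuditDelegate -notcontains 'MailItemsAccessed') { $Params.AuditDelegate = @{Add = 'MailItemsAccessed'} }
    If ($Mbx.AuditAdmin    -notcontains 'MailItemsAccessed') { $Params.AuditAdmin    = @{Add = 'MailItemsAccessed'} }

    If ($Params.Count -eq 2) {                      # only Identity and ErrorAction: nothing to do
        $Status = 'Already compliant'
    } Else {
        Try   { Set-Mailbox @Params; $Status = 'Updated' }
        # Until the September update lands, E3 mailboxes fail here with the
        # "only available for users with appropriate license" error shown above.
        Catch { $Status = "Failed: $($_.Exception.Message)" }
    }
    $Report.Add([PSCustomObject]@{
        Mailbox = $Mbx.UserPrincipalName
        Created = $Mbx.WhenMailboxCreated
        Status  = $Status
    })
}
$Report | Format-Table -AutoSize
```

Dropping the -Filter and running the same loop over every user mailbox gives the one-off sweep from the first two steps; the weekly filtered run then keeps the configuration from drifting as accounts are added.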
No one likes being caught on the back foot when things go wrong. But if problems occur, it’s good to have as much data as possible. The MailItemsAccessed event increases the amount of information available about what attackers might have done inside Exchange Online mailboxes. That’s one good reason to make sure to capture the events and know how to use them during forensic investigations.
Create a task for yourself to check mailbox audit configurations at the end of September 2023 and make sure that the MailItemsAccessed event is captured. You know it makes sense.
Learn about using Exchange Online and the rest of Office 365 by subscribing to the Office 365 for IT Pros eBook. Use our experience to understand what’s important and how best to protect your tenant.
Hi, can this command only be run through PowerShell? Can I check that in the compliance center when it is GA in my tenant?
Only PowerShell. You must enable it for every mailbox.
I wonder how the Microsoft change impacts this scenario – https://office365itpros.com/2022/08/25/mailbox-audit-events-more-problems/
As I noted in the article, I set up a new E3 mailbox and events appear to flow correctly, so it looks as if Microsoft sorted that issue… But stay vigilant and make sure that audit events flow as you want them to…
Thanks yes, we still have to run scripts weekly to enable Audit for all E3 licensed mailboxes.
Everyone – Remember to consider any downstream systems that are consuming the audit logs via the OfficeActivity feed. SIEM products often charge for the amount of events ingested, and enabling MailAccessed may cause a jump in events and an unexpected bill.
Absolutely true. The MailItemsAccessed event is probably the most prolific event. Expect to generate 30-40 events per user per working day. I can’t offer much guidance for the other events.