Enable the MailItemsAccessed Event for Exchange Online Mailboxes

Recent details released about the Storm-0558 attack on sensitive U.S. agencies revealed the importance of the MailItemsAccessed event for forensic investigations. Luckily, after Microsoft was a tad embarrassed by that attack, tenants with Office 365 E3 or Microsoft 365 E3 licenses can capture the MailItemsAccessed event for mailboxes without having to pay for Microsoft Purview Audit Premium. But you might have to do a little work to ensure that the right audit configuration is used for all mailboxes.

How to Report MailItemsAccessed Audit Events

Microsoft has released information about high-value Office 365 audit events and audit event retention policies. Both are part of a Microsoft 365 Advanced Audit offering. The MailItemsAccessed event is the first high-value audit event (we can expect more) and the retention policies are used to purge unneeded events from the Office 365 audit log.

What’s Happening with the MailItemsAccessed Audit Event

Microsoft launched the MailItemsAccessed audit event (to capture when email is opened) in January, reversed the roll-out in April, and now might restart it sometime in Q3. It’s an odd situation that isn’t really explained by a statement from Microsoft. Are they going to charge extra for this audit event? Will they be analyzing the events? Or does Office 365 capture too many mail items accessed events daily?

Microsoft Halts Deployment of MailItemsAccessed Audit Records

Announced in January, paused in March – that’s the fate of the MailItemsAccessed audit record generated by Exchange Online for the Office 365 audit log. Microsoft found some problems that they are fixing, which is good (because you want audit data to be reliable). And when the fixes are available, the deployment of the new audit record will restart.