{
	"id": "ac0a5cdb-1a69-4390-a584-f46382519c8e",
	"created_at": "2026-04-06T00:07:34.888031Z",
	"updated_at": "2026-04-10T03:20:23.937616Z",
	"deleted_at": null,
	"sha1_hash": "6d9fc7547b3a72889bbde580ee071d98fb736eca",
	"title": "Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215195,
	"plain_text": "Hiding in Plain Sight: Using the Office 365 Activities API to\r\nInvestigate Business Email Compromises\r\nBy CrowdStrike Services Group\r\nArchived: 2026-04-05 21:58:46 UTC\r\nUpdate: While this blog post originally covered the Office 365 Activities API, that functionality has been disabled\r\nby Microsoft as of Friday, June 6, 2018. However, there are still data sources available within O365 to help\r\ninvestigate business email compromises (BECs). Please stay tuned for an updated blog post to address alternate\r\nmethods for detecting and responding to BECs.\r\nIntroduction\r\nBusiness email compromises (BECs) are a big problem across a multitude of industries. Just last week, the FBI\r\nparticipated in an international BEC takedown, arresting 74 individuals across the United States, Nigeria, Canada,\r\nMauritius and Poland. In 2016, the Internet Crime Complaint Center (IC3) named BEC \"the $3.1 Billion Scam\",\r\nwith some predicting losses to exceed $9 Billion in 2018. In May 2018, the Ghanaian Police Intelligence Unit\r\narrested 42\r\nNigerians and two Ghanaians for committing \"cyber fraud and robbery\" related to BEC activity. Of course, the\r\nvast majority of BEC incidents do not end in arrests and convictions. In fact, the barriers to prosecution account in\r\nlarge part for the rampant growth of BEC crimes. In the course of the CrowdStrike® Services team's investigative\r\nwork responding to BEC cases, we recently discovered a capability within Office 365 that allows for the retrieval\r\nof Outlook mailbox activity logs that far exceeds the granularity provided by existing, documented Office 365 log\r\nsources, such as the Unified Audit Log. This capability represents access to an always-on, mailbox activity\r\nrecording system that is active by default for all users. This blog details CrowdStrike's knowledge of and\r\nexperience with this remarkable Office 365 logging capability. 
This capability consists of a web API that uses\r\nExchange Web Services (EWS) to retrieve Office 365 Outlook mailbox activities. The API can be accessed by\r\nanyone with knowledge of the API endpoint and a specific HTTP header. Activities are recorded for all users and\r\nare retained for up to six months. There are many activity types, including logins, message deliveries, message\r\nreads, and mailbox searches. It is possible to acquire mailbox activities for specific time ranges and activity types.\r\nThere are also some drawbacks to the API, such as the apparent inability to directly link activities to client\r\nsessions. Despite this, the API still provides enough detail to allow for the rapid identification of attacker activity,\r\nunder most circumstances. (NOTE: In conjunction with this article, CrowdStrike is releasing a Python module that\r\nwraps the basic functionality of the Activities API. See the Python Module section below for full details.) Threat\r\nactors, such as Nigerian confraternities, often adhere to standardized playbooks when engaging in business email\r\nintrusions. The initial avenues of entry often consist of phishing emails that contain links to web-based credential\r\nstealers appearing to victims as legitimate Office 365 login forms, but occasionally leveraging keyloggers to\r\ncapture credentials. These threat actors use the stolen credentials to log into the victims' mailboxes and begin\r\ncollecting intelligence by issuing search queries and reading emails. The threat actors typically identify key\r\nhttps://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/\r\nPage 1 of 11\n\nexecutives and employees involved in financial transactions such as wire transfers, and monitor their activity for\r\nperiods ranging from weeks to months. Once the threat actors feel comfortable, they insert themselves into email\r\nconversations to conduct fraud. 
They often start by initiating wire transfer requests with smaller dollar\r\namounts and working their way up. CrowdStrike has observed unauthorized wire transfer attempts ranging from\r\nthousands of dollars to as high as nearly fifteen million dollars. We've also seen these threat actors use the same\r\naccess to conduct other forms of BEC fraud, such as redirecting payroll, emptying 401k accounts, and clearing out\r\nmedical savings accounts.\r\nAs you will see, the techniques, tactics, and procedures (TTPs) employed by these threat actors can be discovered\r\nby analyzing the data returned from this powerful Office 365 API.\r\nAccessing the API\r\nWithin the Outlook REST API, there is an undocumented API subset known as Activities. This API subset is\r\nincluded in all three versions (v1.0, v2.0, and beta) of the Outlook REST API. This article focuses primarily on the\r\nv2.0 implementation. As with other subsets, calls to the Activities API must be authenticated using a supported\r\nmethod — OAuth 2.0 or Basic Authentication. (Note that Microsoft will no longer support Basic Authentication in\r\nthe Outlook REST API beginning on November 1, 2018.) If you intend to authenticate with OAuth 2.0, you can\r\naccess the Activities API using any version of the Outlook REST API. All of the examples in this article use\r\nOutlook REST API v2.0 at the following endpoint:\r\nhttps://outlook.office.com/api/v2.0/{user_context}/Activities\r\nIf you intend to authenticate with Basic\r\nAuthentication, you can access the API using Outlook REST API v1.0 at the following endpoint:\r\nhttps://outlook.office365.com/api/v1.0/{user_context}/Activities\r\nAll requests to the Activities API are\r\nissued via the HTTP GET method and must include the following HTTP header. Requests sent without this header\r\nwill result in an HTTP 400 Bad Request response.\r\nPrefer: exchange.behavior=\"ActivityAccess\"\r\nAll requests to the Activities API must include an Authorization header. 
Requests that do not include a valid\r\ncredential will result in an HTTP 403 Unauthorized response. In the case of OAuth 2.0, use the Bearer scheme.\r\nAuthorization: Bearer \u003caccess token\u003e\r\nFor testing purposes, you can generate an OAuth 2.0 access token at the Outlook Dev Center – OAuth Sandbox.\r\nAuthorize the application using a valid Office 365 credential and then proceed to acquire tokens. You may use the\r\nacquired Access Token with the examples below. (Keep in mind that this token will expire after 60 minutes.) Note\r\nthat the minimum required scope for Activities API operations is https://outlook.office.com/Mail.Read. If\r\nyou will be using Basic Authentication, supply a base64-encoded username and password in accordance with the\r\nBasic scheme.\r\nAuthorization: Basic \u003cencoded username:password\u003e\r\nNote that with Basic Authentication, if the calling user has multifactor authentication enabled, it will be necessary\r\nto generate and supply an app password in place of the account password. It is advisable to include an Accept\r\nheader with a MIME type of application/json and the odata.metadata format parameter. All of the examples\r\ndiscussed in this article use the following header:\r\nAccept: application/json; odata.metadata=none\r\nFinally, it should be noted that the Activities API is subject to the same throttling limits imposed on all other\r\nsubsets within the Outlook REST API. At the time of this writing, that limitation consists of a 10,000 request\r\nallowance per 10-minute window, per target user, per application. Requests issued in excess of this limitation will\r\nresult in an HTTP 429 Too Many Requests response. 
(NOTE: The headers of these responses can be parsed to\r\nretrieve additional information about the throttling state.)\r\nRetrieving Activities\r\nThe simplest call to the Activities API includes no parameters and uses the \"me\" user context shortcut. The\r\nfollowing request will return a response containing the latest 10 mailbox activities of the calling user.\r\nGET https://outlook.office.com/api/v2.0/me/Activities\r\nThis request can be issued using curl as seen here for v2.0 of the API with OAuth:\r\ncurl -H 'Prefer: exchange.behavior=\"ActivityAccess\"' -H 'Authorization: Bearer \u003caccess token\u003e' -H 'Accept: application/json; odata.metadata=none' https://outlook.office.com/api/v2.0/me/Activities\r\nAnd in v1.0 with Basic Authentication as seen here:\r\ncurl -H 'Prefer: exchange.behavior=\"ActivityAccess\"' -H 'Accept: application/json; odata.metadata=none' -u \u003cusername\u003e https://outlook.office365.com/api/v1.0/me/Activities\r\nIt's also possible to issue this request by using the \"Edit Query\" feature in the Outlook Dev Center - OAuth\r\nSandbox. Make sure to supply the appropriate headers if you use this method. Below is a sample JSON response\r\nfrom the API (not all properties are displayed here):\r\n{ \"value\": [ { \"Id\":\"WOGVSAiPKrfJ4apAPcBksT2en7whzDz4NIbUs3==\", \"ActivityCreationTime\":\"2010-04-01T12:34:56.789Z\", \"ActivityIdType\":\"ReadingPaneDisplayStart\", \"AppIdType\":\"Outlook\", \"ClientVersion\":\"15.00.0000.000\", \"ClientSessionId\":\"679126f3-02de-3513-e336-0eac1294b120\", \"ActivityItemId\":\"NjKG5m6OmaCjGKq6WlbjIzvp94czUDg30qGopD==\", \"TimeStamp\":\"2010-04-01T12:34:56.789Z\", \"TenantId\":\"679126f3-02de-3513-e336-0eac1294b120\" } ] }\r\nGiven the role that this API can play in incident response, organizations will typically want to retrieve activities\r\nfor mailboxes not owned by the calling user. 
Fortunately, the Activities API supports that capability by allowing\r\ntarget users to be specified. To retrieve mailbox activities for another user, modify the user context as follows:\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities\r\nThe necessary permission to retrieve mailbox activities for other users can be obtained in one of two ways: the\r\nShared Mailbox or Application Permission method.\r\nShared Mailbox Method\r\nWith this method, the app\r\nperforming the query should be configured to request the Mail.Read.Shared delegated user permission. (This is\r\nnot necessary if Basic Authentication is being used.) In addition, the calling user should be granted FullAccess\r\npermission to the target mailbox. This permission can be applied in the Office 365 Admin center by assigning the\r\n\"Read and manage\" permission for the desired user or by connecting to Exchange Online and running the\r\nfollowing PowerShell cmdlet.\r\nAdd-MailboxPermission -Identity victim@contoso.com -User analyst@contoso.com -AccessRights FullAccess -InheritanceType All -AutoMapping:$false\r\nThis method will work with access tokens obtained by the OAuth Sandbox because the sandbox app includes\r\nMail.ReadWrite.Shared in its list of requested scopes. This scope is a superset of the minimum scope required to\r\nread shared mailboxes. NOTE: Permission assignments are not reflected in real time. It can take minutes, or\r\nsometimes hours, for permission changes to take effect. When valid credentials are supplied, but without sufficient\r\npermission to the target mailbox, the API may return an HTTP 404 Not Found response with the error, \"The\r\nspecified object was not found in the store. 
Default folder ActivityLogs not found.\" If this error is returned after\r\ncorrectly granting FullAccess permission, you may need to allow additional time for the permission changes to\r\npropagate.\r\nApplication Permission Method\r\nWith this method, the app performing the query should be\r\nconfigured to request the Mail.Read application permission. If a Global Admin were to provide consent for this\r\nrequest, then activities for all users in the tenant could be retrieved without having to modify mailbox permissions.\r\nNote that the OAuth Sandbox cannot be used in conjunction with this method. Employing this method involves\r\ndeveloping a web app, implementing a supported OAuth flow, and requesting admin consent from a tenant\r\nadministrator.\r\nRequest Parameters\r\nThe following request parameters are supported by the Activities API:\r\nParameter Description\r\n$orderby Orders the results by the specified expression\r\n$filter Filters the results by timestamp and/or activity type\r\n$select Selects a list of properties to return\r\n$top Specifies the maximum number of activities to return\r\n$skip Specifies the number of activities to skip in the returned results\r\nTable 1: Request Parameters\r\nThe order in which the API returns results is not always guaranteed. Results are normally sorted by TimeStamp in\r\ndescending order; however, certain $filter expressions can alter that behavior. To guarantee the order in which\r\nresults are returned, use the $orderby parameter to specify a property name and sort order. 
For example, to\r\nreturn results in TimeStamp ascending order (oldest results first), issue the following query:\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$orderby=TimeStamp+asc\r\n(NOTE: There are restrictions on how the $orderby and $filter parameters can be used together.) The\r\n$filter parameter allows for an expression to be supplied that restricts results to a range of timestamps and/or a\r\nlist of activity types. For example, to request activities that occurred in January of 2018, issue the following query:\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$filter=(TimeStamp ge 2018-01-01T00:00:00Z and TimeStamp le 2018-01-31T23:59:59Z)\r\nTimestamps are specified in ISO 8601 format (2018-01-01T00:00:00Z). By default, the API will return all\r\nproperties (in the default property set) for each activity type. The $select parameter can be used to specify a subset\r\nof properties to return instead. For example, to only return the TimeStamp and ActivityIdType properties for\r\neach activity, issue the following query:\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$select=TimeStamp,ActivityIdType\r\nIf a $top value is not specified, the API will return a maximum of 10 activities. To change the default behavior,\r\nspecify a $top value in the range of 1 to 1000. (The Activities API will not return more than 1000 results per\r\nrequest.) For example, to retrieve the last 500 activities that occurred in a mailbox, issue the following query:\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$top=500\r\nThe API also supports pagination. 
In cases where a particular query generates a result count that exceeds the\r\nlength specified by the $top value, multiple requests will need to be issued in order to retrieve the entire set.\r\nWhen constructing successive requests, it is necessary to skip the number of activities already retrieved in\r\nprevious requests. This is accomplished by setting the value of the $skip parameter, as demonstrated in the\r\nsecond and third requests below.\r\nFirst request\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$top=1000\r\nSecond request\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$top=1000\u0026$skip=1000\r\nThird request\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/Activities?$top=1000\u0026$skip=2000\r\nStandard Properties\r\nThere are a number of standard properties that are present in all activities. The most commonly used ones are\r\ndocumented here.\r\nProperty Name Description\r\nActivityCreationTime The time that the activity was created\r\nActivityIdType The type of activity (described in detail below)\r\nActivityItemId The EWS ID of the activity object (can be used to query Mail API for additional message properties, including message body)\r\nAppIdType The client type (described in detail below)\r\nClientSessionId A client-generated session identifier (has limited use in identifying actual user sessions)\r\nTimeStamp The time that the activity occurred\r\nTable 2: Required Properties\r\nAlthough other object identifiers (such as Id and ActivityObjectId) are included in most activities, the\r\nActivityItemId property is the expected identifier when querying other subsets, such as the Outlook Mail API.\r\nFor this reason, ActivityItemId is used as the preferred message identifier in this article. 
The\r\nClientSessionId property has limited use in identifying actual user sessions. Although each login activity has an\r\nassociated ClientSessionId , not all subsequent mailbox activity will be associated with that same identifier.\r\nThere are normally many different client session identifiers per actual user session. This property is most likely a\r\nclient-generated UUID that is designed to be used for request-response correlation. It may be of interest to note\r\nthat as new requests are issued within each session, the SequenceNumber property is incremented.\r\nCustom Properties\r\nMost activity types include custom properties. Each custom property is represented as a single JSON object within\r\na CustomProperties array.\r\nThese objects consist of properties that are unique to each activity type, such as the ClientIP property for\r\nServerLogin activities and the TargetFolder property for Move activities. Most of the interesting metadata for\r\neach activity is contained within this array. Some of the more useful custom properties are discussed in detail in\r\nthe Activity Types section below.\r\nActivity Types\r\nActivities are classified by the ActivityIdType property. CrowdStrike has identified at least 30 different activity\r\ntypes, ranging from message operations to login events to calendar updates. 
An exhaustive list and description of\r\nall of these activity types is outside the scope of this article, but some of the more useful ones are documented\r\nbelow.\r\nActivity Type Description\r\nDelete A message was deleted (by a user or by Exchange)\r\nForward A message was forwarded\r\nLinkClicked A link in a message was clicked (does not apply to all application types)\r\nMarkAsRead A message was marked as read\r\nMarkAsUnread A message was marked as unread\r\nMessageDelivered A message was delivered to the mailbox\r\nMessageSent A message was sent from the mailbox\r\nMove A message was moved (by a user or by Exchange)\r\nOpenedAnAttachment An attachment was opened (does not apply to all application types)\r\nReadingPaneDisplayEnd A message was deselected in the reading pane\r\nReadingPaneDisplayStart A message was selected in the reading pane (a message was viewed)\r\nReply A message was replied to (also ReplyAll)\r\nSearchResult Search results were generated\r\nServerLogon A logon event occurred (may also be accompanied by a Logon activity)\r\nTable 3: Activity Types\r\nIt is important to note that many activity types do not contain a substantial amount of message metadata. They do,\r\nhowever, include the ActivityItemId field, which can be used in multiple ways to retrieve all of the message\r\nmetadata for an activity. One way to retrieve the relevant metadata is to query the Mail API for it. This will also\r\nallow you to retrieve the body of the message, if necessary. The following query uses Mail API to retrieve the\r\nWebLink, BodyPreview, and Subject properties for the message identified by ActivityItemId. 
(NOTE: If\r\nyou use the beta endpoint, it's also possible to request the InternetMessageHeaders property, which can be useful\r\nin incident response.)\r\nGET https://outlook.office.com/api/v2.0/Users('victim@contoso.com')/messages/\u003cActivityItemId\u003e?$select=WebLink,BodyPreview,Subject\r\nAnother way to retrieve the metadata for the object is to search for it in corresponding MessageDelivered\r\nactivities. MessageDelivered activities (and to a lesser extent, MessageSent activities) preserve important\r\nproperties such as sender, recipient and subject. Activities can be linked together using the ActivityItemId\r\nproperty. In this way, it is possible to retrieve message metadata for many activities without issuing additional\r\nHTTP requests. For example, MarkAsRead activities do not include properties for the recipients or the subject of\r\nthe message that was marked as read. However, you may already have the associated MessageDelivered activity\r\nfor that message (stored in memory or on disk). Search for it by the ActivityItemId property of the\r\nMarkAsRead activity. If it exists, values for important fields (such as Recipients and Subject) can be reliably\r\nimported. Certain activity types are only generated when they are initiated by a supported application type. As an\r\nexample, LinkClicked and OpenedAnAttachment activities are only recorded when those actions are performed\r\nusing Outlook on the web (the Web application type).\r\nInteresting Activity Types\r\nThese activities can provide significant value to analysts hunting for attacker activity in Outlook mailboxes.\r\nAccordingly, they are discussed in greater detail below.\r\nMessageDelivered — This activity indicates that a\r\nmessage was delivered to the mailbox. 
This activity type is important because it can be used to identify phishing\r\nemails and because it contains message metadata that can be used to enrich related activities. The AppIdType for\r\nthis activity is always Exchange . Some of the most useful custom properties for this activity type are as follows:\r\nSenderSmtpAddress — The SMTP address of the sender of the message\r\nFrom — The originator of the message\r\nRecipients — The recipients of the message (limited to 128 entries)\r\nSubject — The subject of the message\r\nSentTime — The time the message was sent\r\nInternetMessageId — The Internet Message ID of the message\r\nItemClass — The class of the message\r\nAttachmentDetail — A list of the types of attachments in the message\r\nReadingPaneDisplayStart — This indicates that a message was selected in the reading pane, making it viewable.\r\nThis activity type may or may not contain a CustomProperties array, depending on which application type initiated\r\nthe action. In all cases, however, there is a limited amount of metadata included in the activity, so the message\r\nbeing referenced must be looked up using one of the methods described in the Activity Types section above. A\r\nReadingPaneDisplayEnd activity occurs when a message is deselected. SearchResult – These activities contain\r\nsearch queries that were performed within a mailbox. Each of these activities contains a CustomProperties array\r\nwhich contains a Query XML object. To retrieve the search query, parse this XML object for /Query/RawQuery .\r\nSee the following example Query value:\r\n\u003cQuery\u003e\u003cRawQuery\u003epayment\u003c/RawQuery\u003e\u003cRankingQuery\u003eany \u003c/RankingQuery\u003e\u003cAll\u003e\r\n\u003cToken\u003epayment\u003c/Token\u003e\u003c/All\u003e\u003c/Query\u003e\r\nServerLogon – This activity type indicates that an Office 365 Outlook mailbox login event occurred. 
It contains\r\nmany useful properties within the CustomProperties array.\r\nSome of these are as follows:\r\nClientIP — This is the source IP address for the login activity. If this field contains multiple comma-separated values, it indicates that an X-Forwarded-For header was included with the login submission.\r\nUserName — This is the username for the login activity.\r\nResult — This is the result of the login attempt (whether it was successful or not).\r\nExceptionInfo — In the event of a login failure, exception info may be populated.\r\nUserAgent — This is the client's reported user agent.\r\nApplication Types\r\nEach activity has an associated application type which is stored in the AppIdType property. This property indicates\r\nthe type of application that initiated the activity. The most common application types are documented below.\r\nApplication Type Description\r\nExchange Exchange Online\r\nIMAP4 IMAP4 client\r\nLync Lync / Skype for Business\r\nMacMail MacOS Mail\r\nMacOutlook MacOS Outlook\r\nMobile Mobile browser\r\nOutlook Windows Outlook\r\nPOP3 POP3 client\r\nWeb Outlook on the web\r\nTable 4: Application Types\r\nIt's important to note that some application types automatically begin synchronizing mailbox contents on first\r\nlogin. This should be taken into consideration when performing analysis because it means that the contents of a\r\nmailbox could have been exfiltrated, even without any \"message read\" activities being returned by the API.\r\nCrowdStrike has observed this most frequently occurring with IMAP4. 
At this time, there is no protocol logging\r\navailable in Office 365 for IMAP4 or other comparable application types to determine exactly which messages\r\nwere synchronized by a client.\r\nPython Module\r\nIn conjunction with this article, CrowdStrike is releasing a Python module that wraps the basic functionality of the\r\nActivities API. It is accompanied by a command-line tool that can be used to retrieve activities for a user and write\r\nthem to a CSV file. The tool requires a valid OAuth 2.0 access token, which for testing purposes can be obtained\r\nfrom the Outlook Dev Center – OAuth Sandbox. (To obtain access tokens for use with production software, you\r\nshould implement a supported OAuth flow and register your application with Microsoft. For more details, see v2.0\r\nProtocols - OAuth 2.0 \u0026 OpenID Connect.)\r\nUsing the command-line tool\r\nThis tool will continuously fetch and\r\nwrite activities to a CSV file until all activities matching the specified criteria have been retrieved. The access\r\ntoken can be supplied by setting an OAUTH_TOKEN environment variable (preferred method) or by including it\r\nas a command-line argument. 
Usage is as follows:\r\nusage: retriever.py --user \u003cusername\u003e --output \u003cfilename\u003e [--token \u003ctoken\u003e] [--start \u003ctimestamp\u003e] [--end \u003ctimestamp\u003e] [--types \u003ctype\u003e [\u003ctype\u003e ...]]\r\n--user \u003cusername\u003e Target user (user principal name)\r\n--output \u003cfilename\u003e CSV output filename\r\n--token \u003ctoken\u003e OAuth access token\r\n--start \u003ctimestamp\u003e Start timestamp (ISO 8601)\r\n--end \u003ctimestamp\u003e End timestamp (ISO 8601)\r\n--types \u003ctype\u003e [\u003ctype\u003e ...] Space-delimited list of activity types\r\nExample 1: Retrieve MessageDelivered activities that occurred after January 1:\r\npython retriever.py --user victim@contoso.com --output activities.csv --types MessageDelivered --start 2018-01-01T00:00:00Z\r\nExample 2: Retrieve ServerLogon and SearchResult activities that occurred in the month of May:\r\npython retriever.py --user victim@contoso.com --output activities.csv --types ServerLogon SearchResult --start 2018-05-01T00:00:00Z --end 2018-05-31T23:59:59Z\r\nExample 3: Retrieve the entire history of activities for a user. (NOTE: This may take a long time.)\r\npython retriever.py --user victim@contoso.com --output activities.csv\r\nNOTE: Ensure you've acquired the necessary permission to retrieve activities for other users by employing one of\r\nthe methods described in the Retrieving Activities section above.\r\nTechniques for Finding Attacker Activity\r\nBEC threat actors rarely alter their TTPs and frequently reuse the same infrastructure across phishing campaigns.\r\nThese characteristics, combined with the right analytical techniques, can allow incident responders to swiftly\r\nidentify such intruders in their environments. 
Some of the techniques used by the CrowdStrike Services team are\r\ndiscussed below.\r\nIP Geolocation\r\nOne of the simplest and most effective methods for distilling attacker activity\r\nfrom legitimate mailbox owner operations is performing geographic logon analysis. Logons from geographies that\r\nare not consistent with the mailbox owner's residence or travel patterns should be considered as immediate\r\ncandidates for further inspection. Numerous free sources of IP geolocation data exist, all of which can be used to\r\nprogrammatically translate source IP addresses of logon activities to specific geographic locations.\r\nFigure 1: IP Geolocation\r\nSearch Queries\r\nSearch query analysis is particularly useful in BEC cases involving wire fraud (such as those\r\ncommonly perpetrated by Nigerian confraternities) because mailbox searching is one of the most frequently\r\nemployed techniques of these types of attackers. Upon gaining access to an Office 365 Outlook mailbox, these\r\nthreat actors typically begin issuing queries for terms such as \"wire transfer,\" \"invoice\" and \"payment\" in order to\r\ngather the necessary information to target specific people and processes. Analyzing SearchResult activities for\r\nsuspicious search terms is one of the most efficient methods for isolating attacker activity.\r\nAnomalous Client Types\r\nAnomalous application types are frequent indicators of suspicious activity. Attacker activity can often be\r\ndiscovered by stacking application types to identify the instances that appear least over an extended period of\r\ntime. For example, if a given user usually logs into his or her Office 365 Outlook mailbox via the Outlook client,\r\nactivities performed via Web or IMAP4 constitute potential indicators of attacker activity. 
Identifying these types\r\nof outliers in mailbox activity history is essential to conducting successful BEC investigations.\r\nDKIM/DMARC/SPF Failures\r\nThe Office 365 Outlook Mail API can be called upon to retrieve message headers\r\nand bodies. By enriching activities with these additional properties, it is possible to search for other indications of\r\nmalicious activity, most notably those involving DKIM, DMARC, and SPF failures. Messages that fail one or\r\nmore of these checks may be associated with malicious activity, such as spoofed sender addresses or the use of\r\nunauthorized Mail Transfer Agents (MTAs).\r\nMalicious Attachment Types\r\nThe properties of received messages\r\nare stored in MessageDelivered activities. Many of these properties can be used to identify suspicious emails.\r\nAmong these is the AttachmentDetail property, which contains a list of attachment types and methods. By\r\nscanning this field for malware-related attachment types (such as HTA, EXE, and PDF), suspicious emails can be\r\nrapidly discovered and then analyzed for additional indicators.\r\nConclusion\r\nThe Office 365 Outlook Activities API provides a straightforward interface to a powerful mailbox logging\r\nsubsystem that is vastly superior to existing Office 365 auditing capabilities. While the full potential of the API is\r\nunknown at this time, CrowdStrike has documented many of the features that can be used to derive maximum\r\noperational value from the API. Organizations and individuals alike can utilize this knowledge to respond to\r\nincidents, hunt for attackers, or simply to gain a better understanding of Office 365 Outlook mailbox operations.\r\nIn CrowdStrike investigations of BEC cases, it is not unusual for the threat actor to have gained access to or\r\ncompromised the customer's environment outside of the Office 365 footprint. 
In such cases, CrowdStrike\r\nrecommends a comprehensive Compromise Assessment / Threat Hunting engagement to determine the extent of\r\nthe compromise and to ensure the threat actor can be adequately eradicated from the client's infrastructure.\r\nFor more information on CrowdStrike's Incident Response, Compromise Assessment or Threat Hunting offerings,\r\nvisit the CrowdStrike Services page or please reach out to us at: Services@crowdstrike.com\r\nSource: https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/"
	],
	"report_names": [
		"hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises"
	],
	"threat_actors": [],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d9fc7547b3a72889bbde580ee071d98fb736eca.pdf",
		"text": "https://archive.orkl.eu/6d9fc7547b3a72889bbde580ee071d98fb736eca.txt",
		"img": "https://archive.orkl.eu/6d9fc7547b3a72889bbde580ee071d98fb736eca.jpg"
	}
}