Insider Threat: Malicious admin reading your emails!

Email privacy is a very sensitive subject. Permissions on inboxes are heavily managed, and it's a very bad idea to give yourself, as an IT admin, permissions to an end user's mailbox. There are multiple options to get at the content of a mailbox, but some are stealthier than others.

In this blog post, I zoom in on what I consider the stealthiest way to view the content of a mailbox.

The tools

There are a couple of tools within Microsoft 365 that you can use to gather the content of a mailbox or hunt for a specific email. eDiscovery lets you fetch the complete content of an end user's mailbox, and it will most likely be your go-to tool when you have a legal use case.

A content search is also a possible way to take a quick peek inside somebody's mailbox, as it is more aimed at exploring content within your tenant.

But using these features can be heavily regulated. The permissions needed to perform an eDiscovery are controlled and can even be managed via PIM (eDiscovery Manager and eDiscovery Administrator). So not every admin within your organization can use this tool.

Creating an eDiscovery or content search also triggers an MDO alert named "eDiscovery search started or exported", which is not ideal from an insider threat perspective.

Threat explorer is the ultimate tool

The Microsoft Threat explorer is, according to me, one of the most powerful tools available on security.microsoft.com. I use it daily to investigate all kinds of emails that are brought to my attention by end-users or Microsoft Defender for Office detections.

[Screenshot of the Threat Explorer]

But it is also one of the most silent ways to look into somebody's mailbox. With a simple search you can list the inbox of a specific user. But wait… there is more.

Threat Explorer also has a feature that allows you to preview and download single emails. You can even assign this permission directly in the Purview portal, so you don't need PIM to activate it. And let's be honest, how often do you review the permissions given within the Purview portal?

Can we detect preview usage?

Microsoft doesn't provide alerting or clear reporting on preview actions via the explorer. But they do provide logs, and that's all we need. With the following KQL, you can monitor who accesses which email. The query extracts the actor, the affected mailbox, the sender, the recipient and the subject.

Tip: keep track of my GitHub page, as it will contain the most up-to-date version.

CloudAppEvents
| where ActionType == "AdminMailAccess"
// ExtendedProperties is an array; as used here, element 1 holds the mailbox and element 2 the URL-encoded InternetMessageId
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = tostring(data[1]["Value"])
| extend OpenedEmail = url_decode(tostring(data[2]["Value"]))
// keep the CloudAppEvents Timestamp; if it is dropped here, the join returns the email's delivery time instead of the access time
| project AccessTime = Timestamp, Actor = AccountDisplayName, ActionType, OpenedMailbox, OpenedEmail
| join EmailEvents on $left.OpenedEmail == $right.InternetMessageId
| project AccessTime, Actor, ActionType, OpenedMailbox, SenderFromAddress, RecipientEmailAddress, Subject
| order by AccessTime desc
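As an added example (not from the original post or its GitHub page), the same log source rolled up per actor and mailbox, so that an admin working through someone's inbox stands out instead of being one row among many. The approvedActors list and the threshold are hypothetical, and the query keeps the post's assumption that ExtendedProperties element 1 is the mailbox and element 2 the message id.

```kql
// Added example: threshold-based view of AdminMailAccess previews per actor and mailbox.
let lookback = 1d;
let threshold = 5;                                              // previews of one mailbox per day before we care
let approvedActors = dynamic(["soc-analyst@contoso.example"]);  // hypothetical allow-list of expected reviewers
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "AdminMailAccess"
| where AccountDisplayName !in (approvedActors)
| extend data = RawEventData["ExtendedProperties"]
| extend OpenedMailbox = tostring(data[1]["Value"])             // same layout assumption as the post's query
| extend OpenedEmail = url_decode(tostring(data[2]["Value"]))
| project AccessTime = Timestamp, Actor = AccountDisplayName, ActorIP = IPAddress, OpenedMailbox, OpenedEmail
// leftouter keeps previews whose message is no longer in EmailEvents (older than the retention window)
| join kind=leftouter (
    EmailEvents
    | project InternetMessageId, Subject
  ) on $left.OpenedEmail == $right.InternetMessageId
| summarize
    Previews  = dcount(OpenedEmail),
    FirstSeen = min(AccessTime),
    LastSeen  = max(AccessTime),
    SourceIPs = make_set(ActorIP, 10),
    Subjects  = make_set(Subject, 20)
    by Actor, OpenedMailbox, Day = bin(AccessTime, 1d)
| where Previews >= threshold
| order by Previews desc, LastSeen desc
```

Tune the threshold against a week of your own tenant's data first: a single preview is normal triage, while many distinct messages from one mailbox in a day is the pattern this post describes.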
