Email Collection

A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information.

The subject creates an email forwarding rule to transport any incoming emails from one mailbox to another.

A subject retrieves email files from the local disk of an endpoint they have access to. When using an email client application (such as Outlook) typically an offline copy of the emails received by the client are stored locally on disk, providing an opportunity for a subject to retrieve them without interacting with an email server.

A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services.

The following detection is a default alert policy that should be enabled in all tenants automatically.

To view this alert policy, access the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Policies & rules > Alert policy. Or, to go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

This rule will generate an alert when a forwarding/redirect rule is created within Exchange or OWA.

This detection monitors the granting of mailbox read permissions, an operation that enables a user account to access another user's or shared mailbox. By alerting on this permission change in Microsoft Defender, investigators gain early visibility into potential misuse of mailbox data and can trace both the granting account and the recipient of the access.

In the Microsoft Defender portal at https://security.microsoft.com, navigate to Email & collaboration > Policies & rules > Alert policy. To go directly to the Alert policy page, use https://security.microsoft.com/alertpoliciesv2.

Click |+ New Alert Policy" in the top-left corner. Assign a clear name to the alert policy and select an appropriate Severity and Category. On the next page, under “Activity is”, search for and select Granted mailbox permission. Configure the remaining settings as required. If the intention is only to alert on these events generated by specific accounts, this can be achieved by adding a condition with either User: User is or User: User tags are.

When reviewing an alert generated by this rule, select an activity row in the Activity list table to display related information. A panel will open on the right-hand side of the alert page, under “Activity details”, showing the Item (target mailbox friendly name), User (email address of the account that made the change), IP address, and timestamp. To identify the account that was granted read access to the mailbox, review the Parameters JSON output and retrieve the “Value” (object ID) located next to "User": "Name". This ID can then be searched in the “All users” section of Entra ID to identify the target user account.