War Room

Shells from above


Office 365—Magic Logs Uncovered

June 15, 2020 By Isaac Barker (RSM) & Kevin Yoegel (Lewis Brisbois Bisgaard & Smith LLP)

The Dark Ages

According to the FBI’s 2019 IC3 report, the IC3 unit received 23,775 business email compromise (BEC) complaints with losses of over $1.7 billion (FBI IC3 Report[1]). We have found that, first and foremost, threat actors are trying to leverage compromised email accounts to perpetrate financial fraud. Even if unintentionally, a fraudster will likely access other content in the compromised account while searching for the information needed to carry out the fraudulent transaction, which could lead to the potential exposure of sensitive or protected information, such as personal health information (PHI), personally identifiable information (PII) or payment card information (PCI). Beyond financial transactions, threat actors target specific types of information, such as employee Form W-2 Wage and Tax Statements held by HR personnel. An employee’s Form W-2 information can be used to e-file fraudulent tax returns for the purpose of stealing refunds.

If threat actors access protected or sensitive information during an attack, data review may have to be undertaken. Data review is typically a two-step process conducted under the direction of cyber counsel to develop appropriate review parameters and protocols. First, a compromised account is data mined using advanced automated processing with keyword and pattern searches to identify responsive items potentially containing protected or sensitive information. Second, that subset of items is manually reviewed by a document review team, and a final report is generated that identifies impacted individuals and associated data elements that may have been accessed during an attack (e.g., a Social Security number or medical information). The data review process can often result in a substantial five- or six-figure expense depending on the volume of data to be mined and the number of messages and attachments requiring manual review and the density of protected information contained therein. If personal information is accessed, consumer notification and regulatory reporting may be required. The cost of consumer notification and remediation will depend upon the number of individuals to be notified, but it is often a necessary expense that victims of the compromise must be prepared to incur.

It’s Magic Time

Above and beyond the direct financial loss, the total impact to the victim can include investigation costs, engaging cyber counsel to help fulfill notification and reporting obligations, and potential regulatory fines and penalties. Fortunately, one method exists that can help us understand what a threat actor did while they had access to a compromised email account, thereby helping to reduce the additional financial burden a victim may encounter. So how does one do that? It’s time to cue up the magic logs!

Prior to the discovery of magic logs, Microsoft Office 365 investigations were in the metaphoric dark ages, as there was limited visibility into what an intruder did (or perhaps, more importantly, did not do) while accessing a compromised account. Between 2017 and 2018, several forensic firms identified an undocumented Microsoft application programming interface that used Exchange Web Services, which allowed them to obtain extremely detailed Office 365 logs, fondly referred to as “magic logs.”

Bad actors were unwittingly dropping forensic bread crumbs, and these detailed logs allowed investigators to obtain very specific information, such as which email messages were accessed and what searches were being performed. In many cases, investigators were even able to recover those accessed messages from the mailbox.

While there are many factors that go into an analysis, the ability to specifically identify data accessed by an intruder can minimize the volume of data to be reviewed, allowing for a more tailored investigation identifying individuals who actually may be at risk. This can mitigate other risks associated with consumer and regulatory notification, such as fines and penalties assessed, and eliminate the need to inform individuals about a data security incident that did not affect them.

In 2018, Microsoft revoked all access to the logs, and the ability to perform this extremely in-depth analysis disappeared, again requiring the review of massive volumes of email account data to locate protected or sensitive data that may have been exposed to a threat actor. An illustration noting the difference between the two workflows is shown below:

Here Comes The Sun

However, there is renewed hope. On March 2, 2020, Microsoft issued a notice regarding the rollout of mail items accessed logs (https://docs.microsoft.com/en-us/microsoft-365/compliance/mailitemsaccessed-forensics-investigations?view=o365-worldwide#use-mailitemsaccessed-audit-records-for-forensic-investigations). Reviewing mailbox audit and unified audit log activity soon after the initial release revealed the new mail items accessed events. The first instance of these new mail items accessed logs is shown below:

While the underlying log functionality is now officially supported by Microsoft, there is a catch: only businesses with an E5 premium license have access to these “magic log” entries. This means clients with an E5 license will likely incur reduced overall investigative and analysis costs from start to finish, because they can identify the specific messages accessed by a threat actor.
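To show how the MailItemsAccessed records narrow a data review, here is an added example (not code from the post or from Microsoft) that parses an export of those audit records and produces a review scope. The field names (Operation, SessionId, MailAccessType, IsThrottled, Folders, FolderItems, InternetMessageId) follow the Microsoft documentation linked above; the three records and every value in them are constructed for illustration. It assumes the export is a JSON array of rows in which each row's AuditData property holds the event as a JSON string, which is how Search-UnifiedAuditLog output is commonly saved; plain event objects are accepted too.

```python
"""Scope a BEC data review from MailItemsAccessed audit records.

Added example, not from the post. Field names follow Microsoft's
MailItemsAccessed documentation; all sample values below are constructed.
"""
import json
from typing import Any, Dict, List

# Constructed sample export: three MailItemsAccessed events, each wrapped
# as a JSON string in AuditData. Session A binds to individual messages and
# later hits throttling; session B syncs the whole Inbox from a second IP.
SAMPLE_EXPORT = json.dumps([
    {"RecordType": "ExchangeItem", "AuditData": json.dumps({
        "CreationTime": "2020-03-10T14:02:11", "Operation": "MailItemsAccessed",
        "UserId": "victim@example.com", "SessionId": "session-A",
        "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<w2-request-001@example.com>"},
            {"InternetMessageId": "<invoice-2271@example.com>"}]}]})},
    {"RecordType": "ExchangeItem", "AuditData": json.dumps({
        "CreationTime": "2020-03-10T14:40:53", "Operation": "MailItemsAccessed",
        "UserId": "victim@example.com", "SessionId": "session-A",
        "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA;Action=ViaProxy",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "True"}],
        "Folders": [{"Path": "\\Sent Items", "FolderItems": [
            {"InternetMessageId": "<wire-instructions-re@example.com>"}]}]})},
    {"RecordType": "ExchangeItem", "AuditData": json.dumps({
        "CreationTime": "2020-03-11T02:15:00", "Operation": "MailItemsAccessed",
        "UserId": "victim@example.com", "SessionId": "session-B",
        "ClientIPAddress": "198.51.100.7", "ClientInfoString": "Client=ActiveSync",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": []}]})},
])


def load_records(export_text: str) -> List[Dict[str, Any]]:
    """Return event dicts, unwrapping the AuditData JSON string when present."""
    records = []
    for row in json.loads(export_text):
        data = row.get("AuditData", row)
        records.append(json.loads(data) if isinstance(data, str) else data)
    return records


def _operation_property(record: Dict[str, Any], name: str, default: Any = None) -> Any:
    """Look up a value in the OperationProperties name/value list."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return default


def summarize_sessions(records: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Group MailItemsAccessed events by SessionId.

    Bind events name the exact messages opened; Sync events only name the
    folder synced, so every item in that folder must be treated as accessed.
    IsThrottled=True means Exchange stopped writing records for the rest of
    that window, so the session's list of messages is known to be incomplete.
    """
    sessions: Dict[str, Dict[str, Any]] = {}
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        sid = rec.get("SessionId") or "unknown-session"
        s = sessions.setdefault(sid, {
            "user": rec.get("UserId"), "ips": set(), "clients": set(),
            "bound_messages": set(), "synced_folders": set(), "throttled": False})
        s["ips"].add(rec.get("ClientIPAddress"))
        s["clients"].add(rec.get("ClientInfoString"))
        if str(_operation_property(rec, "IsThrottled", "False")).lower() == "true":
            s["throttled"] = True
        access_type = _operation_property(rec, "MailAccessType")
        for folder in rec.get("Folders", []):
            if access_type == "Sync":
                s["synced_folders"].add(folder.get("Path"))
                continue
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    s["bound_messages"].add(item["InternetMessageId"])
    return sessions


def review_scope(sessions: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Turn session summaries into what the document review team needs."""
    message_ids, folders, incomplete = set(), set(), []
    for sid, s in sessions.items():
        message_ids |= s["bound_messages"]
        folders |= s["synced_folders"]
        if s["throttled"]:
            incomplete.append(sid)  # coverage gap: widen review for this session
    return {"message_ids": sorted(message_ids),
            "full_folder_review": sorted(folders),
            "incomplete_sessions": sorted(incomplete)}


if __name__ == "__main__":
    print(json.dumps(review_scope(summarize_sessions(load_records(SAMPLE_EXPORT))), indent=2))
```

The output separates three buckets: individual messages to pull by InternetMessageId, folders that were synced and therefore need review in full, and sessions where throttling means the record is incomplete and the reviewer should fall back to broader keyword mining for that window. Running it over a real export from an E5 tenant only requires replacing SAMPLE_EXPORT with the saved audit search results.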

Conclusion

While Microsoft didn’t give everyone the keys to the kingdom, additional logging through an E5 license is certainly a step in the right direction for the incident response community and all businesses affected by BEC within Office 365. With E5, investigators once again have a better view of a threat actor’s unauthorized activity and can identify the specific email messages accessed for review without having to data mine an entire mailbox to identify all PHI, PII and/or PCI data. What seems like an inconspicuous difference to most proves to be a substantial benefit to victims of an Office 365 attack.

[1] https://pdf.ic3.gov/2019_IC3Report.pdf

