Mailbox Audit Logs
Location
Exchange Admin Center or Search-MailboxAuditLog cmdletDescription
Per-mailbox audit records capturing owner, delegate, and admin actions on mailbox items including MessageBind (read), SendAs, SendOnBehalf, MoveToDeletedItems, SoftDelete, HardDelete, and UpdateInboxRules.
Forensic Value
Mailbox audit logs are essential for BEC and email-based data theft investigations. MessageBind events with ClientInfoString containing "Client=OWA" from unusual IPs indicate webmail access from a compromised session. HardDelete operations suggest evidence destruction. UpdateInboxRules events reveal forwarding rules created to silently exfiltrate email. Delegate access logs expose when another account accessed the mailbox.
Tools Required
Collection Commands
PowerShell
Search-MailboxAuditLog -Identity [email protected] -LogonTypes Owner,Delegate,Admin -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails | Export-Csv mailbox_audit.csv -NoTypeInformation
PowerShell
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType ExchangeItemAggregated -UserIds [email protected] -ResultSize 5000 | Export-Csv ual_mailbox.csv -NoTypeInformation
Hawk
Get-HawkUserMailboxAuditing -UserPrincipalName [email protected]
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.