1 of 55

Automating Azure Account Compromise Investigations

Alan Pike

2 of 55

This is based on a true story

3 of 55

A user fell victim to an AiTM (adversary-in-the-middle) attack…

4 of 55

A lot of questions to be answered…

  • What emails were accessed? Which ones contained attachments?
  • What files were accessed?
  • Were any files shared?
  • Were any mailbox rules added to the user's mailbox?
  • Were any additional MFA methods added to the account?
  • Did the user's account target any other users with a phishing email?
  • Can we identify which IPs are suspicious, legitimate, used by Azure, or owned by Microsoft…

5 of 55

Using the Purview Audit Log

6 of 55

Purview Audit log

7 of 55

Purview Audit log

8 of 55

Purview Audit log

9 of 55

Purview Audit log

10 of 55

Purview Audit log

11 of 55

Purview Audit log

12 of 55

Purview Audit log

13 of 55

Purview Audit log

14 of 55

Purview Audit log

"FolderItems": [
  {
    "ClientRequestId": "77d67e60-f875-4615-8516-3c9fb48b017e",
    "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYmAAAJ",
    "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYmAAAJ",
    "InternetMessageId": "<AM8PR09MB539707E21F36736468BEBE6FFDF5A@AM8PR09MB5397.eurprd09.prod.outlook.com>",
    "SizeInBytes": 35064
  },
  {
    "ClientRequestId": "fb061bbf-a88e-438b-aa28-366ccc251d89",
    "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYyAAAJ",
    "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYyAAAJ",
    "InternetMessageId": "<AM8PR09MB539792FEB9898F5FC2128E0EFDF5A@AM8PR09MB5397.eurprd09.prod.outlook.com>",
    "SizeInBytes": 3684
  },

15 of 55

Exporting from Purview…

16 of 55

Exporting from Purview…

17 of 55

Exporting from Purview…

{
  "AppAccessContext": {
    "APIId": "13937bba-652e-4c46-b222-3003f4d1ff97",
    "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97",
    "IssuedAtTime": "2025-10-20T08:50:13",
    "UniqueTokenId": "3130e950-74e0-4bb2-be26-0555eac7fd81"
  },
  "CreationTime": "2025-10-20T08:50:22",
  "Id": "938100d4-fe3c-4404-9748-fbe12a82f1aa",
  "Operation": "MailItemsAccessed",
  "OrganizationId": "766317cb-e948-4e5f-8cec-dabc8e2fd5da",
  "RecordType": 50,
  "ResultStatus": "Succeeded",
  "UserKey": "13937bba-652e-4c46-b222-3003f4d1ff97",
  "UserType": 5,
  "Version": 1,
  "Workload": "Exchange",
  "UserId": "jane.bloggs@tudublin.ie",
  "ActorInfoString": "Client=REST;Client=RESTSystem;UserContext[AppId=13937bba-652e-4c46-b222-3003f4d1ff97];",
  "AppId": "13937bba-652e-4c46-b222-3003f4d1ff97",
  "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97",
  "ClientIPAddress": "2603:10a6:20b:58a::13",
  "ClientInfoString": "Client=REST;Client=RESTSystem;;",
  "ExternalAccess": false,
  "InternalLogonType": 0,
  "LogonType": 0,
  "LogonUserSid": "S-1-5-21-4216173473-1702484195-1916209044-34247418",
  "MailboxGuid": "cf971db7-da00-489d-8f88-f2fe4aa657a8",
  "MailboxOwnerSid": "S-1-5-21-4216173473-1702484195-1916209044-34247418",
  "MailboxOwnerUPN": "jane.bloggs@tudublin.ie",
  "OperationProperties": [
    { "Name": "MailAccessType", "Value": "Bind" }
  ],
  "OrganizationName": "TUDublin.onmicrosoft.com",
  "OriginatingServer": "AM8PR09MB5397 (15.20.4200.000)\r\n",
  "TokenTenantId": "766317cb-e948-4e5f-8cec-dabc8e2fd5da",
  "Folders": [
    {
      "FolderItems": [
        {
          "ClientRequestId": "77d67e60-f875-4615-8516-3c9fb48b017e",
          "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYmAAAJ",
          "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYmAAAJ",
          "InternetMessageId": "<AM8PR09MB539707E21F36736468BEBE6FFDF5A@AM8PR09MB5397.eurprd09.prod.outlook.com>",
          "SizeInBytes": 35064
        },
        {
          "ClientRequestId": "fb061bbf-a88e-438b-aa28-366ccc251d89",
          "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYyAAAJ",
          "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzYyAAAJ",
          "InternetMessageId": "<AM8PR09MB539792FEB9898F5FC2128E0EFDF5A@AM8PR09MB5397.eurprd09.prod.outlook.com>",
          "SizeInBytes": 3684
        },
        {
          "ClientRequestId": "5109701d-64b5-4cb7-a067-c2b0002b4c1b",
          "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzovAAAJ",
          "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzovAAAJ",
          "InternetMessageId": "<Share-d82fd1a1-9098-e000-29c3-11ef9d32d2c6,d82fd1a1-9098-e000-29c3-11ef9d32d2c6-6b59ae72-5e51-4759-a426-9904c1076b57-r0-SendEmail-rh_neu-aid_a7508efe-1f7c-40a0-816c-5ca67d1fb0f3@odspnotify>",
          "SizeInBytes": 51142
        },
        {
          "ClientRequestId": "5ffa9205-5785-49c4-86a5-9df041ff16bd",
          "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzo4AAAJ",
          "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhzo4AAAJ",
          "InternetMessageId": "<Share-db2fd1a1-403d-e000-45b2-df8a251ff5e8,db2fd1a1-403d-e000-45b2-df8a251ff5e8-19853a0a-145e-43e9-aba1-7d3dd5fd8e43-r0-SendEmail-rh_neu-aid_838d7eb2-22d0-41b9-acfe-6140d8a728b7@odspnotify>",
          "SizeInBytes": 40980
        }
      ],
      "Id": "LgAAAACnXt55PTpxQawFM3jw81QGAQDe1HHeuktEQ6UZu090ZPEJAAAAAAEJAAAB",
      "Path": "\\Sent Items"
    },
    {
      "FolderItems": [
        {
          "ClientRequestId": "7f02cf65-6c4f-4cb7-b59e-54e42b8c6a16",
          "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhyY4AAAJ",
          "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDe1HHeuktEQ6UZu090ZPEJAAMXhyY4AAAJ",
          "InternetMessageId": "<PA3PR09MB8195459DC020C9A4DFA9D02BFAF5A@PA3PR09MB8195.eurprd09.prod.outlook.com>",
          "SizeInBytes": 45231
        }
      ],
      "Id": "LgAAAACnXt55PTpxQawFM3jw81QGAQDe1HHeuktEQ6UZu090ZPEJAAAAAAEMAAAB",
      "Path": "\\Inbox"
    }
  ],
  "OperationCount": 5
}
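As an added example (not the author's script from the GitHub repository), the Python below flattens a MailItemsAccessed record of the shape shown above into one row per message, so the InternetMessageId values can be handed to the per-message Graph API lookup the talk describes. The sample record is constructed with placeholder message IDs and user, and the RESTSystem/UserType 5 flag for service-side access is an assumption drawn from the Management Activity API schema, not something the slides state.

```python
import json

# Constructed sample in the shape of the MailItemsAccessed record shown on
# the slides; message IDs and user are placeholders, not real tenant data.
SAMPLE_RECORD = json.dumps({
    "CreationTime": "2025-10-20T08:50:22", "Operation": "MailItemsAccessed",
    "UserId": "jane.bloggs@example.com", "UserType": 5,
    "ClientIPAddress": "2603:10a6:20b:58a::13",
    "ClientInfoString": "Client=REST;Client=RESTSystem;;",
    "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}],
    "Folders": [
        {"Path": "\\Sent Items", "FolderItems": [
            {"InternetMessageId": "<msg-1@example.com>", "SizeInBytes": 35064},
            {"InternetMessageId": "<msg-2@example.com>", "SizeInBytes": 3684}]},
        {"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<msg-3@example.com>", "SizeInBytes": 45231}]},
    ],
    "OperationCount": 3,
})

def flatten_mail_items_accessed(record_json):
    """One row per message touched, with the record-level context an analyst
    needs before looking each InternetMessageId up via the Graph API."""
    rec = json.loads(record_json)
    if rec.get("Operation") != "MailItemsAccessed":
        raise ValueError("not a MailItemsAccessed record")
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    # Assumption: Client=RESTSystem and UserType 5 (Application in the
    # Management Activity API schema) mark service-side access such as
    # Microsoft's own scanning, not an interactive session by the attacker.
    system_access = ("RESTSystem" in rec.get("ClientInfoString", "")
                     or rec.get("UserType") == 5)
    listed = sum(len(f.get("FolderItems", [])) for f in rec.get("Folders", []))
    # If OperationCount exceeds the items listed, the record was aggregated
    # and not every touched message is enumerated: treat the list as partial.
    complete = rec.get("OperationCount") == listed
    rows = []
    for folder in rec.get("Folders", []):
        for item in folder.get("FolderItems", []):
            rows.append({
                "time": rec.get("CreationTime"), "user": rec.get("UserId"),
                "client_ip": rec.get("ClientIPAddress"),
                "access_type": props.get("MailAccessType"),
                "system_access": system_access, "complete": complete,
                "folder": folder.get("Path"),
                "message_id": item.get("InternetMessageId"),
                "size": item.get("SizeInBytes"),
            })
    return rows
```

Rows flagged with system_access can be separated from interactive access when deciding which IPs are suspicious, and complete=False tells the analyst that the folder list understates what was read.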

18 of 55

Exporting from Purview…


19 of 55

Review each internet message ID

20 of 55

Check email message using “Preview” (within Defender portal)

21 of 55

Time-consuming process

22 of 55

Purview Audit log – IP address

23 of 55

Purview Audit log – IP address

24 of 55

Other Items that may be needed

  • IP addresses used to access the mailbox – could be Azure IP addresses or Microsoft addresses related to Defender for Endpoint, ZAP (zero-hour auto purge) of emails, or scanning mail after the fact
  • Needed a way of viewing this information.
  • Show an image of Purview again with the IP addresses used
  • Show the files accessed in the Purview log
  • Highlight that the search can take 5-20 minutes to run, depending on the timelines
  • Also want to search for mailbox rules added
    • Can do this in Exchange PowerShell, or directly in Sentinel with KQL
  • And any emails sent

25 of 55

26 of 55

Service Principal assigned reader access to Log Analytics Workspace

27 of 55

28 of 55

Details of each email based on internet message ID via Graph API

29 of 55

30 of 55

31 of 55

32 of 55

33 of 55

34 of 55

35 of 55

The Script in Action

36 of 55

Results Exported to Excel

37 of 55

Emails Accessed

38 of 55

Emails Accessed

39 of 55

Emails Accessed (Real World Example)

40 of 55

Files Shared

41 of 55

Files Shared

42 of 55

Files Accessed, previewed or downloaded

43 of 55

Files Accessed, previewed or downloaded

44 of 55

Files Accessed, previewed or downloaded

45 of 55

Mailbox Rules Added

46 of 55

Mailbox Rules Added

47 of 55

Mailbox Rules Added

48 of 55

Emails Sent

49 of 55

Emails Sent

50 of 55

Security Information Registered

51 of 55

What do you need for this to work…

  • An Azure app registration with the following API permissions
  • The service principal for this Azure application must have read permissions on the Log Analytics workspace that stores "Office Activity" and "Audit Log" data (in our environment, this workspace is part of Microsoft Sentinel)
  • A client secret set up in the Azure app
  • An Azure Key Vault to store the client secret

52 of 55

Future plans for script

  • Delegation of mailbox permissions
  • Deleted items from mailbox
  • Power Automate flows created
  • Third-party apps given access to the user account
  • Group membership changes
  • Guest user invitations
  • Device enrollment
  • Custom connectors in Power Platform

53 of 55

Reduce Compromised Accounts… Implement Zero Trust

Verify explicitly: Always authenticate and authorize based on all available data points (user identity, location, device health, etc.) to reduce reliance on easily intercepted credentials.

Use phishing-resistant MFA: Implement FIDO2 or certificate-based authentication to prevent token theft and session hijacking common in AiTM attacks.

Enforce conditional access policies: Block or challenge access based on risk signals (e.g., unfamiliar sign-in, impossible travel, or suspicious IPs).

54 of 55

Speaking of Zero Trust… (Time for a plug)

  • Check out the talk at 3pm in the same room from
  • Richard Dunne (TU Dublin) &
  • Rogerio Palmares (DCU)

55 of 55

Where to find the script…

https://github.com/alanptud/CompromisedAccountInvestigations.git

alan.pike@tudublin.ie