[German]It’s an interesting discovery for administrators. Microsoft Office 365 has an undocumented API that allows administrators to read the activities of Outlook email accounts.
Such data are important if there has been a break-in into e-mail accounts or if further inconsistencies have occurred. Actually, e-mail servers offer such functions by default. However, if Microsoft’s Outlook.com (or Hotmail or Live) mail service is used in Microsoft Office 365, the mail server is located within the clound and will be managed by Microsoft. Access to the activities of an e-mail account is not officially available for administrators.
At stackoverflow.com the question arose in 2015 whether there is an API via which activities of an Outlook mailbox can be queried. There weren’t many answers. But there is a REST API for accessing Outlook.com. But that official API won’t deliver activities of an Outlook e-mail account.
Internally, however, Microsoft must have further possibilities, as the blog article Transform your organization with Microsoft Workplace Analytics by the Office 365 team from July 2017 suggests.
There is an undocumented subset Activities
Security company CrowdStrike has now discovered an interesting function in Office 365 as part of an investigation by a service team into BEC (Business Email Compromise) cases. Apparently, there is an undocumented subset Activties within the REST API that makes it much finer than the Office 365 Unified Audit Log to find out what was done with a mailbox.
- The discovered feature consists of a Web API that uses Exchange Web Services (EWS) to retrieve Office 365 Outlook mailbox activities.
- The API can be accessed by anyone who knows the API endpoint and a specific HTTP header (and can authenticate as an administrator).
- Activities are recorded for all users and kept for up to six months.
- There are many types of activity, including logins, message delivery, message reading and mailbox searching.
- It is possible to enter mailbox activities for specific periods and activity types.
With Microsoft Office 365, however, this function never seems to have been disclosed. CrowdStrike has documented the details within a blog post Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. According to German magazine heise.de, Microsoft has confirmed the existence of this REST api subset.
However, Microsoft advises against using such undocumented features. A Microsoft spokesman said. “The Activities API was built to support service-to-service communication. We can’t guarantee that the data is accurate or complete enough to perform security investigations.”
Also CrowdStrike writes that there are also some disadvantages of the API. Listed is the obvious inability to link activities directly to client sessions. However, the API still provides enough detail to allow rapid identification of attacker activity in most circumstances.
CrowdStrike has published a Python module for the article, which includes the basic functionality of the Activities API. At heise.de you will find some additional information in German in this article.