Listen to this Post

There are many ways to download Exchange Online mailboxes once you have valid credentials, but the Graph Export-Import APIs offer a stealthy alternative that bypasses traditional logging mechanisms.
Why This Method is Sneaky?
- No Unified Audit Log Entries: Unlike native methods (Outlook, IMAP, ActiveSync), this technique doesn’t generate `MailItemsAccessed` events.
- Bypasses Defender/Sentinel Monitoring: Traditional tables like `CloudAppEvents` and `OfficeActivity` won’t log this activity.
- Requires Admin Consent: Needs the `MailboxItem.ImportExport.All` Graph API permission.
You Should Know: Detection & Prevention
1. Detecting Suspicious Graph API Usage
Microsoft Defender for Office 365 (E5 Required)
GraphAPIAuditEvents | extend UserEmail = extract(@"/users/([^/]+)/", 1, RequestUri) | where (RequestUri has "/messages/" and RequestUri endswith "/$value") or (RequestUri has "/mailFolders/" and RequestUri has "/messages?") | where isnotempty(UserEmail)
Microsoft Sentinel (Billable Log Ingestion)
MicrosoftGraphActivityLogs | where Roles has "MailboxItem.ImportExport.All" | extend UserEmail = extract(@"/users/([^/]+)/", 1, RequestUri) | where (RequestUri has "/messages/" and RequestUri endswith "/$value") or (RequestUri has "/mailFolders/" and RequestUri has "/messages?") | where isnotempty(UserEmail)
2. Mitigation Steps
- Restrict API Permissions: Audit and limit `MailboxItem.ImportExport.All` to only necessary admin accounts.
- Enable Advanced Hunting: Ensure Graph API logs are ingested into Sentinel or Defender.
- Monitor Service Principals: Attackers may abuse OAuth apps with excessive permissions.
3. Simulating an Attack (For Testing Detection)
Requires Azure AD App with MailboxItem.ImportExport.All
Connect-MgGraph -Scopes "MailboxItem.ImportExport.All"
$messages = Invoke-MgGraphRequest -Method GET "https://graph.microsoft.com/v1.0/users/{user-id}/messages"
$messages.value | Export-Csv -Path "ExfiltratedMailbox.csv"
What Undercode Say
This technique highlights a critical gap in M365 monitoring—Graph API abuse is often overlooked. Organizations must:
– Shift from reactive audits to proactive threat hunting in Graph logs.
– Monitor behavioral anomalies (e.g., unusual mailbox exports).
– Leverage KQL queries for real-time detection.
Expected Output:
- Suspicious mailbox export activity detected via Graph API logs.
- Alerts triggered for unauthorized `MailboxItem.ImportExport.All` usage.
Prediction:
As Microsoft phases out EWS, attackers will increasingly abuse Graph APIs for stealthy data exfiltration. Organizations without E5 licensing or Graph log monitoring will remain vulnerable.
Resources:
References:
Reported By: Emannon Exfilling – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


