Adversaries may attempt to access local email stores to exfiltrate sensitive communications or gather credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data theft or reconnaissance activities.
KQL Query

```kql
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName,
    InitiatingProcessCommandLine, DeviceId, Timestamp
```
```yaml
id: c3e585d2-f1d0-4789-85a2-cdf7642fdf8b
name: General attempts to access local email store
description: |
  Use this query to find attempts to access files in the local path containing Outlook emails.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Collection
query: |
  DeviceFileEvents
  | where FolderPath hasprefix "EmailStorage"
  | where FolderPath has "Outlook"
  | project FileName, FolderPath, InitiatingProcessFileName,
      InitiatingProcessCommandLine, DeviceId, Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: Scheduled backup of user mailboxes
  - Description: A scheduled job runs to back up user mailboxes to a local directory, which may trigger the rule due to access to the email store path.
  - Filter/Exclusion: Exclude processes associated with backup tools like Veeam Backup & Replication or Microsoft Data Protection Manager (DPM) by checking the process name or command-line arguments.
- Scenario: Administrative task to clean up old emails
  - Description: An admin uses a script or tool to delete or archive old emails from the local email store, which may be flagged as suspicious activity.
  - Filter/Exclusion: Exclude processes initiated by admin accounts with known cleanup scripts, or filter by process names like PowerShell.exe with specific command-line arguments related to email cleanup.
- Scenario: Email client synchronization
  - Description: A user's email client (e.g., Microsoft Outlook or Thunderbird) synchronizes with a local email store, which may trigger the rule during sync operations.
  - Filter/Exclusion: Exclude processes related to email clients by checking the process name or using a filter for known client applications.
- Scenario: Log file analysis or forensic investigation
  - Description: A security analyst or forensic tool accesses the local email store to review logs or investigate an incident, which may be flagged as a potential threat.
  - Filter/Exclusion: Exclude processes associated with forensic tools like EnCase, FTK, or AccessData by checking the process name or user context.
- Scenario: System maintenance or disk cleanup task
  - Description: A system maintenance task or third-party cleanup tool (e.g., CCleaner) accesses the local email store path during a disk scan or cleanup operation.
  - Filter/Exclusion: Exclude processes initiated by system maintenance tools or
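The following is an added example, not part of the original hunting query or the Sentinel content pack, showing how the base query can be tuned with the exclusions the scenarios above describe. Only `OUTLOOK.EXE` and `thunderbird.exe` are real process names; the backup and forensic tool entries and the cleanup script path are placeholders that must be replaced with the process names and paths verified in your own environment. The result is also aggregated per device and initiating process so that a single noisy process does not flood the hunt with one row per file.

```kql
// Added example: base query plus the false-positive exclusions from the scenario list.
// Names in angle brackets are placeholders; replace them with verified values.
let emailClients   = dynamic(["OUTLOOK.EXE", "thunderbird.exe"]);                 // scenario: client synchronization
let backupTools    = dynamic(["<veeam-backup-process>.exe", "<dpm-agent-process>.exe"]); // placeholder names
let forensicTools  = dynamic(["<encase-process>.exe", "<ftk-process>.exe"]);      // placeholder names
let cleanupScript  = @"C:\Scripts\MailboxCleanup.ps1";                            // assumed path of the approved admin script
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
// Email clients are expected to touch their own store.
| where InitiatingProcessFileName !in~ (emailClients)
// Known backup and forensic tooling, matched on process name only.
| where InitiatingProcessFileName !in~ (backupTools)
| where InitiatingProcessFileName !in~ (forensicTools)
// Approved PowerShell cleanup script is excluded; any other PowerShell access stays in scope.
| where not(InitiatingProcessFileName =~ "powershell.exe"
            and InitiatingProcessCommandLine contains cleanupScript)
// One row per device and initiating process, with a sample of the files touched.
| summarize AccessCount = count(),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            SampleFiles = make_set(FileName, 20)
    by DeviceId, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by AccessCount desc
```

Keeping the exclusions as `let` lists at the top makes the tuning reviewable in one place, and matching on `InitiatingProcessFileName` rather than on the command line alone keeps an unexpected process reading the store visible even when it uses a familiar-looking argument string.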