Can you add MailItemsAccessed to Get-OspreyUserEmailActivity.ps1? #61

Open
vzachary opened this issue Feb 7, 2025 · 0 comments

vzachary commented Feb 7, 2025

This tool is great! Thank you for putting it together and sharing. I only have one ask, if it's possible.

During investigations it would be beneficial to have emails that were accessed, not just updated, sent, etc. This helps to assess what data the threat actor obtained to review for notification and/or potential financial, personal, health records, etc.

Under Your goal it mentions "What files and/or emails were accessed".
https://cybercorner.tech/synes-declassified-o365-email-compromise-investigation-guide/

However the end results do not have MailItemsAccessed. Reviewing the code the following note exists:

In Get-OspreyUserEmailActivity.ps1 the description says:

```
.DESCRIPTION
Pulls email-related activity (Update, Delete, Send) for a user from the UAL. Does NOT pull MailItemsAccessed record.
```

Just opening this issue to ask if MailItemsAccessed can be included or optionally included to assist with investigations.

Having this CSV export similar to the update, delete, send with subject, IP, date, etc. would save an enormous amount of time assessing the impact.
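An illustration of the kind of export requested above, added here as an example; it is not part of the issue and not Osprey's code. `ConvertTo-MailItemsAccessedRow` is a hypothetical helper name, the sample record is constructed, and the `AuditData` field names (`OperationProperties`, `Folders`, `FolderItems`, `Item.ParentFolder`) are assumed to match the Exchange MailItemsAccessed record layout.

```powershell
# Added example (not Osprey code). Flattens MailItemsAccessed UAL records to one CSV row per item.
function ConvertTo-MailItemsAccessedRow {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $a = $Record.AuditData | ConvertFrom-Json
        if ($a.Operation -ne 'MailItemsAccessed') { return }

        # OperationProperties is a Name/Value list; index it for lookup.
        $props = @{}
        foreach ($p in @($a.OperationProperties)) { if ($p) { $props[$p.Name] = $p.Value } }

        # Bind records list individual messages under Folders[].FolderItems[].
        # Sync records only name the folder that was synchronised (Item.ParentFolder).
        $items = if ($a.Folders) {
            foreach ($f in $a.Folders) {
                foreach ($i in $f.FolderItems) {
                    @{ Path = $f.Path; MsgId = $i.InternetMessageId; Size = $i.SizeInBytes }
                }
            }
        } else {
            @{ Path = $a.Item.ParentFolder.Path; MsgId = $null; Size = $null }
        }

        foreach ($it in @($items)) {
            [pscustomobject]@{
                CreationTime      = $a.CreationTime
                UserId            = $a.UserId
                ClientIPAddress   = $a.ClientIPAddress
                ClientInfo        = $a.ClientInfoString
                MailAccessType    = $props['MailAccessType']
                IsThrottled       = $props['IsThrottled']   # True means the log is incomplete for this window
                FolderPath        = $it.Path
                InternetMessageId = $it.MsgId               # records carry the message ID, not the subject
                SizeInBytes       = $it.Size
            }
        }
    }
}

# Constructed sample record so the example runs offline.
$sample = [pscustomobject]@{ AuditData = @'
{"CreationTime":"2025-02-01T10:15:00","Operation":"MailItemsAccessed","UserId":"user@example.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=REST","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<constructed-1@example.com>","SizeInBytes":20480},{"InternetMessageId":"<constructed-2@example.com>","SizeInBytes":4096}]}]}
'@ }
$sample | ConvertTo-MailItemsAccessedRow | Export-Csv -Path .\MailItemsAccessed.csv -NoTypeInformation

# Against a tenant, the same helper takes Search-UnifiedAuditLog output ($start, $end, $upn are placeholders):
# Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $upn -Operations MailItemsAccessed -ResultSize 5000 |
#     ConvertTo-MailItemsAccessedRow | Export-Csv .\MailItemsAccessed.csv -NoTypeInformation
```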
