How can we improve compliance or protect your users better in Office 365?

Re-enable the Exchange Online Activities API (Magic Unicorn)

Please re-enable the Exchange Online Activities API that allows for forensic investigation of Business E-mail Compromise incidents.

Business E-mail Compromise is a very serious and active threat for all organizations. By default, Office 365 provides very little auditing capability to investigate this type of incident. Exchange Online mailbox auditing must be proactively enabled by the customer before the breach if they wish to get this level of auditing data.

On June 18, 2018 it was publicly discovered that Microsoft does maintain this audit data even without the customer enabling it. It was available to all Office 365 customers via this API until Microsoft disabled access on July 6, 2018.

Please re-enable access to this API and stop withholding essential audit data from your customers.

References:
https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
https://lmgsecurity.com/rip-office365-magic-unicorn-tool/
https://medium.com/@kylebubp/using-o365-activities-api-for-incident-response-d6fb6e1420e0
https://nullsec.us/office-365s-secret-activities-api/
http://o365blog.com/post/exomailactivity/

198 votes
Trevor shared this idea

0 comments
