The TL;DR up front, because I hate buried leads. Microsoft created an undocumented API that gave incident handlers, forensic teams, and blue teams a tool that they have long wished for and that Microsoft denied having. This API was known to five major forensics firms for some time, and kept a secret so that they could leverage it to gain business. It's now out in the open and gives access to login details, searches, and other minute details.

Update 2 July 2018: Richard Davis over at 13Cubed has created an excellent video on the subject that includes a live walk-though and shows a few examples of the information presented here, please check it out as well: https://www.youtube.com/watch?v=JhM9UteuJKc

Update 5 July 2018: A PowerShell implementation has been created by Nestori Syynimaa that you can find here: http://o365blog.com/post/exomailactivity/. Himself and several other people have reported that the API no longer works, however, as of this morning, it does still seem to work in my tenant. I can only guess that it's being disabled in stages or for certain license tiers.

CrowdStrike broke the story on 18 June 2018, but neither myself, nor anyone else, seemed to notice. A followup story and improvement on their tool by LMG today (27th) seemed to gain more attention. Read their articles for a more technical explanation. What follows is more of a how-to for using the tool.

One surprising fact is that this does seem to work on free outlook.com accounts. However, I'm not positive all of the data is populated. For example, I see search activity, however, I do not see logon details. I'm not certain if this is a product of my testing environment, but others report seeing login details here. All data seems to be populated for an Office 365 tenant.

Edit/Update: I forgot to mention something important here, the permissions. The steps detailed below are enough to get this working on your own account. To view details for another account, check out the CrowdStrike article and ctrl+f for "Shared Mailbox Method" and "Application Permission Method". I've tested this against a delegated mailbox and it worked just file, I'm less certain of exactly how to get the Application Permission Method working.

Step 1 - Get the script

This part is easy

git clone https://github.com/LMGsec/Magic-Unicorn-Tool

Step 2 - Get your API key

Head over to the Outlook Dev Center and in the upper left click "Authorize using your own account". You'll be directed to a login page. At this point, if you want to test against a "live" target, use a free outlook.com account. If you want to actually run this in your environment, log into your O365 organizational account.

You'll be directed to a permissions page which will request, basically, everything. Upon accepting, you'll be returned to the Dev Center and the "Authorization Code" box in step 2 will be populated. Click "Get Tokens" directly below this. The one we want to use is the Access Token. Make sure you grab all of it, this token is nearly 2000 characters long.

Step 3 - Back to the Magic Unicorn script

Back in our terminal, we want to move into Magic-Unicorn-Tool/CrowdStrike-Retriever-Script. Make sure you set executable on the retriever.py and activities.py script. The command below will gather all info for our user and write it to activities.csv up one directory.  

python3 ./retriever.py --output ../activities.csv --user [email protected] --token tEPLS4ZICAEo[truncated]C4De1F0nyCUHSZ1J

You should get the message "Retrieving activities" followed by "Successfully retrieved XX activities" If you get a 4xx error, check out the LMG/CrowdStrike articles above for further troubleshooting.

Step 4 - Parse this output with Magic Unicorn

Move up a directory into Magic-Unicorn-Tool where our activities.csv file went, and our MagicUnicorn_v1.py script is located. Again, set the executable bit and run the following:

python3 ./MagicUnicorn_v1.py -i activities.csv -o ./ -t user_report

You should get a few messages indicating that the reports have been parsed. Note, I've found a bug here. A few messages from Microsoft had the cutsy little emoji symbols in the subject line and the tool broke with the following error:

Traceback (most recent call last):
  File "./MagicUnicorn_v1.py", line 32, in <module>
    in_file = open(args.i, "r",encoding='utf-8')
FileNotFoundError: [Errno 2] No such file or directory: 

If you get this, you may have to manually poke through the csv and remove these, then resave the file.

Step 5 - Winning

You should now have several files populated with tab separated fields detailing attachment activities, read activities by item and time, login details, and search activity. There is a plethora of information here that forensics teams will find invaluable, here's hoping Microsoft doesn't take it away.

I would love to share cool screenshots or snippits with you, but by the time I redact all the information, it's basically one giant blur. Sorry. There are some screenshots in the LMG article. Again, I highly suggest reading this.