
If you are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (business email compromise, BEC), then you know that one of the tasks, beyond understanding how the compromise occurred, which configurations have been tampered with, removing devices and resetting usernames/passwords (and tokens/MFA) etc., is to start to understand the data breach impact.
If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!
What often happens in a mailbox compromise scenario is an IP hunt to separate the good events from the bad (and the unknown/suspected) ones.
Once you have ring-fenced the threat actor's IP address(es), you will then want an idea of what actions have occurred. There are a few macro things to consider here:
SYNC events vs BIND events
If you see SYNC events on the mailbox, you have some good news and some bad news! The good news is that your item-level impact analysis is really fast: it's done. The bad news is that it's 'assume breach of the mailbox': a sync pulls the folder contents down to the client, so every item in the synced folder(s) has to be treated as accessed.
If you see BIND events, you can use message IDs (the InternetMessageId of each item) to see which individual items were accessed (if the mailbox audit configuration is correct etc.).
There's more than one way to go about this, but if you have Microsoft Defender for Endpoint (or Sentinel/XDR) you can give this a go! It's a KQL query to extract every InternetMessageId from the activity logs and then match them back to the emails:
//KQL for BEC (MDE)
// created by mrr3b00t
// use at own risk, there might be a better way for this...
// Step 1: collect every InternetMessageId touched from the threat actor IP
let EmailCloudAppLogs = CloudAppEvents
| where Timestamp > ago(30d)          // Advanced Hunting column; in Sentinel use TimeGenerated
| where IPAddress == "8.8.8.8"        // placeholder: replace with the ring-fenced threat actor IP
| where ActionType == "MailItemsAccessed"
// RawEventData carries the Folders/FolderItems JSON; pull out each "InternetMessageId":"<...>"
| extend MessageIds = extract_all('\\"InternetMessageId\\":\\"(\\<[^>]+>)\\"', tostring(RawEventData))
| mv-expand MessageIds
| extend InternetMessageId = tostring(MessageIds)
| where isnotempty(InternetMessageId)
| distinct InternetMessageId;
// Step 2: Search EmailEvents for matching InternetMessageId
EmailEvents
| where InternetMessageId in (EmailCloudAppLogs)
| project Timestamp, InternetMessageId, Subject, SenderFromAddress, RecipientEmailAddress, ThreatTypes, DeliveryAction, DeliveryLocation
| sort by Timestamp desc
This can be modified to use an array of IPs (swap `IPAddress == "..."` for `IPAddress in ("...", "...")`), but this should get you started! Remember, with this stuff, check three times (at least)! Use multiple methods if you can! You need to be thorough and as accurate as you can be. Remember, during a cyber investigation, details matter!
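As a second method to cross-check the KQL above, here is an added example (not the author's code) that works the same SYNC-vs-BIND triage over an exported Unified Audit Log instead of Advanced Hunting. It assumes the MailItemsAccessed AuditData schema as documented by Microsoft (ClientIPAddress, MailboxOwnerUPN, OperationProperties carrying MailAccessType and IsThrottled, and Folders[].FolderItems[].InternetMessageId); the records, IPs and message IDs below are constructed sample data. It takes a set of threat actor IPs rather than a single one, collects the InternetMessageIds from BIND events, flags synced folders as assume-breach, and surfaces the IsThrottled flag, which means the log is incomplete and item-level analysis cannot be trusted on its own.

```python
import json

# Constructed sample: three MailItemsAccessed records in the shape of the
# Unified Audit Log AuditData JSON (assumed schema, trimmed to the fields used).
SAMPLE_RECORDS = [
    {   # threat actor IP, BIND: individual items opened
        "Operation": "MailItemsAccessed",
        "ClientIPAddress": "203.0.113.10",
        "MailboxOwnerUPN": "alice@example.com",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<invoice-001@vendor.example>"},
            {"InternetMessageId": "<payroll-change@hr.example>"}]}],
    },
    {   # threat actor IP, SYNC: whole folder pulled down, no item list
        "Operation": "MailItemsAccessed",
        "ClientIPAddress": "203.0.113.10",
        "MailboxOwnerUPN": "alice@example.com",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Sent Items", "FolderItems": []}],
    },
    {   # legitimate owner activity from a known-good IP
        "Operation": "MailItemsAccessed",
        "ClientIPAddress": "198.51.100.5",
        "MailboxOwnerUPN": "alice@example.com",
        "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                                {"Name": "IsThrottled", "Value": "False"}],
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<invoice-001@vendor.example>"}]}],
    },
]


def _operation_property(record, name):
    """Look up a named entry in the OperationProperties list (None if absent)."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def triage(records, actor_ips):
    """Split MailItemsAccessed records from the given IPs into BIND item IDs
    and SYNC'd folders. Records may be dicts or raw AuditData JSON strings."""
    actor_ips = set(actor_ips)
    bind_ids = set()
    sync_folders = []
    throttled = False
    for rec in records:
        if isinstance(rec, str):            # AuditData column from a CSV export
            rec = json.loads(rec)
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        if rec.get("ClientIPAddress") not in actor_ips:
            continue
        # IsThrottled=True means Exchange stopped logging some accesses for this
        # mailbox in the period, so the item list below is a lower bound.
        if str(_operation_property(rec, "IsThrottled")).lower() == "true":
            throttled = True
        access_type = _operation_property(rec, "MailAccessType")
        for folder in rec.get("Folders", []):
            if access_type == "Sync":
                # Sync = assume breach of the whole folder; no per-item IDs to chase.
                sync_folders.append((rec.get("MailboxOwnerUPN"), folder.get("Path")))
            else:
                # Bind (or unknown): every listed InternetMessageId was accessed.
                for item in folder.get("FolderItems", []):
                    message_id = item.get("InternetMessageId")
                    if message_id:
                        bind_ids.add(message_id)
    return {
        "bind_message_ids": sorted(bind_ids),
        "sync_folders": sync_folders,
        "assume_breach": bool(sync_folders),
        "throttled": throttled,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS, {"203.0.113.10"})
    print(json.dumps(result, indent=2))
```

Feed `bind_message_ids` into the EmailEvents lookup (or a message trace) exactly as the KQL does, and treat anything in `sync_folders` as fully exposed. If `throttled` comes back true, fall back to mailbox-wide assumptions for that period rather than reporting the item list as complete.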