What are the requirements or ways to find proof of exfiltration of the GAL from a breached account?
I don't think that this level of (audit) logging is available within a standard tenant: https://docs.microsoft.com/en-us/microsoft-365/compliance/mailitemsaccessed-forensics-investigations?view=o365-worldwide
GAL can also be easily scraped using OWA or via Outlook sync (for which EXOL auditing only records a single event). Long story short – I'd assume user names/email as leaked.
Are you using any other MS tools on top?