Secret always-on, mailbox activity recording system, discovered in Office 365

Office 365 allows administrators to read a hidden activity log of email users. The feature is enabled by default. There were rumors the feature would exist but it was secret until now. It allows Office 365 administrators to exactly see what actions an individual user performed in their email account for the last six months.

Secret always-on, mailbox activity recording system, discovered in Office 365

(Table showing several activities that can be monitored)

Although Office 365 administrators can see what the user does, they can’t see the contents of the email messages. All other data is visible through an API that provides the same and more information than what an email administrator would be able to see when running an in-house email server. It’s possible to see which mails the user read, which attachments were opened and the sender of the email. Besides that, it’s also possible to see when a user responded, forwarded or deleted an email.

Because Office 365 is a web based mail client, also certain interactions with the email client can be tracked by the admin, including searches. Normally, email administrator have no access to such extensive data as they aren’t available in regular mail server logs.

The data is available through a so-called API (Application Programming Interface) which allows developers to retrieve data from Office 365 by calling specific URLs with specific parameters, after which the web server responds with the requested data. APIs are common technology and can be easily automated. This makes it possible for developers to create a user interface which shows all actions a user performs from second to second.

The particular API is called ‘Activities API’ and it was secret and undocumented until security company CrowdStrike discovered it when working on a case involving email based attacks. Besides revealing the API exists, the company has also (partly) documented the API and provides the source code for an application that allows developers to retrieve data from the Office 365 API.

Microsoft has confirmed the existence of the API to the German website Heise, but states it can’t guarantee the data retrieved by the API is accurate or complete. The company also advises users to stay away from undocumented features.