By Staff Writer at LMG Security   /   Jan 18th, 2019

The Office 365 Magic Unicorn Tool Lives!

Microsoft just announced that within the next month, they will be resurrecting the Magic Unicorn Tool! OK, they didn’t put it quite like that, but essentially that’s what’s happening. This will have a HUGE impact on industry best practices and costs for handling Office 365 Business Email Compromise cases.


What’s a Magic Unicorn Tool?

In early 2018 the industry was abuzz about a secret Office 365 mailbox auditing tool that we, at LMG, dubbed, “the Magic Unicorn.” Thanks to a video by Anonymous and follow-up research by CrowdStrike, the public was informed of Microsoft’s secret “Activities” API. (Read about how the secret was uncovered in our blog post). LMG quickly created a wrapper script that we called the Magic Unicorn Tool which leverages CrowdStrike’s Python module to parse the data and produce human-readable reports that are useful for business email compromise cases. Unfortunately, Microsoft quickly removed access to this data, rendering the tool inoperative.

We are excited to share that the Microsoft MessageBind function is being reinstated and automatically logged for all levels of users in the Office 365 environment next month. Welcome back Magic Unicorn!


Why is this important?

Prior to the public release of the Magic Unicorn Tool, most victims had no publicly available way to determine the full scope of an Office 365 breach. While the secret utility had been leaked to a few organizations, the vast majority of Office 365 users were out of luck. As a result, many organizations couldn’t “rule out” a data breach and were forced to notify users unnecessarily.

The secret Office 365 mailbox auditing tool offered granular Microsoft log data that nearly made us swoon. We, along with many security groups, have been waiting and hoping that Microsoft would bring back this tool.

Microsoft’s email announcement stated, “To ensure that our customers have access to critical audit data to investigate security incidents in their tenancy when required… [Microsoft] will automatically enable mailbox auditing on all applicable mailboxes to users of the Commercial service.”

“This is a game-changer for all Office 365 users, and for the cybersecurity industry,” stated Sherri Davidoff, founder and CEO of LMG Security. “During the past year, we’ve seen an epidemic of Office 365 email data breaches. Now, administrators will have the tools they need to analyze and scope a suspected breach, and sometimes even be able to rule out a breach. This will save everyone time and money.”


What information will the new tool log?

Microsoft’s announcement indicates the new tool will:

  • Keep a record of all emails that have been read or accessed, including via the Preview pane, or double-clicked on to open externally.
  • Automatically keep logs for all users, not just administrators.
  • Show if the entire mailbox has been downloaded onto a device via sync.
  • Automatically enable mailbox logging.

“I’m really excited that Microsoft brought the tool back and it’s being released as a free component of the audit logging suite,” stated Matt Durrin, LMG cybersecurity consultant and trainer. “There are no additional costs and no additional work to enable the tool. Logging will be enabled by default, with this function completely intact for everyone that uses Office 365.” (** unless you’ve previously opted out of audit logging)

Davidoff added, “I am impressed that Microsoft is leading the charge, and providing corporate customers with convenient access to cutting-edge incident response tools.”

LMG’s forensics team is eagerly anticipating the release of Microsoft’s new forensics tool. Virtual high-five to Microsoft! We will be examining the full functionality of the tool and keeping everyone updated.