NIST SP 800-53 Rev 5: AU-2 / AU-3 / AU-6 / AU-11

Mailbox auditing enabled

Demonstrate that mailbox auditing is enabled for all user mailboxes and configured to capture critical access and modification events with sufficient retention for forensic investigation.

Description

What this control does

Mailbox auditing is a logging capability that records access and modification events for user mailboxes, including mailbox sign-ins, message reads, moves, deletions, and permission changes. When enabled, it generates audit records capturing who accessed what content, when, and from which IP address or client. This control is critical for detecting unauthorized access, insider threats, and account compromise, and for demonstrating compliance with data protection regulations that require email activity monitoring.

Control objective

What auditing this proves

Demonstrate that mailbox auditing is enabled for all user mailboxes and configured to capture critical access and modification events with sufficient retention for forensic investigation.

Associated risks

Risks this control addresses

  • Unauthorized lateral movement by compromised accounts accessing sensitive mailboxes without detection
  • Insider exfiltration of confidential communications through delegate access or mailbox exports going unlogged
  • Account takeover via credential theft where an attacker reads executive or financial mailboxes without leaving an audit trail
  • Privilege escalation where administrative users abuse mailbox permissions without accountability
  • Inability to investigate data breach incidents due to missing evidence of mailbox access patterns
  • Non-compliance with regulatory requirements mandating audit trails for electronic communications (e.g., SEC, HIPAA, GDPR)
  • Failure to detect automated scripting or API abuse systematically accessing multiple mailboxes for reconnaissance

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of active user mailboxes from the email system (Exchange Online, Exchange On-Premises, or equivalent).
  2. Export the mailbox audit configuration settings showing which audit actions are enabled for owner, delegate, and admin access types.
  3. Select a representative sample of at least 25 mailboxes spanning different user roles (executives, standard users, service accounts, shared mailboxes).
  4. Verify for each sampled mailbox that auditing is enabled and not bypassed through exclusion lists or disabled configurations.
  5. Review the configured audit actions to confirm critical events are logged, including MailboxLogin, MessageBind, HardDelete, SoftDelete, SendAs, SendOnBehalf, and UpdateFolderPermissions.
  6. Query the unified audit log or mailbox audit log for sample mailboxes to confirm recent audit records exist and contain required fields (timestamp, user identity, IP address, action type).
  7. Verify audit log retention settings meet organizational and regulatory requirements (typically 90 days minimum, 1 year preferred).
  8. Confirm that audit log access is restricted to authorized security and compliance personnel through role-based access controls and that access itself is logged.

Evidence required

Configuration exports showing mailbox audit settings for all mailboxes, including enabled audit actions and bypass status. Sample audit log queries demonstrating captured events with timestamps, user identities, IP addresses, and action types for representative mailboxes. Screenshots or policy documentation showing audit log retention configuration and role-based access control settings for audit log review.

Pass criteria

All sampled mailboxes have auditing enabled with critical owner, delegate, and admin actions configured for logging; audit records are present in queryable logs with appropriate detail; and retention meets organizational policy requirements of at least 90 days.
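
The testing procedure above, scripted for Exchange Online as an added example (this is not code from the control page or from Microsoft): it inventories mailboxes, checks audit state, bypass associations, configured actions and retention against the pass criteria, and pulls sample audit records with the required fields. It assumes an open Connect-ExchangeOnline session; the required-action lists, the 7-day lookback window and the $OnPremises switch are assumptions to tailor to local policy.

```powershell
# Added example, not part of the control page: automates steps 1-7 and the pass
# criteria for Exchange Online. Assumes an open Connect-ExchangeOnline session with
# a role that can read mailbox and audit configuration. Required-action lists and
# the 7-day lookback window are assumptions to tailor to local policy.
$OnPremises       = $false   # MessageBind is an on-premises-only admin audit action
$MinRetentionDays = 90       # pass criterion stated by the control
$Common           = @('HardDelete','SoftDelete','SendAs','SendOnBehalf','UpdateFolderPermissions')
$RequiredOwner    = @('MailboxLogin') + $Common
$RequiredDelegate = $Common
$RequiredAdmin    = if ($OnPremises) { @('MessageBind') + $Common } else { $Common }

# Tenant-level kill switch: if this is set, per-mailbox settings do not matter.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level (AuditDisabled = True)'
}

# Steps 1-5: inventory every user and shared mailbox and evaluate its audit configuration.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    # A bypass association silences auditing even when AuditEnabled is True (step 4).
    $bypass    = [bool](Get-MailboxAuditBypassAssociation -Identity $mbx.Identity).AuditBypassEnabled
    $retention = ([TimeSpan]"$($mbx.AuditLogAgeLimit)").TotalDays   # e.g. "90.00:00:00"
    $missing   = @(
        foreach ($a in $RequiredOwner)    { if ($mbx.AuditOwner    -notcontains $a) { "Owner:$a" } }
        foreach ($a in $RequiredDelegate) { if ($mbx.AuditDelegate -notcontains $a) { "Delegate:$a" } }
        foreach ($a in $RequiredAdmin)    { if ($mbx.AuditAdmin    -notcontains $a) { "Admin:$a" } }
    )
    [pscustomobject]@{
        Mailbox        = $mbx.UserPrincipalName
        AuditEnabled   = $mbx.AuditEnabled
        Bypassed       = $bypass
        RetentionDays  = [int]$retention
        MissingActions = ($missing -join ', ')
        Pass           = ($mbx.AuditEnabled -and -not $bypass -and $missing.Count -eq 0 -and $retention -ge $MinRetentionDays)
    }
}
$findings | Where-Object { -not $_.Pass } | Format-Table -AutoSize   # exceptions for the evidence pack

# Step 6: for a random sample of up to 25 mailboxes, show that recent audit records exist
# and carry the required fields (timestamp, user identity, client IP, action type).
$sample = $findings | Get-Random -Count ([Math]::Min(25, @($findings).Count))
foreach ($f in $sample) {
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                   -UserIds $f.Mailbox -RecordType ExchangeItem -ResultSize 50
    if (-not $records) { Write-Warning "No mailbox audit records in the last 7 days for $($f.Mailbox)"; continue }
    $records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object -First 3 CreationTime, UserId, ClientIPAddress, Operation, LogonType |
        Format-Table -AutoSize
}
```

Get-MailboxAuditBypassAssociation is called once per mailbox, so the inventory pass is slow on large tenants; a mailbox with no records in the lookback window is not necessarily misconfigured, only unused, and should be checked by hand.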

Where this control is tested

Audit programs including this control