CrowdStrike's blog post explores the investigative potential of an undocumented subset of the Outlook REST API, known as the Activities API, which exposes detailed activity logging for Office 365 Outlook mailboxes. The API records user and system activities such as logons, message deliveries, and mailbox searches, making it a useful source for detecting and responding to business email compromise (BEC). Threat actors typically gain access to these mailboxes through phishing and credential theft, then use that access to divert financial transactions. The article describes how to access the API and apply it to threat detection and incident response, covering techniques such as geographic logon analysis, examination of the search queries an actor ran, and identification of anomalous application types used to access the mailbox. It also discusses enriching API data with message headers to spot DKIM, DMARC, and SPF failures, which can indicate spoofed or malicious mail. CrowdStrike released a Python module for interfacing with the API so that organizations can incorporate this mailbox activity data into their investigations.
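The following is an added example, not code from the CrowdStrike post or its Python module, that applies the three triage techniques the summary names (geographic logon analysis, search query review, unexpected application types) to constructed activity records, and parses an Authentication-Results header (RFC 8601) for the SPF/DKIM/DMARC failures the header-enrichment step looks for. The record field names (`type`, `time`, `ip`, `app`, `query`), the `GEO` lookup table, and the keyword and application allow-lists are all assumptions standing in for whatever the real Activities API and a GeoIP database would return.

```python
"""Added example: BEC triage over constructed mailbox-activity records.

Nothing here reflects the real Activities API schema; field names, the
GEO table and the keyword lists are assumptions for illustration only.
"""
import re
from datetime import datetime

# Constructed sample records (assumed schema, not real API output).
SAMPLE_ACTIVITIES = [
    {"type": "Logon", "time": "2023-05-01T08:00:00Z", "ip": "203.0.113.10", "app": "Outlook"},
    {"type": "Logon", "time": "2023-05-01T08:40:00Z", "ip": "198.51.100.7", "app": "Outlook"},
    {"type": "Search", "time": "2023-05-01T08:42:00Z", "query": "invoice wire transfer"},
    {"type": "Logon", "time": "2023-05-01T09:00:00Z", "ip": "198.51.100.7", "app": "PowerShell"},
    {"type": "Search", "time": "2023-05-01T09:05:00Z", "query": "lunch menu"},
]

# Constructed IP -> country table standing in for a GeoIP lookup (assumption).
GEO = {"203.0.113.10": "US", "198.51.100.7": "NG"}

# Assumed baselines: clients normally seen for this tenant, and search terms
# that commonly precede payment-diversion fraud.
EXPECTED_APPS = {"Outlook", "OWA", "Mobile"}
BEC_TERMS = {"invoice", "wire", "payment", "bank", "transfer"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_results(header):
    """Map each auth method in an Authentication-Results header value to its
    result, using the RFC 8601 'method=result' tokens (e.g. 'spf=fail')."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    return {method.lower(): result.lower() for method, result in pairs}


def auth_failures(header):
    """Return the methods whose result is anything other than 'pass'
    (fail, softfail, none, temperror, ...), sorted for stable output."""
    return sorted(m for m, r in parse_auth_results(header).items() if r != "pass")


def geo_anomalies(activities, window_minutes=60):
    """Flag consecutive logons from different countries within the window."""
    logons = sorted((a for a in activities if a["type"] == "Logon"), key=lambda a: a["time"])
    findings = []
    for prev, cur in zip(logons, logons[1:]):
        c_prev, c_cur = GEO.get(prev["ip"], "??"), GEO.get(cur["ip"], "??")
        gap = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 60
        if c_prev != c_cur and gap <= window_minutes:
            findings.append(f"geo: {c_prev} -> {c_cur} in {gap:.0f} min ({prev['ip']} -> {cur['ip']})")
    return findings


def search_anomalies(activities):
    """Flag mailbox searches containing payment-related keywords."""
    return [f"search: {a['query']!r}" for a in activities
            if a["type"] == "Search" and BEC_TERMS & set(a["query"].lower().split())]


def app_anomalies(activities):
    """Flag logons from application types outside the expected baseline."""
    return [f"app: {a['app']} from {a['ip']}" for a in activities
            if a["type"] == "Logon" and a["app"] not in EXPECTED_APPS]


def triage(activities):
    """Run all three checks and return the combined list of findings."""
    return geo_anomalies(activities) + search_anomalies(activities) + app_anomalies(activities)


if __name__ == "__main__":
    for finding in triage(SAMPLE_ACTIVITIES):
        print(finding)
    # Constructed header value, as it might be copied from a delivered message.
    hdr = ("mx.example.net; spf=fail smtp.mailfrom=attacker.example; "
           "dkim=pass header.d=example.com; dmarc=fail header.from=example.com")
    print("auth failures:", auth_failures(hdr))
```

On the sample data the triage yields three findings: a logon from a second country forty minutes after the first, a search for "invoice wire transfer", and a PowerShell logon outside the expected client set; the header check reports `spf` and `dmarc` failures while `dkim` passed. In practice the window and keyword lists would be tuned per tenant, and the `GEO` lookup replaced with a real GeoIP source.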