O365 Mailbox Read Access Granted to Application

Splunk Security Content

Summary
This detection rule identifies events where an application is granted the 'Mail.Read' permission within an Office 365 environment. The permission lets the application access and read all emails from a user's mailbox, which creates potential for data exfiltration, unauthorized access, and spear-phishing attacks if malicious actors exploit it. The rule relies on O365 audit logs and monitors updates to application permissions recorded in the Azure Active Directory logs. The search uses the O365 management activity to pinpoint permission changes, specifically the assignment of the 'Mail.Read' permission. Organizations must carefully review any application that requests this permission and ensure it complies with security policies, to mitigate the risk of misuse. Implementing the detection requires the Splunk Microsoft Office 365 Add-on for data ingestion.
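The logic described above, as an added Python example that is not Splunk's search: it flags an application update only when Mail.Read appears in the new permission set and was absent from the old one, so edits to apps that already held it stay quiet. The `Operation` value, the record fields, the nested JSON layout and the two Microsoft Graph permission IDs are assumptions to confirm against your own audit data; the events are constructed.

```python
import json

# Microsoft Graph IDs for Mail.Read (assumption: confirm against your tenant).
DELEGATED_ID = "570282fd-fa5c-430d-a7fd-fc8dc98a9dca"
APP_ID = "810c84a8-4a9e-49e6-bf7d-12d183f40d01"
MAIL_READ_IDS = {DELEGATED_ID: "Mail.Read (delegated)", APP_ID: "Mail.Read (application)"}
OTHER_ID = "00000000-0000-0000-0000-000000000001"  # constructed, unrelated permission

def mail_read_ids(value):
    """Mail.Read permission IDs mentioned anywhere in a property value string."""
    text = (value or "").lower()
    return {pid for pid in MAIL_READ_IDS if pid in text}

def newly_granted(event):
    """Mail.Read permissions in NewValue that were not already in OldValue."""
    if event.get("Operation") != "Update application.":
        return []
    added = set()
    for prop in event.get("ModifiedProperties") or []:
        added |= mail_read_ids(prop.get("NewValue")) - mail_read_ids(prop.get("OldValue"))
    return sorted(MAIL_READ_IDS[pid] for pid in added)

def triage(events):
    """(application, actor, permissions) for each event that adds Mail.Read."""
    hits = []
    for ev in events:
        perms = newly_granted(ev)
        if perms:
            hits.append((ev.get("ObjectId"), ev.get("UserId"), perms))
    return hits

def sample_event(operation, app, old_ids, new_ids):
    """Constructed audit record; the nested JSON layout is a simplified assumption."""
    def wrap(ids):
        return json.dumps([{"RequiredAppPermissions": [{"EntitlementId": i} for i in ids]}])
    return {"Operation": operation, "UserId": "admin@example.com", "ObjectId": app,
            "ModifiedProperties": [{"Name": "RequiredResourceAccess",
                                    "OldValue": wrap(old_ids), "NewValue": wrap(new_ids)}]}

SAMPLE_EVENTS = [
    sample_event("Update application.", "app-a", [OTHER_ID], [OTHER_ID, APP_ID]),
    sample_event("Update application.", "app-b", [DELEGATED_ID], [DELEGATED_ID, OTHER_ID]),
    sample_event("Add service principal.", "app-c", [], [APP_ID]),
    sample_event("Update application.", "app-d", [], [DELEGATED_ID, APP_ID.upper()]),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```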
Categories
  • Cloud
  • Azure
Data Sources
  • Web Credential
  • Application Log
ATT&CK Techniques
  • T1098
  • T1114
  • T1114.002
  • T1098.003
Created: 2024-11-14