Microsoft Sentinel Analytic Rules

NRT Multiple users email forwarded to same destination

Id: 3b05727d-a8d1-477d-bbdd-d957da96ac7b
Rulename: NRT Multiple users email forwarded to same destination
Description: Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.
Severity: Medium
Tactics: Collection, Exfiltration
Techniques: T1114, T1020
Required data connectors: Office365
Kind: NRT
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml
Version: 1.0.3
Arm template: 3b05727d-a8d1-477d-bbdd-d957da96ac7b.json
OfficeActivity
| where OfficeWorkload =~ "Exchange"
| where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
| mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
| evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
| extend DestinationMailAddress = tolower(case(
    isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
    isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
    isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
    ""))
| where isnotempty(DestinationMailAddress)
| mv-expand split(DestinationMailAddress, ";")
| extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
| extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
| where DistinctUserCount > 1
| mv-expand UserId to typeof(string)
relevantTechniques:
- T1114
- T1020
name: NRT Multiple users email forwarded to same destination
tactics:
- Collection
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/NRT_Office_MailForwarding.yaml
id: 3b05727d-a8d1-477d-bbdd-d957da96ac7b
requiredDataConnectors:
- dataTypes:
  - OfficeActivity
  connectorId: Office365
kind: NRT
query: |
  OfficeActivity
  | where OfficeWorkload =~ "Exchange"
  | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress")
  | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)))
  | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')
  | extend DestinationMailAddress = tolower(case(
      isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""),
      isnotempty(column_ifexists("RedirectTo", "")), column_ifexists("RedirectTo", ""),
      isnotempty(column_ifexists("ForwardingSmtpAddress", "")), trim_start(@"smtp:", column_ifexists("ForwardingSmtpAddress", "")),
      ""))
  | where isnotempty(DestinationMailAddress)
  | mv-expand split(DestinationMailAddress, ";")
  | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0]
  | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP
  | where DistinctUserCount > 1
  | mv-expand UserId to typeof(string)  
description: |
  'Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination.
  This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.'  
severity: Medium
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Threat Protection
  author:
    name: Pete Bryan
  support:
    tier: Community
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserId
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address