Microsoft Sentinel Analytic Rules

Office Mail Forwarding - Hunting Version

Id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
Rulename: Office Mail Forwarding - Hunting Version
Description: Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.
Tactics: Collection, Exfiltration
Techniques: T1114, T1020
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml
Version: 2.0.1
Arm template: d49fc965-aef3-49f6-89ad-10cc4697eb5b.json
EnrichedMicrosoft365AuditLogs
// Only Exchange Online operations can create mailbox forwarding
| where Workload == "Exchange"
// Mailbox-level forwarding (Set-Mailbox with ForwardingSmtpAddress) or an inbox rule that forwards or redirects mail
| where (Operation == "Set-Mailbox" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress') 
    or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))
| extend parsed = parse_json(tostring(AdditionalProperties))
// Take the forwarding target from whichever property the operation populates
| extend fwdingDestination_initial = iif(Operation == "Set-Mailbox", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))
| where isnotempty(fwdingDestination_initial)
// Set-Mailbox stores the address as "smtp:user@domain"; keep only the part after the colon
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial, ":")[1]), fwdingDestination_initial)
// Domain of the forwarding target and of the acting user
| parse fwdingDestination with * '@' ForwardedtoDomain 
| parse UserId with *'@' UserDomain
// Second-level label of the user's domain, e.g. "contoso" from "mail.contoso.com"
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])
// Drop destinations that still carry the organisation's own label (case-insensitive); note that after this
// filter ForwardedtoDomain can never equal UserDomain, so Result below always reports an external domain
| where ForwardedtoDomain !contains subDomain
| extend Result = iff(ForwardedtoDomain != UserDomain, "Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
// Split ClientIp into address and port for both IPv4 ("a.b.c.d:port") and bracketed IPv6 ("[addr]:port")
| extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))), ClientIp)
| extend Port = case(
                    ClientIp has ".",
                    (split(ClientIp, ":")[1]),
                    ClientIp has "[",
                    tostring(split(ClientIp, "]:")[1]),
                    ClientIp
                )
| project
    TimeGenerated,
    UserId,
    UserDomain,
    subDomain,
    Operation,
    ForwardedtoDomain,
    ClientIPAddress,
    Result,
    Port,
    ObjectId,
    fwdingDestination,
    AdditionalProperties
// Columns consumed by the Account, IP and Host entity mappings of the rule
| extend
    AccountName = tostring(split(UserId, "@")[0]),
    AccountUPNSuffix = tostring(split(UserId, "@")[1])
// OriginatingServer is the Exchange server that logged the change; split it into host and DNS domain
| extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)
| extend HostName = tostring(split(Host, ".")[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend IP_0_Address = ClientIPAddress
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
kind: Scheduled
relevantTechniques:
- T1114
- T1020
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIPAddress
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: Host_0_HostName
    identifier: HostName
  - columnName: Host_0_DnsDomain
    identifier: DnsDomain
tactics:
- Collection
- Exfiltration
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
description-detailed: |
  Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
  victim or victim's organization. This query over Office Activity data highlights cases where user mail is being forwarded and shows if 
  it is being forwarded to external domains as well.  
requiredDataConnectors:
- dataTypes:
  - EnrichedMicrosoft365AuditLogs
  connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml
description: |
    Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.
query: |
  EnrichedMicrosoft365AuditLogs
  | where Workload == "Exchange"
  | where (Operation == "Set-Mailbox" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress') 
      or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))
  | extend parsed = parse_json(tostring(AdditionalProperties))
  | extend fwdingDestination_initial = iif(Operation == "Set-Mailbox", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))
  | where isnotempty(fwdingDestination_initial)
  | extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial, ":")[1]), fwdingDestination_initial)
  | parse fwdingDestination with * '@' ForwardedtoDomain 
  | parse UserId with *'@' UserDomain
  | extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])
  | where ForwardedtoDomain !contains subDomain
  | extend Result = iff(ForwardedtoDomain != UserDomain, "Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
  | extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))), ClientIp)
  | extend Port = case(
                      ClientIp has ".",
                      (split(ClientIp, ":")[1]),
                      ClientIp has "[",
                      tostring(split(ClientIp, "]:")[1]),
                      ClientIp
                  )
  | project
      TimeGenerated,
      UserId,
      UserDomain,
      subDomain,
      Operation,
      ForwardedtoDomain,
      ClientIPAddress,
      Result,
      Port,
      ObjectId,
      fwdingDestination,
      AdditionalProperties
  | extend
      AccountName = tostring(split(UserId, "@")[0]),
      AccountUPNSuffix = tostring(split(UserId, "@")[1])
  | extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)
  | extend HostName = tostring(split(Host, ".")[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
  | extend Account_0_Name = AccountName
  | extend Account_0_UPNSuffix = AccountUPNSuffix
  | extend IP_0_Address = ClientIPAddress
  | extend Host_0_HostName = HostName
  | extend Host_0_DnsDomain = DnsDomain  
name: Office Mail Forwarding - Hunting Version
version: 2.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d49fc965-aef3-49f6-89ad-10cc4697eb5b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d49fc965-aef3-49f6-89ad-10cc4697eb5b')]",
      "properties": {
        "alertRuleTemplateName": "d49fc965-aef3-49f6-89ad-10cc4697eb5b",
        "customDetails": null,
        "description": "Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.\n",
        "description-detailed": "Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on\nvictim or victim's organization. This query over Office Activity data highlights cases where user mail is being forwarded and shows if \nit is being forwarded to external domains as well.\n",
        "displayName": "Office Mail Forwarding - Hunting Version",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Host_0_HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "Host_0_DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml",
        "query": "EnrichedMicrosoft365AuditLogs\n| where Workload == \"Exchange\"\n| where (Operation == \"Set-Mailbox\" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress') \n    or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))\n| extend parsed = parse_json(tostring(AdditionalProperties))\n| extend fwdingDestination_initial = iif(Operation == \"Set-Mailbox\", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))\n| where isnotempty(fwdingDestination_initial)\n| extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial, \":\")[1]), fwdingDestination_initial)\n| parse fwdingDestination with * '@' ForwardedtoDomain \n| parse UserId with *'@' UserDomain\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])\n| where ForwardedtoDomain !contains subDomain\n| extend Result = iff(ForwardedtoDomain != UserDomain, \"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\n| extend ClientIPAddress = case(ClientIp has \".\", tostring(split(ClientIp, \":\")[0]), ClientIp has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIp, \"]\")[0]))), ClientIp)\n| extend Port = case(\n                    ClientIp has \".\",\n                    (split(ClientIp, \":\")[1]),\n                    ClientIp has \"[\",\n                    tostring(split(ClientIp, \"]:\")[1]),\n                    ClientIp\n                )\n| project\n    TimeGenerated,\n    UserId,\n    UserDomain,\n    subDomain,\n    Operation,\n    ForwardedtoDomain,\n    ClientIPAddress,\n    Result,\n    Port,\n    ObjectId,\n    fwdingDestination,\n    AdditionalProperties\n| extend\n    AccountName = tostring(split(UserId, \"@\")[0]),\n    AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n| extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)\n| extend HostName = tostring(split(Host, \".\")[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n| extend Account_0_Name = AccountName\n| extend Account_0_UPNSuffix = AccountUPNSuffix\n| extend IP_0_Address = ClientIPAddress\n| extend Host_0_HostName = HostName\n| extend Host_0_DnsDomain = DnsDomain\n",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "techniques": [
          "T1020",
          "T1114"
        ],
        "templateVersion": "2.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}