Office Mail Forwarding - Hunting Version
| Field | Value |
|---|---|
| Id | d49fc965-aef3-49f6-89ad-10cc4697eb5b |
| Rulename | Office Mail Forwarding - Hunting Version |
| Description | Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains. |
| Tactics | Collection, Exfiltration |
| Techniques | T1114, T1020 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml |
| Version | 2.0.1 |
| Arm template | d49fc965-aef3-49f6-89ad-10cc4697eb5b.json |
```kusto
EnrichedMicrosoft365AuditLogs
| where Workload == "Exchange"
| where (Operation == "Set-Mailbox" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress')
    or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))
| extend parsed = parse_json(tostring(AdditionalProperties))
| extend fwdingDestination_initial = iif(Operation == "Set-Mailbox", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))
| where isnotempty(fwdingDestination_initial)
| extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial, ":")[1]), fwdingDestination_initial)
| parse fwdingDestination with * '@' ForwardedtoDomain
| parse UserId with *'@' UserDomain
| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])
| where ForwardedtoDomain !contains subDomain
| extend Result = iff(ForwardedtoDomain != UserDomain, "Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
| extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))), ClientIp)
| extend Port = case(
    ClientIp has ".",
    (split(ClientIp, ":")[1]),
    ClientIp has "[",
    tostring(split(ClientIp, "]:")[1]),
    ClientIp
    )
| project
    TimeGenerated,
    UserId,
    UserDomain,
    subDomain,
    Operation,
    ForwardedtoDomain,
    ClientIPAddress,
    Result,
    Port,
    ObjectId,
    fwdingDestination,
    AdditionalProperties
| extend
    AccountName = tostring(split(UserId, "@")[0]),
    AccountUPNSuffix = tostring(split(UserId, "@")[1])
| extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)
| extend HostName = tostring(split(Host, ".")[0])
| extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
| extend Account_0_Name = AccountName
| extend Account_0_UPNSuffix = AccountUPNSuffix
| extend IP_0_Address = ClientIPAddress
| extend Host_0_HostName = HostName
| extend Host_0_DnsDomain = DnsDomain
```
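To make the query's classification steps concrete, the following Python is an added re-implementation of them run over constructed audit records; it is not part of the Sentinel rule. The rows, addresses and server names are made up, the `Workload == "Exchange"` filter is assumed to have been applied already, and Python's `in` stands in for KQL's term-based `has`.

```python
import json

# Constructed EnrichedMicrosoft365AuditLogs rows (not real data) holding only the columns the query reads.
SAMPLE_EVENTS = [
    {"Operation": "Set-Mailbox", "UserId": "alice@contoso.com", "ClientIp": "203.0.113.10:51234",
     "AdditionalProperties": '{"ForwardingSmtpAddress": "smtp:mallory@example.net", "OriginatingServer": "EXCH01.contoso.local"}'},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.com", "ClientIp": "[2001:db8::1]:443",
     "AdditionalProperties": '{"RedirectTo": "dropbox@example.org", "OriginatingServer": "EXCH02.contoso.local"}'},
    {"Operation": "Set-InboxRule", "UserId": "carol@contoso.com", "ClientIp": "198.51.100.7:40000",
     "AdditionalProperties": '{"ForwardTo": "carol@mail.contoso.com", "OriginatingServer": "EXCH01.contoso.local"}'},
]

def split_client_ip(client_ip):
    """Mirror the ClientIPAddress and Port case() branches; 'in' stands in for KQL's has."""
    if "." in client_ip:                      # IPv4 "addr:port"
        addr, _, port = client_ip.partition(":")
        return addr, port
    if "[" in client_ip:                      # IPv6 "[addr]:port"
        return client_ip.split("]")[0].lstrip("["), client_ip.partition("]:")[2]
    return client_ip, client_ip               # both case() calls fall back to the raw value

def evaluate(event):
    """Return the row the query would project for one audit event, or None if it is filtered out."""
    props = json.loads(event["AdditionalProperties"])
    if event["Operation"] == "Set-Mailbox":
        dest = props.get("ForwardingSmtpAddress")
    elif event["Operation"] in ("New-InboxRule", "Set-InboxRule"):
        dest = props.get("ForwardTo") or props.get("RedirectTo")   # coalesce()
    else:
        return None
    if not dest:                              # where isnotempty(fwdingDestination_initial)
        return None
    if dest.lower().startswith("smtp:"):      # drop the "smtp:" prefix: split(..., ":")[1]
        dest = dest.split(":")[1]
    fwd_domain = dest.partition("@")[2]       # parse ... with * '@' ForwardedtoDomain
    user_domain = event["UserId"].partition("@")[2]
    labels = user_domain.split(".")
    sub_domain = labels[-2] if len(labels) > 1 else ""   # second-level label, e.g. "contoso"
    if sub_domain.lower() in fwd_domain.lower():          # where ForwardedtoDomain !contains subDomain
        return None
    result = ("Mailbox rule created to forward to External Domain" if fwd_domain != user_domain
              else "Forward rule for Internal domain")
    ip, port = split_client_ip(event["ClientIp"])
    host = props.get("OriginatingServer", "")
    return {"UserId": event["UserId"], "Operation": event["Operation"], "ForwardedtoDomain": fwd_domain,
            "ClientIPAddress": ip, "Port": port, "Result": result,
            "HostName": host.split(".")[0], "DnsDomain": ".".join(host.split(".")[1:])}

def hunt(events):
    return [row for row in map(evaluate, events) if row is not None]
```

Running `hunt(SAMPLE_EVENTS)` returns only the first two rows: the `!contains subDomain` filter discards every destination whose domain contains the tenant's second-level label (here `contoso`), so an intra-tenant forward like the third record never reaches the `Result` step.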
```yaml
kind: Scheduled
relevantTechniques:
  - T1114
  - T1020
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: AccountUPNSuffix
        identifier: UPNSuffix
  - entityType: IP
    fieldMappings:
      - columnName: ClientIPAddress
        identifier: Address
  - entityType: Host
    fieldMappings:
      - columnName: Host_0_HostName
        identifier: HostName
      - columnName: Host_0_DnsDomain
        identifier: DnsDomain
tactics:
  - Collection
  - Exfiltration
id: d49fc965-aef3-49f6-89ad-10cc4697eb5b
description-detailed: |
  Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on
  victim or victim's organization. This query over Office Activity data highlights cases where user mail is being forwarded and shows if
  it is being forwarded to external domains as well.
requiredDataConnectors:
  - dataTypes:
      - EnrichedMicrosoft365AuditLogs
    connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml
description: |
  Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.
query: |
  EnrichedMicrosoft365AuditLogs
  | where Workload == "Exchange"
  | where (Operation == "Set-Mailbox" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress')
      or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))
  | extend parsed = parse_json(tostring(AdditionalProperties))
  | extend fwdingDestination_initial = iif(Operation == "Set-Mailbox", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))
  | where isnotempty(fwdingDestination_initial)
  | extend fwdingDestination = iff(fwdingDestination_initial has "smtp", (split(fwdingDestination_initial, ":")[1]), fwdingDestination_initial)
  | parse fwdingDestination with * '@' ForwardedtoDomain
  | parse UserId with *'@' UserDomain
  | extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])
  | where ForwardedtoDomain !contains subDomain
  | extend Result = iff(ForwardedtoDomain != UserDomain, "Mailbox rule created to forward to External Domain", "Forward rule for Internal domain")
  | extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]', tostring(split(ClientIp, "]")[0]))), ClientIp)
  | extend Port = case(
      ClientIp has ".",
      (split(ClientIp, ":")[1]),
      ClientIp has "[",
      tostring(split(ClientIp, "]:")[1]),
      ClientIp
      )
  | project
      TimeGenerated,
      UserId,
      UserDomain,
      subDomain,
      Operation,
      ForwardedtoDomain,
      ClientIPAddress,
      Result,
      Port,
      ObjectId,
      fwdingDestination,
      AdditionalProperties
  | extend
      AccountName = tostring(split(UserId, "@")[0]),
      AccountUPNSuffix = tostring(split(UserId, "@")[1])
  | extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)
  | extend HostName = tostring(split(Host, ".")[0])
  | extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))
  | extend Account_0_Name = AccountName
  | extend Account_0_UPNSuffix = AccountUPNSuffix
  | extend IP_0_Address = ClientIPAddress
  | extend Host_0_HostName = HostName
  | extend Host_0_DnsDomain = DnsDomain
name: Office Mail Forwarding - Hunting Version
version: 2.0.1
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d49fc965-aef3-49f6-89ad-10cc4697eb5b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d49fc965-aef3-49f6-89ad-10cc4697eb5b')]",
      "properties": {
        "alertRuleTemplateName": "d49fc965-aef3-49f6-89ad-10cc4697eb5b",
        "customDetails": null,
        "description": "Adversaries often abuse email-forwarding rules to monitor victim activities, steal information, and gain intelligence on the victim or their organization. This query highlights cases where user mail is being forwarded, including to external domains.\n",
        "description-detailed": "Adversaries often abuse email-forwarding rules to monitor activities of a victim, steal information and further gain intelligence on\nvictim or victim's organization. This query over Office Activity data highlights cases where user mail is being forwarded and shows if \nit is being forwarded to external domains as well.\n",
        "displayName": "Office Mail Forwarding - Hunting Version",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Host_0_HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "Host_0_DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/OfficeMailForwarding_hunting.yaml",
        "query": "EnrichedMicrosoft365AuditLogs\n| where Workload == \"Exchange\"\n| where (Operation == \"Set-Mailbox\" and tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardingSmtpAddress') \n or (Operation in ('New-InboxRule', 'Set-InboxRule') and (tostring(parse_json(tostring(AdditionalProperties))) contains 'ForwardTo' or tostring(parse_json(tostring(AdditionalProperties))) contains 'RedirectTo'))\n| extend parsed = parse_json(tostring(AdditionalProperties))\n| extend fwdingDestination_initial = iif(Operation == \"Set-Mailbox\", tostring(parsed.ForwardingSmtpAddress), coalesce(tostring(parsed.ForwardTo), tostring(parsed.RedirectTo)))\n| where isnotempty(fwdingDestination_initial)\n| extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial, \":\")[1]), fwdingDestination_initial)\n| parse fwdingDestination with * '@' ForwardedtoDomain \n| parse UserId with *'@' UserDomain\n| extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]), '.', tostring(split(UserDomain, '.')[-1])), '.'))[0])\n| where ForwardedtoDomain !contains subDomain\n| extend Result = iff(ForwardedtoDomain != UserDomain, \"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\n| extend ClientIPAddress = case(ClientIp has \".\", tostring(split(ClientIp, \":\")[0]), ClientIp has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIp, \"]\")[0]))), ClientIp)\n| extend Port = case(\n ClientIp has \".\",\n (split(ClientIp, \":\")[1]),\n ClientIp has \"[\",\n tostring(split(ClientIp, \"]:\")[1]),\n ClientIp\n )\n| project\n TimeGenerated,\n UserId,\n UserDomain,\n subDomain,\n Operation,\n ForwardedtoDomain,\n ClientIPAddress,\n Result,\n Port,\n ObjectId,\n fwdingDestination,\n AdditionalProperties\n| extend\n AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n| extend Host = tostring(parse_json(tostring(AdditionalProperties)).OriginatingServer)\n| extend HostName = tostring(split(Host, \".\")[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n| extend Account_0_Name = AccountName\n| extend Account_0_UPNSuffix = AccountUPNSuffix\n| extend IP_0_Address = ClientIPAddress\n| extend Host_0_HostName = HostName\n| extend Host_0_DnsDomain = DnsDomain\n",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "techniques": [
          "T1020",
          "T1114"
        ],
        "templateVersion": "2.0.1"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}
```