Query Details

Mail Items Accessed Defense

Query

// MailItemsAccessed Defense
// https://www.linkedin.com/posts/0x534c_microsoft365-exchangeonline-defenderxdr-activity-7183335339061620738-ztfq/

// Simple & effective custom DefenderXDR hourly rule to detect threat actors accessing Exchange mailboxes via MailItemsAccessed log entry and marked user as compromised.

CloudAppEvents
| where Timestamp > ago(1h)
| where IPTags has_any ("Brute force attacker",
"Password spray attacker", "Malicious", "Tor")
| where ActionType == "MailItemsAccessed"


// MITRE ATT&CK Mapping

// Your KQL query is effectively filtering for events that could indicate various forms of credential access and email collection attacks, which are mapped to the following MITRE ATT&CK techniques:

// T1110 - Brute Force
// T1110.003 - Password Spraying
// T1078 - Valid Accounts
// T1071 - Application Layer Protocol
// T1090.003 - Proxy: Multi-hop Proxy
// T1114 - Email Collection

Explanation

This query is designed to detect potential security threats by monitoring access to Exchange mailboxes. It focuses on identifying suspicious activities by filtering cloud application events that occurred within the last hour. Specifically, it looks for events where the IP address is associated with known malicious activities, such as brute force attacks, password spraying, or use of the Tor network. The query targets events where the action type is "MailItemsAccessed," which indicates that someone accessed email items in a mailbox.

The query also maps these activities to specific MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats. The techniques include:

  • T1110: Brute Force attacks
  • T1110.003: Password Spraying
  • T1078: Use of Valid Accounts
  • T1071: Use of Application Layer Protocols
  • T1090.003: Use of Multi-hop Proxies
  • T1114: Email Collection

In summary, this query helps identify potential unauthorized access to email accounts by filtering for specific malicious activities and mapping them to known cyber attack techniques.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEvents

Keywords

CloudAppEventsTimestampIPTagsActionTypeMailItemsAccessed

Operators

agohas_anywhere==

Actions

GitHub