Query Details

14 DNS MX Payload Staging

Query

id: a1b2c3d4-0014-4a5b-8c9d-dns014mxtunnel
name: DNS MX Record Abuse for Payload Staging
description: |
  Detects MX record abuse for DNS payload staging. The Octoberfest7 technique
  encodes payloads as hex and stores them across many MX records, using the
  MX preference value (10, 20, 30...) to maintain ordering during reassembly.
  Key indicators:
  - High-volume MX queries from non-mail-server hosts
  - MX queries for the same domain with numeric subdomain prefixes (1.domain, 2.domain...)
  - Client is not a known mail relay or exchange server
  This technique was developed to evade MDE TXT-record detection by switching
  to MX records, which are not traditionally monitored for tunneling.
  Ref: Octoberfest7/DNS_Tunneling — "Off the beaten path" section
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1071.004
  - T1132
tags:
  - MX tunneling
  - DNS payload staging
  - Octoberfest7
  - LOLBin
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  | where DnsQueryTypeName =~ "MX" or DnsQueryType == 15
  | extend BaseDomain = strcat(
        tostring(split(DnsQuery, ".")[-2]), ".",
        tostring(split(DnsQuery, ".")[-1])
      )
  | extend SubdomainPrefix = tostring(split(DnsQuery, ".")[0])
  | extend HasNumericPrefix = SubdomainPrefix matches regex @"^\d+$"
  | summarize
      MxQueryCount    = count(),
      NumericPrefixed = countif(HasNumericPrefix),
      UniquePrefixes  = dcount(SubdomainPrefix),
      SampleDomains   = make_set(DnsQuery, 15),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated)
    by SrcIpAddr, SrcHostname, BaseDomain
  | where MxQueryCount > 10 and NumericPrefixed > 3
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: BaseDomain
alertDetailsOverride:
  alertDisplayNameFormat: "MX Tunnel — {{SrcHostname}} queried {{MxQueryCount}} MX records for {{BaseDomain}}"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) sent {{MxQueryCount}} MX queries for {{BaseDomain}}, with {{NumericPrefixed}} numerically-prefixed subdomains. This matches the Octoberfest7 MX-based payload staging technique."
customDetails:
  BaseDomain: BaseDomain
  MxQueryCount: MxQueryCount
  NumericPrefixed: NumericPrefixed

Explanation

This query is designed to detect suspicious use of DNS MX (Mail Exchange) records, where the records are abused to hide data transfers. Here's a simple breakdown:

  • Purpose: The query looks for signs of abuse where MX records are used to stage payloads. This technique, published in the Octoberfest7 DNS_Tunneling repository, encodes data as hexadecimal and spreads it across multiple MX records; the MX preference values (like 10, 20, 30) give the chunks their order for reassembly.
  • Indicators of Suspicion:
    • A high number of MX queries from devices that are not mail servers.
    • MX queries for the same domain that have numeric prefixes (e.g., 1.domain, 2.domain).
    • The querying client is not a known mail relay or exchange server.
  • Query Details:
    • It checks DNS activity logs for MX queries in the last hour.
    • It identifies the base domain (the last two labels of the queried name) and checks whether the first label is purely numeric.
    • It counts, per source host and base domain, the number of MX queries and those with numeric prefixes.
    • It flags cases where there are more than 10 MX queries and more than 3 with numeric prefixes.
    • The query itself does not exclude known mail relays or exchange servers; that third indicator has to be applied through tuning or an allow-list of mail hosts.
  • Severity and Tactics: The severity is marked as high, and it relates to tactics like Command and Control and Exfiltration.
  • Alert Details: If suspicious activity is detected, an alert is generated with details about the source host, IP address, and domain involved.

This query is part of a security measure to detect and alert on potential data exfiltration attempts using DNS MX records, which are typically not monitored for such activities.
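The detection logic above, re-implemented in Python over constructed sample log records so it can be run offline. This is an added example, not part of the rule or the Octoberfest7 project; the `known_mail_hosts` allow-list and the `_rec` helper are assumptions, since the KQL itself has no mail-relay exclusion.

```python
import re
from collections import defaultdict

NUMERIC_PREFIX = re.compile(r"^\d+$")  # same regex the KQL uses for HasNumericPrefix

def base_domain(fqdn):
    """Last two labels, exactly as the KQL's split()[-2] and [-1] do.
    This also reproduces its limitation: 'x.example.co.uk' collapses to 'co.uk'."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])

def detect_mx_staging(records, known_mail_hosts=(), min_queries=10, min_numeric=3):
    """Re-implements the rule's extend / summarize / where steps over
    ASimDnsActivityLogs-like dicts. known_mail_hosts is a hypothetical
    allow-list of mail relays; the KQL itself has no such exclusion."""
    groups = defaultdict(lambda: {"count": 0, "numeric": 0, "prefixes": set()})
    for r in records:
        is_mx = r.get("DnsQueryTypeName", "").lower() == "mx" or r.get("DnsQueryType") == 15
        if not is_mx or r.get("SrcHostname") in known_mail_hosts:
            continue
        prefix = r["DnsQuery"].split(".")[0]
        g = groups[(r["SrcIpAddr"], r["SrcHostname"], base_domain(r["DnsQuery"]))]
        g["count"] += 1
        g["numeric"] += 1 if NUMERIC_PREFIX.match(prefix) else 0
        g["prefixes"].add(prefix)
    return [
        {"SrcIpAddr": ip, "SrcHostname": host, "BaseDomain": dom,
         "MxQueryCount": g["count"], "NumericPrefixed": g["numeric"],
         "UniquePrefixes": len(g["prefixes"])}
        for (ip, host, dom), g in groups.items()
        if g["count"] > min_queries and g["numeric"] > min_numeric
    ]

def _rec(ip, host, qname, qtype="MX"):
    return {"SrcIpAddr": ip, "SrcHostname": host, "DnsQueryTypeName": qtype, "DnsQuery": qname}

# Constructed sample records (not real telemetry): a workstation walking labels 1..12
# under one domain (the staging pattern), its A lookups that the rule must ignore, and
# a mail relay resolving MX for twelve distinct recipient domains (each its own BaseDomain).
SAMPLE_LOGS = (
    [_rec("10.0.0.15", "WS-FINANCE-07", f"{i}.stage.example") for i in range(1, 13)]
    + [_rec("10.0.0.15", "WS-FINANCE-07", f"{i}.stage.example", "A") for i in range(1, 6)]
    + [_rec("10.0.0.25", "MAILRELAY-01", f"partner{i}.example") for i in range(1, 13)]
)

if __name__ == "__main__":
    for hit in detect_mx_staging(SAMPLE_LOGS):
        print(f"{hit['SrcHostname']} ({hit['SrcIpAddr']}) sent {hit['MxQueryCount']} MX "
              f"queries for {hit['BaseDomain']}, {hit['NumericPrefixed']} numerically prefixed")
```

Running it flags only the workstation group; swap in your own exported ASimDnsActivityLogs rows (as dicts) to sanity-check the thresholds before deploying the rule.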

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns, Mx, Domain, Host, IpAddress

Operators

ASimDnsActivityLogs, where, ago, =~, or, ==, extend, strcat, tostring, split, matches regex, summarize, count, countif, dcount, make_set, min, max, by, >