DNS MX Record Abuse for Payload Staging
14 DNS MX Payload Staging
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName =~ "MX" or DnsQueryType == 15
| extend BaseDomain = strcat(
tostring(split(DnsQuery, ".")[-2]), ".",
tostring(split(DnsQuery, ".")[-1])
)
| extend SubdomainPrefix = tostring(split(DnsQuery, ".")[0])
| extend HasNumericPrefix = SubdomainPrefix matches regex @"^\d+$"
| summarize
MxQueryCount = count(),
NumericPrefixed = countif(HasNumericPrefix),
UniquePrefixes = dcount(SubdomainPrefix),
SampleDomains = make_set(DnsQuery, 15),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostname, BaseDomain
| where MxQueryCount > 10 and NumericPrefixed > 3Explanation
This query is designed to detect suspicious activity related to DNS MX (Mail Exchange) records, which are being used in an unusual way to hide data transfers. Here's a simple breakdown:
-
Purpose: The query looks for signs of abuse where MX records are used to stage payloads. This is a technique called "Octoberfest7," where data is encoded in hexadecimal and spread across multiple MX records. The MX preference values (like 10, 20, 30) help in reassembling the data in the correct order.
-
Indicators of Suspicion:
- A high number of MX queries from devices that are not mail servers.
- MX queries for the same domain that have numeric prefixes (e.g., 1.domain, 2.domain).
- The querying client is not a known mail relay or exchange server.
-
Query Details:
- It checks DNS activity logs for MX queries in the last hour.
- It identifies the base domain and checks if the subdomain has a numeric prefix.
- It counts the number of MX queries and those with numeric prefixes.
- It flags cases where there are more than 10 MX queries and more than 3 with numeric prefixes.
-
Severity and Tactics: The severity is marked as high, and it relates to tactics like Command and Control and Exfiltration.
-
Alert Details: If suspicious activity is detected, an alert is generated with details about the source host, IP address, and domain involved.
This query is part of a security measure to detect and alert on potential data exfiltration attempts using DNS MX records, which are typically not monitored for such activities.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h