Query Details

DNS MX Record Abuse for Payload Staging

14 DNS MX Payload Staging

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| where DnsQueryTypeName =~ "MX" or DnsQueryType == 15
| extend BaseDomain = strcat(
      tostring(split(DnsQuery, ".")[-2]), ".",
      tostring(split(DnsQuery, ".")[-1])
    )
| extend SubdomainPrefix = tostring(split(DnsQuery, ".")[0])
| extend HasNumericPrefix = SubdomainPrefix matches regex @"^\d+$"
| summarize
    MxQueryCount    = count(),
    NumericPrefixed = countif(HasNumericPrefix),
    UniquePrefixes  = dcount(SubdomainPrefix),
    SampleDomains   = make_set(DnsQuery, 15),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by SrcIpAddr, SrcHostname, BaseDomain
| where MxQueryCount > 10 and NumericPrefixed > 3

Explanation

This query is designed to detect suspicious activity related to DNS MX (Mail Exchange) records, which are being used in an unusual way to hide data transfers. Here's a simple breakdown:

  • Purpose: The query looks for signs of abuse where MX records are used to stage payloads. This is a technique called "Octoberfest7," where data is encoded in hexadecimal and spread across multiple MX records. The MX preference values (like 10, 20, 30) help in reassembling the data in the correct order.

  • Indicators of Suspicion:

    • A high number of MX queries from devices that are not mail servers.
    • MX queries for the same domain that have numeric prefixes (e.g., 1.domain, 2.domain).
    • The querying client is not a known mail relay or exchange server.
  • Query Details:

    • It checks DNS activity logs for MX queries in the last hour.
    • It identifies the base domain and checks if the subdomain has a numeric prefix.
    • It counts the number of MX queries and those with numeric prefixes.
    • It flags cases where there are more than 10 MX queries and more than 3 with numeric prefixes.
  • Severity and Tactics: The severity is marked as high, and it relates to tactics like Command and Control and Exfiltration.

  • Alert Details: If suspicious activity is detected, an alert is generated with details about the source host, IP address, and domain involved.

This query is part of a security measure to detect and alert on potential data exfiltration attempts using DNS MX records, which are typically not monitored for such activities.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsMxDomainHostIpAddress

Operators

ASimDnsActivityLogswhereago=~or==extendstrcattostringsplitmatches regexsummarizecountcountifdcountmake_setminmaxby>

Severity

High

Tactics

CommandAndControlExfiltration

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub