Query Details

CVE-2025-32705 Out-of-Bounds Read Detection

Query

// CVE-2025-32705 Out-of-bounds Read Detection

// Stage 1: file names of inbound attachments delivered (not blocked) in the last hour
let InboundMailAttachment =
    EmailAttachmentInfo
    | where Timestamp > ago(1h)
    | join EmailEvents on NetworkMessageId
    | where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
    | distinct FileName;
// Stage 2: devices that Defender Vulnerability Management reports as affected by the CVE
let VulnerableEP =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-32705"
    | distinct DeviceName;
// Stage 3: vulnerable devices where Outlook wrote one of those attachments to disk
// (Outlook creates the file when the attachment is opened or previewed)
let MailAttachmentOpen =
    DeviceFileEvents
    | where Timestamp > ago(1h)
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName == "outlook.exe"
    | where FileName has_any(InboundMailAttachment) and DeviceName has_any(VulnerableEP)
    | distinct DeviceName;
// Stage 4: process-memory reads on those devices. ReadProcessMemoryApiCall is also
// produced by legitimate tooling, so each hit is a lead for triage, not a confirmed exploit.
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "ReadProcessMemoryApiCall"
| where DeviceName has_any(MailAttachmentOpen)

Explanation

This query is designed to detect potential security incidents related to the CVE-2025-32705 vulnerability, which involves out-of-bounds read operations. Here is a simplified breakdown of what the query does:

  1. Identify inbound email attachments:
    • It looks at email attachments received in the last hour whose delivery was not blocked and collects the distinct file names of those attachments.
  2. Identify vulnerable devices:
    • It checks which devices are reported as affected by CVE-2025-32705 and compiles a list of those vulnerable devices.
  3. Track attachment open events:
    • It monitors file creation events in the last hour initiated by Outlook (Outlook writes an attachment to disk when it is opened or previewed). It keeps only events where the written file name matches one of the inbound attachments and the device is on the vulnerable list, and compiles the distinct devices that meet both conditions.
  4. Detect suspicious memory read operations:
    • Finally, it looks for "ReadProcessMemoryApiCall" events within the last hour on the devices identified in the previous step. Such events can indicate process-memory inspection, although legitimate software generates them as well.

In summary, the query tracks the sequence in which a potentially malicious email attachment is opened on a vulnerable device and is followed by process-memory read operations on that device, which could indicate an attempt to exploit CVE-2025-32705.
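The published query reduces each stage to a distinct list of device names, so the final result no longer carries which attachment was written, when, or which process performed the memory read. The following variant is an added example, not part of Steven Lim's query, that keeps the four stages as joined rows, requires the memory read to occur within a bounded window after the attachment write, and projects the fields an analyst needs for triage. It assumes a 10-minute window (the `window` value) and that the `SHA256` column of DeviceFileEvents is populated for the written attachment; where it is empty, the join condition can be changed back to the file-name match used above.

```kql
// Added example: row-level correlation for CVE-2025-32705 with a time window and triage fields.
let lookback = 1h;
let window = 10m;  // assumption: a memory read this long after the attachment write still counts
// Stage 1: inbound, delivered attachments with their hash and message context
let InboundAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | join kind=inner (
        EmailEvents
        | where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
        | project NetworkMessageId, SenderFromAddress, Subject
      ) on NetworkMessageId
    | project AttachmentName = FileName, AttachmentSHA256 = SHA256, SenderFromAddress, Subject;
// Stage 2: devices reported as affected by the CVE
let VulnerableDevices =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2025-32705"
    | distinct DeviceName;
// Stage 3: Outlook writing one of those attachments to disk on a vulnerable device,
// matched on the file hash rather than the file name
let AttachmentWrites =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName =~ "outlook.exe"
    | where DeviceName in (VulnerableDevices)
    | join kind=inner InboundAttachments on $left.SHA256 == $right.AttachmentSHA256
    | project WriteTime = Timestamp, DeviceName, AttachmentPath = FolderPath,
              AttachmentName, SenderFromAddress, Subject;
// Stage 4: memory reads on the same device inside the window after the write.
// ReadProcessMemoryApiCall is common for legitimate tooling, so the reader process
// and command line are kept so the analyst can rule those out quickly.
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ReadProcessMemoryApiCall"
| join kind=inner AttachmentWrites on DeviceName
| where Timestamp between (WriteTime .. (WriteTime + window))
| project ReadTime = Timestamp, DeviceName, WriteTime, AttachmentName, AttachmentPath,
          SenderFromAddress, Subject,
          ReaderProcess = InitiatingProcessFileName,
          ReaderCommandLine = InitiatingProcessCommandLine,
          ReportId
| order by ReadTime desc
```

The window keeps a memory read from a tool that happened to run an hour later on the same device from being tied to the attachment, and the hash match avoids false pairings when an unrelated file shares a common attachment name such as "invoice.pdf". Widen `window` if the environment shows delayed reporting from endpoints.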

Details


Steven Lim

Released: May 22, 2025

Tables

EmailAttachmentInfo, EmailEvents, DeviceTvmSoftwareVulnerabilities, DeviceFileEvents, DeviceEvents


Operators

let, |, where, >, ago(), join, on, ==, !=, distinct, has_any()
