Query Details

DCA Suspicious Mailbox Rule Created

Query

//Use the Defender for Cloud Apps logs to detect when an inbox rule is created whose name consists only of special characters, e.g. '..' or '.....'; this is a common threat actor TTP

//Data connector required for this query - M365 Defender - CloudAppEvents

//Microsoft Sentinel query
CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "New-InboxRule"
| mv-apply p=todynamic(ActivityObjects) on 
(
where p.Name == "Name"
| extend RuleName=p.Value
)
| where isnotempty(RuleName)
| where RuleName matches regex @"^[^a-zA-Z0-9]*$"
| extend AccountUpn=tostring(RawEventData.UserId)
| extend SessionId=tostring(RawEventData.SessionId)
| project TimeGenerated, Application, ActionType, AccountUpn, RuleName, SessionId, IPAddress

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "New-InboxRule"
| mv-apply p=todynamic(ActivityObjects) on 
(
where p.Name == "Name"
| extend RuleName=p.Value
)
| where isnotempty(RuleName)
| where RuleName matches regex @"^[^a-zA-Z0-9]*$"
| extend AccountUpn=tostring(RawEventData.UserId)
| extend SessionId=tostring(RawEventData.SessionId)
| project Timestamp, Application, ActionType, AccountUpn, RuleName, SessionId, IPAddress

Explanation

This query detects the creation of an inbox rule whose name consists only of special characters, such as '..' or '.....', a naming pattern commonly used by threat actors to hide rules from the mailbox owner. It reads the CloudAppEvents table, which is populated by the Defender for Cloud Apps data connector in Microsoft Sentinel or available directly in Advanced Hunting. The query filters for the Microsoft Exchange Online application and the "New-InboxRule" action type, extracts the rule name from the ActivityObjects array, and keeps only names that are non-empty and contain no letters or digits (the regex ^[^a-zA-Z0-9]*$ also matches an empty string, which is why the isnotempty check precedes it). The results are projected with the account UPN, session ID, IP address, and timestamp (TimeGenerated in Sentinel, Timestamp in Advanced Hunting) for further analysis.
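The same filter and extraction logic as the query above, applied to constructed CloudAppEvents-shaped records so the behaviour can be checked offline. This is an added example, not part of the original page or the author's query; the sample rows, user names and IP addresses are made up.

```python
import re

# Equivalent of the KQL predicate RuleName matches regex @"^[^a-zA-Z0-9]*$":
# the name contains no letters or digits at all. fullmatch mirrors RE2's ^...$
# (Python's "$" would also accept a trailing newline). Note that the pattern
# also matches "", which is why the query applies isnotempty() first.
SPECIAL_ONLY = re.compile(r"[^a-zA-Z0-9]*")

# Constructed sample rows in the shape of CloudAppEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-03-22T10:01:00Z", "Application": "Microsoft Exchange Online",
     "ActionType": "New-InboxRule", "IPAddress": "203.0.113.10",
     "ActivityObjects": [{"Name": "Name", "Value": ".."}],
     "RawEventData": {"UserId": "alice@example.com", "SessionId": "sess-1"}},
    {"Timestamp": "2023-03-22T10:02:00Z", "Application": "Microsoft Exchange Online",
     "ActionType": "New-InboxRule", "IPAddress": "203.0.113.11",
     "ActivityObjects": [{"Name": "Name", "Value": "Receipts"}],
     "RawEventData": {"UserId": "bob@example.com", "SessionId": "sess-2"}},
    {"Timestamp": "2023-03-22T10:03:00Z", "Application": "Microsoft Exchange Online",
     "ActionType": "Set-InboxRule", "IPAddress": "203.0.113.12",
     "ActivityObjects": [{"Name": "Name", "Value": "....."}],
     "RawEventData": {"UserId": "carol@example.com", "SessionId": "sess-3"}},
]


def rule_name(event):
    """mv-apply equivalent: the Value of the ActivityObjects entry whose Name is 'Name'."""
    for obj in event.get("ActivityObjects", []):
        if obj.get("Name") == "Name":
            return str(obj.get("Value", ""))
    return ""


def suspicious_inbox_rules(events):
    """Apply the query's filters and project the same fields it returns."""
    hits = []
    for e in events:
        if e.get("Application") != "Microsoft Exchange Online":
            continue
        if e.get("ActionType") != "New-InboxRule":   # Set-InboxRule is out of scope
            continue
        name = rule_name(e)
        if not name or not SPECIAL_ONLY.fullmatch(name):  # isnotempty + regex
            continue
        raw = e.get("RawEventData", {})
        hits.append({"Timestamp": e.get("Timestamp"), "AccountUpn": raw.get("UserId"),
                     "RuleName": name, "SessionId": raw.get("SessionId"),
                     "IPAddress": e.get("IPAddress")})
    return hits
```

Only the first sample row is returned: "Receipts" contains letters, and the "....." name belongs to a Set-InboxRule event, which the query deliberately does not cover.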

Details

Matt Zorich

Released: March 22, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents,MicrosoftExchangeOnline,New-InboxRule,Name,RuleName,RawEventData,UserId,SessionId,TimeGenerated,IPAddress,Timestamp

Operators

where, ==, mv-apply, on, extend, isnotempty, matches regex, tostring, project