Query Details

Detection Of OOF Message Delivered Externally

Query

**Detection of OOF message delivered externally**

The following query is meant to raise awareness of what OOF (Out of Office) auto-reply messages disclose, since they often contain sensitive information such as:

- The period during which a user is out (a prime time to target their account)
- Secondary email addresses to contact during their absence
- Phone numbers

The query summarizes OOF messages delivered externally, grouped by the extension (top-level domain) of the recipient domain, which helps identify where this information is being shared:
```kql
EmailEvents
// add the "Automatic reply" subject prefixes used by the other languages in your tenant
| where Subject startswith "Automatic reply:"
| where DeliveryAction has "Delivered" and EmailDirection has "Outbound"
| extend Username = split(RecipientEmailAddress, "@")[0], Domain = tostring(split(RecipientEmailAddress, "@")[1])
| extend DomainParts = split(RecipientEmailAddress, ".")
| extend DomainExtensions = tostring(DomainParts[-1])
| summarize count() by DomainExtensions, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes
// for per-message detail instead of the summary view, use the next line and remove/comment the summarize line above
//| distinct SenderDisplayName, SenderMailFromDomain, SenderIPv4, RecipientEmailAddress, DomainExtensions, Domain, Subject, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes
```

Explanation

This query is designed to monitor and analyze Out of Office (OOF) automatic reply messages that are sent externally from an organization. These messages can sometimes contain sensitive information, such as the duration of absence, alternative contact details, or phone numbers, which could be exploited if shared with external parties.

Here's a simplified breakdown of what the query does:

  1. Filter Emails: It looks for emails with subjects starting with "Automatic reply:" that have been delivered and are outbound, meaning they are sent outside the organization.

  2. Extract Information: It extracts the username and domain from the recipient's email address and identifies the domain extension (e.g., .com, .org).

  3. Summarize Data: It counts the number of these OOF messages grouped by domain extension, email direction, delivery action, delivery location, and threat types. This helps identify where sensitive information might be shared externally.

  4. Optional Detailed View: There's an option to get more detailed information about each message, such as the sender's display name, domain, IP address, recipient's email, and other attributes, by using the commented-out line instead of the summarization.

Overall, this query helps organizations understand and manage the potential risks associated with automatic reply messages being sent to external domains.
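A fuller variant of the same detection, added here as an example and not the author's own query: it matches several localized "Automatic reply" subject prefixes with one regex (the prefixes listed are assumptions; extend them for your tenant), drops replies to domains you already trust (the `TrustedDomains` values are placeholders), and counts distinct senders per TLD so a single chatty mailbox does not dominate the view.

```kql
// Added example, not the original query. TrustedDomains values are placeholders.
let TrustedDomains = dynamic(["partner.example", "msp.example"]);  // replace with your own
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Outbound" and DeliveryAction == "Delivered"
// assumed localized prefixes: English, Spanish, French, German; add the ones your tenant uses
| where Subject matches regex @"^(Automatic reply|Respuesta automática|Réponse automatique|Automatische Antwort):"
| extend RecipientDomain = tolower(tostring(split(RecipientEmailAddress, "@")[1]))
| where isnotempty(RecipientDomain) and RecipientDomain !in (TrustedDomains)
// last label of the recipient domain, e.g. "com", "org", "uk"
| extend Tld = tostring(split(RecipientDomain, ".")[-1])
| summarize OofReplies = count(),
            DistinctSenders = dcount(SenderFromAddress),
            DistinctRecipientDomains = dcount(RecipientDomain),
            SampleRecipientDomains = make_set(RecipientDomain, 5)
          by Tld, DeliveryLocation
| order by OofReplies desc
```

A TLD with many replies but few distinct senders usually points at one mailbox worth reviewing rather than a tenant-wide pattern.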

Details


Sergio Albea

Released: December 26, 2024

Tables

EmailEvents

Keywords

EmailEvents, DomainExtensions, EmailDirection, DeliveryAction, DeliveryLocation, ThreatTypes, Username, RecipientEmailAddress, SenderDisplayName, SenderMailFromDomain, SenderIPv4, Subject

Operators

startswith, has, extend, split, tostring, summarize, count, by, distinct
