Query Details

Echo Spoofing

Query

//By leveraging Defender threat intelligence data to first identify abused Proofpoint email gateways and correlating this with emails that have passed authentication checks (SPF/DKIM/DMARC) from these gateways, you can quickly spot abnormal inbound email counts from legitimate non-business partner domains by reviewing the email statistics. (E.g Disney.com)

let HighRiskProofpointEmailGateways =
CloudAppEvents 
| where ActionType == @"TIMailData-Inline"
| where RawEventData has "pphosted.com" or ISP == @"proofpoint inc."
| extend SenderIP = tostring(RawEventData.SenderIp)
| distinct SenderIP;
EmailEvents
| where SenderIPv4 has_any(HighRiskProofpointEmailGateways)
| extend SenderInfo = geo_info_from_ip_address(SenderIPv4)
| extend AuthDetail = parse_json(AuthenticationDetails)
| where AuthDetail.SPF=="pass" and AuthDetail.DKIM=="pass" and AuthDetail.DMARC=="pass"
| summarize Count=count() by SenderFromDomain
| sort by Count desc

// https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6

// MITRE ATT&CK Mapping

// The KQL code is designed to detect potentially malicious email activities by focusing on high-risk Proofpoint email gateways and ensuring the emails pass key authentication checks. The associated MITRE ATT&CK techniques include:

// T1071.001: Application Layer Protocol - Web Protocols
// T1071.003: Application Layer Protocol - Email Protocols
// T1589.002: Gather Victim Network Information - DNS
// T1078.003: Valid Accounts - Cloud Accounts

Explanation

This KQL query is designed to identify potentially suspicious email activities by focusing on specific email gateways known to be associated with Proofpoint, a security company. Here's a simplified breakdown of what the query does:

  1. Identify High-Risk Gateways: The query first looks at cloud application events to find email gateways associated with Proofpoint. It filters for events that involve Proofpoint's infrastructure, specifically looking for the domain "pphosted.com" or the ISP "proofpoint inc." It then extracts unique sender IP addresses from these events.

  2. Filter Emails: Next, the query examines email events to find emails that were sent from these identified high-risk IP addresses. It checks the geographic information of the sender and ensures that the emails have passed key authentication checks (SPF, DKIM, and DMARC), which are protocols used to verify the legitimacy of an email.

  3. Summarize and Sort: The query then counts the number of emails from each sender domain and sorts them in descending order based on the count. This helps in quickly identifying domains that are sending an unusually high number of emails, which could indicate suspicious activity.

  4. Purpose: The overall goal is to spot abnormal email patterns from domains that are not recognized as business partners, which could be indicative of phishing or other malicious activities.

  5. Context: The query is linked to a real-world example of a phishing campaign exploiting Proofpoint's email protection, as referenced in the provided URL.

  6. Security Framework: The query is mapped to specific MITRE ATT&CK techniques, which are a set of tactics and techniques used to describe cyber adversary behavior. These include using web and email protocols, gathering network information, and exploiting valid cloud accounts.

In essence, this query helps security analysts detect and investigate potentially harmful emails that might bypass traditional security measures by leveraging trusted email gateways.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

CloudAppEventsEmailEvents

Keywords

CloudAppEventsEmailEventsSenderIPSenderIPv4SenderInfoAuthDetailAuthenticationDetailsSenderFromDomainCount

Operators

let|where==hasorextendtostring()distincthas_anygeo_info_from_ip_address()parse_json()summarizecount()bysortdesc

Actions

GitHub