Query Details
**Malicious Senders hidden behind anonymous proxies**

I had been meaning to take a deep look into the CloudAppEvents table, and I finally had some time over the weekend to look around. It will be interesting work to look for the cases where attackers are using an anonymous proxy. To start, let's catch some "GhostHackers" who think that, hidden behind a proxy, they will not be hunted while sending malicious emails.

```
CloudAppEvents
| where IsAnonymousProxy == 1
| where Application contains "Exchange"
| where ActionType contains "TIMailData-Inline"
| where RawEventData.DeliveryAction contains "Delivered"
| project IPAddress, CountryCode, City, ISP, RawEventData.Subject, RawEventData.P2Sender, RawEventData.DeliveryAction, RawEventData.Verdict, ActionType, Application
```
This KQL (Kusto Query Language) query is designed to identify potentially malicious email senders who are using anonymous proxies to disguise their activities. Here's a simple breakdown of what the query does:
Data Source: The query is analyzing data from the CloudAppEvents table, which logs various events related to cloud applications.
Filter for Anonymous Proxies: It first filters the events to only include those where the IsAnonymousProxy field is set to 1, indicating that the event involves an anonymous proxy.
Focus on Exchange Application: It further narrows down the events to those related to the "Exchange" application, which is commonly associated with email services.
Specific Action Type: The query looks for events where the ActionType contains "TIMailData-Inline", which likely refers to inline email data actions.
Delivered Emails: It filters for emails that have a DeliveryAction of "Delivered", meaning the emails were successfully sent to the recipient.
Projection of Relevant Fields: Finally, it selects and displays specific fields from the filtered events:
- IPAddress: The IP address from which the event originated.
- CountryCode: The country code associated with the IP address.
- City: The city associated with the IP address.
- ISP: The Internet Service Provider associated with the IP address.
- RawEventData.Subject: The subject of the email.
- RawEventData.P2Sender: The sender of the email.
- RawEventData.DeliveryAction: The delivery action taken on the email.
- RawEventData.Verdict: The verdict or classification of the email (e.g., spam, clean).
- ActionType: The type of action recorded in the event.
- Application: The application involved in the event.

In summary, this query is used to identify and gather information about emails sent through anonymous proxies via the Exchange application, focusing on those that were successfully delivered. This can help in detecting and investigating potentially malicious activities by "GhostHackers" who attempt to hide their identity using proxies.
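The query above lists one row per delivered message, which gets noisy fast. The following variant, added here as an example and not part of the original post, keeps the same filters but pivots to a per-sender triage view: how many delivered messages each anonymous-proxy sender produced, from how many source IPs and countries, with which verdicts, and over what time window. It only uses columns the original query already references plus Timestamp; the volume thresholds at the end are illustrative and should be tuned to your tenant.

```kql
// Added example: per-sender triage of delivered mail from anonymous proxies.
// Columns are those of the query above plus Timestamp; the thresholds are illustrative.
CloudAppEvents
| where Timestamp > ago(7d)
| where IsAnonymousProxy == 1
| where Application contains "Exchange"
| where ActionType contains "TIMailData-Inline"
// Pull the dynamic RawEventData fields out as strings so they can be aggregated.
| extend Subject = tostring(RawEventData.Subject),
         P2Sender = tostring(RawEventData.P2Sender),
         DeliveryAction = tostring(RawEventData.DeliveryAction),
         Verdict = tostring(RawEventData.Verdict)
| where DeliveryAction contains "Delivered"
| summarize Messages = count(),
            DistinctSubjects = dcount(Subject),
            DistinctSourceIPs = dcount(IPAddress),
            Countries = make_set(CountryCode, 10),
            ISPs = make_set(ISP, 10),
            Verdicts = make_set(Verdict, 10),
            SampleSubjects = make_set(Subject, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by P2Sender
// Surface senders that are either high-volume or rotating through several proxy exits.
| where Messages >= 5 or DistinctSourceIPs >= 3
| order by Messages desc, DistinctSourceIPs desc
```

A sender whose Verdicts set contains only benign classifications but who shows many subjects and many proxy exit IPs is a good candidate for manual review of the delivered messages.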

Sergio Albea
Released: December 26, 2024