Query Details

Social Engineering Attack Detection

Query

// Social Engineering Attack (Mail Bomb followed by Social Engineered Call - Initial access via RMM Tool)
// https://admin.microsoft.com/?ref=MessageCenter/:/messages/MC1096885

// Recipients flagged for mail bombing within the last hour
let MailBombVictim =
EmailEvents
| where TimeGenerated > ago(1h)
| where isnotempty(DetectionMethods)
| where tostring(DetectionMethods) has "Mail Bombing"
| distinct RecipientEmailAddress;
// Approved corporate RMM domains (allowlist); has_any expects a dynamic array, so the value is wrapped in [ ]
let ApprovedRMM = dynamic(["bomgarcloud.com"]);
// Lookup list of RMM tool URIs published by Microsoft; ignoreFirstRecord assumes the CSV starts with a header row
let RMMList = externaldata(URI: string, RMMTool: string)
[h'https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv']
with (format="csv", ignoreFirstRecord=true);
let RMMUrl =
RMMList
| project URI;
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == @"ConnectionSuccess"
| where RemoteUrl has_any (RMMUrl)
| where not (RemoteUrl has_any (ApprovedRMM)) // Unauthorized outbound RMM tool connection
| summarize arg_max(TimeGenerated, *) by DeviceId // Latest matching connection per device
| where InitiatingProcessAccountUpn has_any (MailBombVictim) // RMM tool connection made by a mail bomb victim

Explanation

This query is designed to detect a specific type of social engineering attack that involves a mail bombing followed by a social engineering call, ultimately leading to unauthorized access via a Remote Monitoring and Management (RMM) tool. Here's a simplified breakdown:

  1. Identify Mail Bomb Victims:
    • The query first identifies email recipients who have been targeted by a mail bombing attack within the last hour. This is done by filtering email events for those with a detection method labeled as "Mail Bombing" and collecting the distinct email addresses of the recipients.
  2. Approved RMM Tools:
    • It defines a list of approved RMM tools, in this case "bomgarcloud.com," which is considered safe and whitelisted.
  3. Fetch RMM Tool URLs:
    • The query retrieves a list of known RMM tool URLs from an external source (a CSV file hosted on GitHub). This list is used to identify potential RMM tool connections.
  4. Detect Unauthorized RMM Connections:
    • It then examines network events from devices over the past hour to find successful connection attempts to any RMM tool URLs, excluding those that are approved (whitelisted).
    • The query summarizes these events to find the latest connection attempt for each device.
  5. Correlate with Mail Bomb Victims:
    • Finally, it checks if any of these unauthorized RMM tool connections were initiated by accounts associated with the mail bomb victims identified earlier.

In essence, the query aims to detect if a user who was targeted by a mail bomb attack subsequently made an unauthorized connection to an RMM tool, which could indicate a successful social engineering attack leading to unauthorized access.
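The same five-step correlation, re-implemented in Python over constructed sample rows as an added example (this is not part of the original page or the author's query). The `has_any` helper approximates KQL term matching with a case-insensitive substring test, and every UPN, device id, `.example` domain and DetectionMethods value below is invented for the demonstration.

```python
from datetime import datetime, timedelta
NOW = datetime(2025, 6, 18, 12, 0)
WINDOW = timedelta(hours=1)  # the query's ago(1h) window
# Constructed sample rows standing in for EmailEvents (DetectionMethods as its stringified
# dynamic value), DeviceNetworkEvents, and the URI column of the RMM lookup CSV.
EMAIL_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=40), "RecipientEmailAddress": "alice@contoso.example",
     "DetectionMethods": '{"Spam":["Mail Bombing"]}'},
    {"TimeGenerated": NOW - timedelta(minutes=30), "RecipientEmailAddress": "carol@contoso.example",
     "DetectionMethods": '{"Spam":["Mail Bombing"]}'},
    {"TimeGenerated": NOW - timedelta(minutes=20), "RecipientEmailAddress": "bob@contoso.example",
     "DetectionMethods": '{"Phish":["URL reputation"]}'},
    {"TimeGenerated": NOW - timedelta(hours=3), "RecipientEmailAddress": "dave@contoso.example",
     "DetectionMethods": '{"Spam":["Mail Bombing"]}'},  # outside the 1h window
]
RMM_URIS = ["rmm-one.example", "rmm-two.example", "bomgarcloud.com"]  # stand-in for the CSV URI list
APPROVED_RMM = ["bomgarcloud.com"]                                     # the query's allowlist
NETWORK_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=10), "DeviceId": "D1", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://relay.rmm-one.example/session", "InitiatingProcessAccountUpn": "alice@contoso.example"},
    {"TimeGenerated": NOW - timedelta(minutes=5), "DeviceId": "D2", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://rmm-one.example/", "InitiatingProcessAccountUpn": "bob@contoso.example"},
    {"TimeGenerated": NOW - timedelta(minutes=8), "DeviceId": "D3", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://bomgarcloud.com/", "InitiatingProcessAccountUpn": "carol@contoso.example"},
    {"TimeGenerated": NOW - timedelta(minutes=3), "DeviceId": "D4", "ActionType": "ConnectionSuccess",
     "RemoteUrl": "https://rmm-two.example/", "InitiatingProcessAccountUpn": "dave@contoso.example"},
]

def has_any(text, terms):
    # Approximates KQL has_any: case-insensitive match of any listed term inside the text.
    t = text.lower()
    return any(term.lower() in t for term in terms)

def mail_bomb_victims(email_events, now=NOW):
    # let MailBombVictim = EmailEvents | where ... has "Mail Bombing" | distinct RecipientEmailAddress
    return {e["RecipientEmailAddress"].lower() for e in email_events
            if e["TimeGenerated"] > now - WINDOW and e["DetectionMethods"]
            and has_any(e["DetectionMethods"], ["Mail Bombing"])}

def detect(email_events, network_events, rmm_uris, approved, now=NOW):
    victims = mail_bomb_victims(email_events, now)
    # successful connections to a listed RMM URI that is not on the allowlist
    candidates = [n for n in network_events
                  if n["TimeGenerated"] > now - WINDOW and n["ActionType"] == "ConnectionSuccess"
                  and has_any(n["RemoteUrl"], rmm_uris) and not has_any(n["RemoteUrl"], approved)]
    latest = {}  # summarize arg_max(TimeGenerated, *) by DeviceId: keep the newest row per device
    for n in candidates:
        if n["DeviceId"] not in latest or n["TimeGenerated"] > latest[n["DeviceId"]]["TimeGenerated"]:
            latest[n["DeviceId"]] = n
    # final correlation: the connecting account belongs to a mail-bomb victim
    return sorted((n for n in latest.values() if n["InitiatingProcessAccountUpn"].lower() in victims),
                  key=lambda n: n["DeviceId"])
```

With this data only D1 (alice, a victim, reaching an unapproved RMM relay) is returned: bob is not a victim, carol's tool is allowlisted, and dave's mail-bomb detection falls outside the window.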

Details

Steven Lim

Released: June 18, 2025

Tables

EmailEvents, DeviceNetworkEvents, RMMList

Keywords

EmailEvents, DetectionMethods, RecipientEmailAddress, DeviceNetworkEvents, ActionType, RemoteUrl, DeviceId, InitiatingProcessAccountUpn

Operators

let, EmailEvents, |, where, >, ago(), isnotempty(), tostring(), has, distinct, dynamic(), externaldata(), project, DeviceNetworkEvents, ==, summarize, arg_max(), by, not, has_any