In today’s cybersecurity landscape, detecting suspicious activities such as unauthorized changes to Outlook inbox rules is crucial. Attackers often create inbox rules to hide their malicious activities, such as forwarding emails to external addresses. This article provides a detailed KQL (Kusto Query Language) query to detect suspicious Outlook inbox rule creations from IP addresses that are new or rarely used by the user.
KQL Query for Detecting Suspicious Outlook Inbox Rule Creations
[kql]
// Define your Organization IP Range (replace the placeholder with your real CIDR)
let OrgCIDRIPRange = "x.x.x.x/0";
// Define excluded Countries
let ExcludedCountries = dynamic(["Switzerland"]);
// Inbox-rule creations performed from outside the organization's IP range
let InboxRuleCreated = OfficeActivity
| where Operation in ("UpdateInboxRules")
| mv-expand parse_json(OperationProperties)
| extend InboxOperationName = tostring(OperationProperties.Name)
| extend InboxOperationValue = tostring(OperationProperties.Value)
| where InboxOperationValue == "AddMailboxRule"
| mv-expand parse_json(AppAccessContext)
| extend UniqueTokenId = tostring(AppAccessContext.UniqueTokenId)
| extend AADSessionId = tostring(AppAccessContext.AADSessionId)
| extend ip_location = geo_info_from_ip_address(ClientIP)
| extend Country = tostring(ip_location.country)
| extend City = tostring(ip_location.city)
| where not(ipv4_is_in_range(ClientIP, OrgCIDRIPRange))
| project TimeGenerated, Operation, UserId, ClientIP, InboxOperationName, InboxOperationValue, UniqueTokenId, AADSessionId, Country, City
| summarize TimeGenerated = arg_max(TimeGenerated, *),
    AccountUpn = make_set(UserId),
    ClientIP = make_set(ClientIP),
    InboxOperationValue = make_set(InboxOperationValue),
    UniqueTokenId = make_set(UniqueTokenId),
    AADSessionId = make_set(AADSessionId),
    Country = make_set(Country),
    City = make_set(City)
    by UserId
| extend AccountUpn = tostring(AccountUpn);
// How many distinct days the user signed in from that IP in the last 30 days
let SignInEvents = InboxRuleCreated
| join kind=inner AADSignInEventsBeta on $left.UserId == $right.AccountUpn and $left.ClientIP == $right.IPAddress
| where TimeGenerated > ago(30d)
| project AccountUpn, AccountObjectId, IPAddress, TimeGenerated, TimeGenerated1, ReportId, Timestamp
| extend ip_location = geo_info_from_ip_address(IPAddress)
| extend Country = tostring(ip_location.country)
| extend City = tostring(ip_location.city)
| summarize distinct_days = dcount(startofday(TimeGenerated1)), ReportId = arg_max(ReportId, *), Timestamp = arg_max(Timestamp, *) by AccountUpn, tostring(ip_location), IPAddress;
// Keep only rule creations from IPs the user has signed in from on fewer than 2 days
InboxRuleCreated
| join kind=inner SignInEvents on $left.ClientIP == $right.IPAddress
| where distinct_days < 2
| where Country !in (ExcludedCountries)
| project Timestamp, AccountUpn = UserId, ClientIP, Country, City, CountLoginDays = distinct_days, ReportId
[/kql]
You Should Know:
1. Understanding the Query:
- The query starts by defining the organization’s IP range and excluded countries.
- It then filters OfficeActivity logs for operations related to updating inbox rules.
- The query expands JSON properties to extract relevant information such as the operation name, value, and user details.
- It uses geo-location data to determine the country and city of the IP address used to create the rule.
- The query then joins the results with sign-in events to identify IP addresses that are new or rarely used by the user.
2. Key Commands and Functions:
- mv-expand: Expands multi-value properties into separate rows.
- extend: Adds new columns to the result set.
- geo_info_from_ip_address: Retrieves geo-location information based on the IP address.
- ipv4_is_in_range: Checks if an IP address falls within a specified range.
- join: Combines rows from two tables based on a related column.
3. Practical Steps:
- Step 1: Define your organization’s IP range and excluded countries.
- Step 2: Run the query in your KQL environment (e.g., Azure Sentinel).
- Step 3: Review the results to identify any suspicious activities.
- Step 4: Investigate any flagged activities further to determine if they are malicious.
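To make the detection logic above concrete without a Sentinel workspace, here is an added Python model of the same rule (not code from the original post): it replays constructed OfficeActivity rule creations and sign-in records, counts distinct sign-in days per user and IP, and flags AddMailboxRule events from external IPs seen on fewer than 2 days, skipping excluded countries. The org CIDR, the geo lookup table and all log records are assumed sample values.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real telemetry: assumed org range and a stand-in
# for geo_info_from_ip_address() keyed by IP.
ORG_CIDR = ipaddress.ip_network("10.0.0.0/8")
EXCLUDED_COUNTRIES = {"Switzerland"}
GEO = {"203.0.113.1": ("Germany", "Berlin"), "198.51.100.7": ("Switzerland", "Zurich"),
       "192.0.2.9": ("USA", "New York"), "10.1.2.3": ("USA", "Seattle")}

RULE_EVENTS = [  # (TimeGenerated, UserId, ClientIP, OperationProperties.Value)
    ("2023-10-01T12:34:56Z", "alice@example.com", "203.0.113.1", "AddMailboxRule"),
    ("2023-10-01T13:00:00Z", "bob@example.com", "192.0.2.9", "AddMailboxRule"),
    ("2023-10-02T09:00:00Z", "carol@example.com", "198.51.100.7", "AddMailboxRule"),
    ("2023-10-02T10:00:00Z", "dave@example.com", "10.1.2.3", "AddMailboxRule"),
    ("2023-10-02T11:00:00Z", "erin@example.com", "203.0.113.1", "RemoveMailboxRule"),
]
SIGNINS = [  # (Timestamp, AccountUpn, IPAddress)
    ("2023-10-01T12:30:00Z", "alice@example.com", "203.0.113.1"),  # first day on this IP
    ("2023-09-20T08:00:00Z", "bob@example.com", "192.0.2.9"),      # bob: habitual IP
    ("2023-09-25T08:00:00Z", "bob@example.com", "192.0.2.9"),
    ("2023-10-01T08:00:00Z", "bob@example.com", "192.0.2.9"),
    ("2023-10-02T08:55:00Z", "carol@example.com", "198.51.100.7"),
    ("2023-10-02T09:55:00Z", "dave@example.com", "10.1.2.3"),
]

def login_days(signins):
    """Mirror dcount(startofday(TimeGenerated1)) by AccountUpn, IPAddress."""
    days = defaultdict(set)
    for ts, upn, ip in signins:
        days[(upn, ip)].add(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date())
    return {key: len(v) for key, v in days.items()}

def suspicious_rules(rule_events, signins, org_cidr=ORG_CIDR, excluded=EXCLUDED_COUNTRIES):
    """Flag AddMailboxRule events from an external IP the user signed in from on < 2 days."""
    days = login_days(signins)
    hits = []
    for ts, user, ip, value in rule_events:
        if value != "AddMailboxRule" or ipaddress.ip_address(ip) in org_cidr:
            continue  # not a rule creation, or from inside the org range
        if (user, ip) not in days:
            continue  # the query's inner join drops pairs with no sign-in record
        country, city = GEO.get(ip, ("Unknown", "Unknown"))
        if country in excluded or days[(user, ip)] >= 2:
            continue
        hits.append({"Timestamp": ts, "AccountUpn": user, "ClientIP": ip, "Country": country,
                     "City": city, "CountLoginDays": days[(user, ip)]})
    return hits

if __name__ == "__main__":
    for hit in suspicious_rules(RULE_EVENTS, SIGNINS):
        print(hit)
```

Only alice is flagged: bob's IP is habitual, carol's IP geolocates to an excluded country, dave's IP is inside the org range, and erin's event is not a rule creation.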
4. Additional Resources:
What Undercode Says:
Detecting suspicious activities in your environment is a critical aspect of cybersecurity. The provided KQL query is a powerful tool for identifying unauthorized changes to Outlook inbox rules, which could indicate a potential security breach. By understanding and utilizing this query, you can enhance your organization’s security posture and respond more effectively to threats.
Expected Output:
The expected output of the query will be a list of suspicious activities, including the timestamp, user ID, client IP, country, city, and the number of days the IP address has been used. This information can be used to investigate and mitigate potential security threats.
[plaintext]
Timestamp | AccountUpn | ClientIP | Country | City | CountLoginDays | ReportId
2023-10-01T12:34:56Z | [email protected] | 192.168.1.1 | USA | New York | 1 | 12345
2023-10-02T14:56:23Z | [email protected] | 203.0.113.1 | Germany | Berlin | 1 | 67890
[/plaintext]
By following the steps and utilizing the resources provided, you can effectively monitor and respond to suspicious activities in your environment.
References:
Reported By: Benjamin Zulliger – Hackers Feeds