The hunt hypothesis detects potential MailSniper activity, where an adversary leverages a compromised Exchange Server to exfiltrate data or deploy payloads through email. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threat (APT) campaigns targeting email infrastructure.
KQL Query
let dateRange = ago(10d);
//
let whoamiProcess = DeviceProcessEvents
| where ProcessCreationTime >= dateRange
| where FileName =~ 'whoami.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
| project DeviceId, whoamiTime = ProcessCreationTime, whoamiProcessName = FileName,
whoamiParentName = InitiatingProcessParentFileName, whoamiParentPID = InitiatingProcessParentId;
//
let netProcess = DeviceProcessEvents
| where ProcessCreationTime >= dateRange
| where FileName =~ 'net.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
| project DeviceId, netTime = ProcessCreationTime, netProcessName = FileName,
netParentName = InitiatingProcessParentFileName, netParentPID = InitiatingProcessParentId;
//
let mailServerEvents = DeviceNetworkEvents
| where Timestamp >= dateRange
| where InitiatingProcessFileName =~ 'powershell.exe'
| where RemoteUrl contains 'onmicrosoft.com'
or RemoteUrl contains 'outlook.com'
| project DeviceId, mailTime = Timestamp, mailProcessName = InitiatingProcessFileName,
mailPID = InitiatingProcessId;
//
mailServerEvents
| join netProcess on DeviceId
| where netParentPID == mailPID and netParentName == mailProcessName
| join whoamiProcess on DeviceId
| where whoamiParentPID == mailPID and whoamiParentName == mailProcessName
| where netTime < mailTime + 4h and netTime > mailTime - 4h
| where whoamiTime < mailTime + 4h and whoamiTime > mailTime - 4h
| project DeviceId, EstimatedIncidentTime = mailTime, ProcessName = mailProcessName,
ProcessID = mailPID
id: 726085be-fa36-4b0f-991a-b5bc8fe53d87
name: detect-mailsniper
description: |
  This query was originally published in the threat analytics report, MailSniper Exchange attack tool.
  MailSniper is a tool that targets Microsoft Exchange Server. The core function is to connect to Exchange Server and search through emails. In support of this, it can perform reconnaissance, collection, exfiltration, and credential theft. MailSniper is used both by red teams running penetration tests, and by malicious actors.
  Microsoft Defender Security Center may record the following alerts during and after an attack:
  1. Global mail search on Exchange using MailSniper
  2. Exchange mailbox or mail folder search using MailSniper
  3. Enumeration of Active Directory usernames using MailSniper
  4. Enumeration of the Exchange GAL using MailSniper
  5. Access to Exchange inboxes using MailSniper
  6. Password spraying using MailSniper
  7. Enumeration of domains and user accounts using MailSniper
  The following query detects activity commonly associated with attacks run with MailSniper.
  Reference - https://github.com/dafthack/MailSniper
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
      - DeviceNetworkEvents
tactics:
  - Initial Access
  - Credential Access
  - Collection
  - Exfiltration
query: |
  let dateRange = ago(10d);
  //
  let whoamiProcess = DeviceProcessEvents
  | where ProcessCreationTime >= dateRange
  | where FileName =~ 'whoami.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
  | project DeviceId, whoamiTime = ProcessCreationTime, whoamiProcessName = FileName,
  whoamiParentName = InitiatingProcessParentFileName, whoamiParentPID = InitiatingProcessParentId;
  //
  let netProcess = DeviceProcessEvents
  | where ProcessCreationTime >= dateRange
  | where FileName =~ 'net.exe' and InitiatingProcessParentFileName =~ 'powershell.exe'
  | project DeviceId, netTime = ProcessCreationTime, netProcessName = FileName,
  netParentName = InitiatingProcessParentFileName, netParentPID = InitiatingProcessParentId;
  //
  let mailServerEvents = DeviceNetworkEvents
  | where Timestamp >= dateRange
  | where InitiatingProcessFileName =~ 'powershell.exe'
  | where RemoteUrl contains 'onmicrosoft.com'
  or RemoteUrl contains 'outlook.com'
  | project DeviceId, mailTime = Timestamp, mailProcessName = InitiatingProcessFileName,
  mailPID = InitiatingProcessId;
  //
  mailServerEvents
  | join netProcess on DeviceId
  | where netParentPID == mailPID and netParentName == mailProcessName
  | join whoamiProcess on DeviceId
  | where whoamiParentPID == mailPID and whoamiParentName == mailProcessName
  | where netTime < mailTime + 4h and netTime > mailTime - 4h
  | where whoamiTime < mailTime + 4h and whoamiTime > mailTime - 4h
  | project DeviceId, EstimatedIncidentTime = mailTime, ProcessName = mailProcessName,
  ProcessID = mailPID
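The query above correlates three signals on one device: a powershell.exe process that reached an Exchange Online host, plus whoami.exe and net.exe children of that same PID, each created within four hours of the network event. The following Python reimplementation of that correlation is an added example (it is not part of the Sentinel content and not MailSniper project code) and runs over constructed sample rows modelled on the DeviceProcessEvents and DeviceNetworkEvents columns the query uses; the `excluded_accounts` allowlist and the `InitiatingProcessAccountName` field are assumptions added to show how the account-based exclusions described in the false-positive scenarios below would be applied. It goes slightly beyond the KQL by collapsing the join output to one finding per network event, where the KQL emits one row per matching (mail, net, whoami) triple.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed sample schema: only the columns the KQL query touches, plus
# InitiatingProcessAccountName (assumed here to illustrate allowlisting).
@dataclass(frozen=True)
class ProcessEvent:
    DeviceId: str
    ProcessCreationTime: datetime
    FileName: str
    InitiatingProcessParentFileName: str
    InitiatingProcessParentId: int
    InitiatingProcessAccountName: str


@dataclass(frozen=True)
class NetworkEvent:
    DeviceId: str
    Timestamp: datetime
    InitiatingProcessFileName: str
    InitiatingProcessId: int
    RemoteUrl: str
    InitiatingProcessAccountName: str


MAIL_DOMAINS = ("onmicrosoft.com", "outlook.com")   # mirrors the RemoteUrl 'contains' filters
WINDOW = timedelta(hours=4)                         # mirrors the +/- 4h bounds


def _powershell_child(ev: ProcessEvent, name: str) -> bool:
    """Equivalent of: FileName =~ name and InitiatingProcessParentFileName =~ 'powershell.exe'."""
    return (ev.FileName.lower() == name
            and ev.InitiatingProcessParentFileName.lower() == "powershell.exe")


def hunt_mailsniper(process_events, network_events, excluded_accounts=()):
    """Return (DeviceId, EstimatedIncidentTime, ProcessName, ProcessID) per suspicious network event.

    A network event qualifies only if the SAME powershell PID on the SAME device spawned
    both whoami.exe and net.exe within the 4h window; joining on DeviceId alone would
    otherwise pair unrelated PowerShell sessions on a busy host.
    """
    excluded = {a.lower() for a in excluded_accounts}
    whoami = [e for e in process_events if _powershell_child(e, "whoami.exe")]
    net = [e for e in process_events if _powershell_child(e, "net.exe")]
    findings = []
    for m in network_events:
        if m.InitiatingProcessFileName.lower() != "powershell.exe":
            continue
        if not any(d in m.RemoteUrl.lower() for d in MAIL_DOMAINS):
            continue
        if m.InitiatingProcessAccountName.lower() in excluded:   # assumed allowlist step
            continue

        def same_session(child: ProcessEvent) -> bool:
            # Equivalent of the join on DeviceId plus the ParentPID/ParentName and time-window filters.
            return (child.DeviceId == m.DeviceId
                    and child.InitiatingProcessParentId == m.InitiatingProcessId
                    and child.InitiatingProcessParentFileName.lower() == m.InitiatingProcessFileName.lower()
                    and abs(child.ProcessCreationTime - m.Timestamp) < WINDOW)

        if any(same_session(n) for n in net) and any(same_session(w) for w in whoami):
            findings.append((m.DeviceId, m.Timestamp, m.InitiatingProcessFileName, m.InitiatingProcessId))
    return findings


# Constructed sample telemetry (hypothetical devices, PIDs and accounts).
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_NETWORK = [
    # ws01 / PID 4242: recon children follow within minutes -> should fire
    NetworkEvent("ws01", T0, "powershell.exe", 4242, "autodiscover-s.outlook.com", "jdoe"),
    # ws01 / PID 5555: talks to mail but spawned nothing -> must not fire despite same DeviceId
    NetworkEvent("ws01", T0 + timedelta(minutes=1), "powershell.exe", 5555, "autodiscover-s.outlook.com", "jdoe"),
    # ws02 / PID 1000: net.exe comes 6h later -> outside window, must not fire
    NetworkEvent("ws02", T0, "powershell.exe", 1000, "contoso.onmicrosoft.com", "asmith"),
    # bk01 / PID 777: scheduled backup job under a service account -> fires unless allowlisted
    NetworkEvent("bk01", T0, "powershell.exe", 777, "autodiscover-s.outlook.com", "svc_backup"),
]
SAMPLE_PROCESS = [
    ProcessEvent("ws01", T0 + timedelta(minutes=5), "whoami.exe", "powershell.exe", 4242, "jdoe"),
    ProcessEvent("ws01", T0 + timedelta(minutes=10), "net.exe", "powershell.exe", 4242, "jdoe"),
    ProcessEvent("ws02", T0 + timedelta(hours=1), "whoami.exe", "powershell.exe", 1000, "asmith"),
    ProcessEvent("ws02", T0 + timedelta(hours=6), "net.exe", "powershell.exe", 1000, "asmith"),
    ProcessEvent("bk01", T0 + timedelta(minutes=2), "whoami.exe", "powershell.exe", 777, "svc_backup"),
    ProcessEvent("bk01", T0 + timedelta(minutes=3), "net.exe", "powershell.exe", 777, "svc_backup"),
]

if __name__ == "__main__":
    for row in hunt_mailsniper(SAMPLE_PROCESS, SAMPLE_NETWORK, excluded_accounts=["svc_backup"]):
        print(row)
```

Run as-is, the sample set yields one finding (ws01, PID 4242); removing the allowlist also surfaces the backup host, which is exactly the kind of hit the exclusion scenarios below are meant to tune out. Note that the time window is a symmetric four hours on either side of the network event, so recon that happens before the Exchange connection is caught as well as recon after it.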
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled mailbox backup job
Description: A legitimate scheduled job runs to back up user mailboxes, which may involve connecting to Exchange servers and performing similar network activity to MailSniper.
Filter/Exclusion: Check for the presence of known backup tools (e.g., Veeam, CommCell, Microsoft Data Protection Manager) or filter by job names containing “backup” or “restore”.
Scenario: Admin task to move mailboxes between databases
Description: An administrator is moving mailboxes between Exchange databases, which can involve connecting to Exchange servers and using similar protocols as MailSniper.
Filter/Exclusion: Filter by user accounts with administrative privileges (e.g., CN=Administrator,CN=Users,DC=example,DC=com) or check for the presence of Move-Mailbox or New-MoveRequest PowerShell commands.
Scenario: Exchange Online Protection (EOP) service health check
Description: A health check or diagnostic tool used by Microsoft or third-party providers to monitor Exchange Online services may connect to Exchange servers in a manner similar to MailSniper.
Filter/Exclusion: Filter by IP ranges associated with Microsoft services or check for known EOP diagnostic tools (e.g., Microsoft Online Services Health).
Scenario: PowerShell script for email archiving
Description: A custom PowerShell script used for email archiving may connect to Exchange servers and perform actions that resemble MailSniper’s behavior.
Filter/Exclusion: Filter by scripts containing keywords like “archive”, “move”, or “export”, or check for the presence of known archiving tools (e.g., Mimecast, Proofpoint).
Scenario: Exchange PowerShell remote management session
Description: An administrator may establish a remote PowerShell session to manage Exchange servers, which can involve similar network