Adversaries may use PowerShell to exfiltrate sensitive data via email, leveraging script-based automation to bypass traditional email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate data exfiltration attempts that evade standard monitoring and filtering mechanisms.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ 'powershell.exe'
| where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')
```
```yaml
id: 1115e499-45a0-470c-b0ec-e2f204831341
name: Email data exfiltration via PowerShell
description: |
  Identify email exfiltration conducted by PowerShell.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Exfiltration
query: |
  DeviceProcessEvents
  | where FileName =~ 'powershell.exe'
  | where ProcessCommandLine has_all('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty', 'EmailAddresses', 'SmtpAddress', '-hidetableheaders')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task Using PowerShell
Description: A legitimate scheduled task runs PowerShell scripts to perform system updates or maintenance.
Filter/Exclusion: Check for Task Scheduler or schtasks.exe in the process tree, or filter by known maintenance script names like Update-System.ps1.
Scenario: Admin Performing Email Backup via PowerShell
Description: An administrator uses PowerShell to back up email data to a secure internal server.
Filter/Exclusion: Include checks for internal IP ranges, internal DNS domains, or known backup tools like Exchange Online PowerShell or PowerShell DSC.
Scenario: PowerShell Script for Email Reporting
Description: A script runs daily to generate email usage reports and send them to a central mailbox.
Filter/Exclusion: Filter by sender email addresses associated with reporting tools (e.g., the address of a dedicated reporting mailbox), or check for Send-MailMessage with internal SMTP servers.
Scenario: PowerShell Module Load for Email Integration
Description: A PowerShell module is loaded to integrate with an email system (e.g., Microsoft Exchange) for automation.
Filter/Exclusion: Check for module names like ExchangeOnlineManagement or Microsoft.Exchange, or verify the script is signed by a trusted publisher.
Scenario: User-Driven Email Forwarding via PowerShell
Description: A user script forwards emails to a personal account for personal use (e.g., archiving).
Filter/Exclusion: Filter by user-specific email addresses, or check for Forward or Move actions with known personal domains.
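As an added example (not part of the original rule or of Sentinel's own code), the Python below emulates the query's two `where` clauses over constructed DeviceProcessEvents rows and then applies the scheduled-maintenance exclusion from the scenarios above, so the tuning can be dry-run before it is written back into KQL. The `kql_has` term matcher is an approximation of KQL `has`, and `MAINTENANCE_PARENTS` / `KNOWN_SCRIPTS` are assumed tuning lists, not values from the page.

```python
import re

# Terms the page's query requires via has_all (KQL 'has' is a case-insensitive term match).
REQUIRED_TERMS = ('Add-PSSnapin', 'Get-Recipient', '-ExpandProperty',
                  'EmailAddresses', 'SmtpAddress', '-hidetableheaders')

# Assumed tuning lists taken from the scheduled-maintenance scenario (not from the page's rule).
MAINTENANCE_PARENTS = {'schtasks.exe'}
KNOWN_SCRIPTS = {'update-system.ps1'}

def kql_has(text: str, term: str) -> bool:
    """Approximate KQL 'has': the term's alphanumeric core must appear as a whole token.
    KQL tokenizes on non-alphanumerics, so '-' is stripped and '-hidetableheaders' matches 'ft -HideTableHeaders'."""
    core = re.escape(term.strip('-'))
    return re.search(rf'(?<![A-Za-z0-9_]){core}(?![A-Za-z0-9_])', text, re.I) is not None

def matches_query(event: dict) -> bool:
    """Mirror the two 'where' clauses of the hunting query."""
    if event['FileName'].lower() != 'powershell.exe':  # '=~' is case-insensitive equality
        return False
    return all(kql_has(event['ProcessCommandLine'], t) for t in REQUIRED_TERMS)

def is_known_benign(event: dict) -> bool:
    """Scheduled-maintenance exclusion: Task Scheduler parent or a known maintenance script name."""
    cmd = event['ProcessCommandLine'].lower()
    parent = event.get('InitiatingProcessFileName', '').lower()
    return parent in MAINTENANCE_PARENTS or any(s in cmd for s in KNOWN_SCRIPTS)

def hunt(events: list) -> list:
    """Return the rows an analyst would still need to triage after tuning."""
    return [e for e in events if matches_query(e) and not is_known_benign(e)]

# Constructed DeviceProcessEvents rows for a dry run; not real telemetry.
SAMPLE_EVENTS = [
    {'DeviceName': 'ws01', 'FileName': 'PowerShell.exe', 'InitiatingProcessFileName': 'explorer.exe',
     'ProcessCommandLine': 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                           'Get-Recipient | select -ExpandProperty EmailAddresses | select SmtpAddress | ft -HideTableHeaders"'},
    {'DeviceName': 'srv02', 'FileName': 'powershell.exe', 'InitiatingProcessFileName': 'schtasks.exe',
     'ProcessCommandLine': 'powershell.exe -File C:\\Scripts\\Update-System.ps1 Add-PSSnapin Get-Recipient '
                           '-ExpandProperty EmailAddresses SmtpAddress -hidetableheaders'},
    {'DeviceName': 'ws03', 'FileName': 'powershell.exe', 'InitiatingProcessFileName': 'explorer.exe',
     'ProcessCommandLine': 'powershell.exe -c Get-Process'},
]

if __name__ == '__main__':
    for hit in hunt(SAMPLE_EVENTS):
        print(hit['DeviceName'], hit['ProcessCommandLine'])
```

Only the interactive `ws01` row survives: `srv02` matches every term but is excluded by its `schtasks.exe` parent and known script name, which is the kind of tuning the scenario list asks for.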