The hypothesis is that the detection identifies potential ProxyLogon exploitation attempts through suspicious URIs commonly associated with credential theft and remote code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage attacks that could lead to persistent access within the Exchange environment.
KQL Query

```kql
W3CIISLog
//Exclude local addresses, using the ipv4_is_private operator
| where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
| where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
| project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
| extend timestamp = TimeGenerated, IPCustomEntity = cIP
```
```yaml
id: bcbebbae-d59a-4692-b138-93434bccf3db
name: Exchange Server ProxyLogon URIs
description: |
  'This query will detect suspicious paths associated with ProxyLogon exploitation'
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
tags:
  - Exchange
query: |
  W3CIISLog
  //Exclude local addresses, using the ipv4_is_private operator
  | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
  | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
  | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
  | extend timestamp = TimeGenerated, IPCustomEntity = cIP
entityMappings:
  - entityType: NetworkConnection
    fieldMappings:
      - identifier: DestinationAddress
        columnName: sIP
      - identifier: DestinationPort
        columnName: sPort
      - identifier: SourceAddress
        columnName: cIP
```
| Sentinel Table | Notes |
|---|---|
| W3CIISLog | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Job for Email Archiving | A legitimate scheduled job runs to archive old emails using a script that accesses /owa or /ecp endpoints. | `process.name != "archive_script.exe" OR process.parent.name != "scheduling_service.exe"` |
| Admin Task for User Provisioning | An admin uses the Exchange Admin Center (EAC) to create a new user, which triggers a request to /ecp or /owa. | `process.name != "owa.exe" OR process.parent.name != "exchange_admin.exe"` |
| Microsoft Defender for Office 365 Integration | Microsoft Defender for Office 365 periodically checks for threats and may access /owa or /ecp endpoints for policy enforcement. | `process.name != "microsoftdefender.exe" OR process.parent.name != "exchange_online.exe"` |
| PowerShell Script for Mailbox Backup | A PowerShell script runs to back up mailbox data using Exchange Web Services (EWS) or PowerShell cmdlets, which may access /ews or /owa. | `process.name != "powershell.exe" OR process.parent.name != "backup_service.exe"` |
| Internal Monitoring Tool for Exchange Health | An internal monitoring tool (e.g., SolarWinds, PRTG) checks the health of Exchange servers and accesses /owa or /ecp for status information. | `process.name != "solarwinds.exe" OR process.parent.name != "monitoring_service.exe"` |