Adversaries may compromise Exchange servers by exploiting the web paths associated with the email application (MITRE ATT&CK T1190) and then use that access to exfiltrate data. SOC teams should proactively hunt for this behaviour in Azure Sentinel to catch exfiltration attempts that evade traditional detection methods.
KQL Query

```kusto
W3CIISLog
| where csUriStem has_any("/owa/auth/", "/ecp/healthcheck.htm", "/ews/exchange.asmx")
| summarize by computer=tolower(Computer)
| join kind=leftouter (
    SecurityAlert
    | extend alertData = parse_json(Entities)
    | mv-expand alertData
    | where alertData.Type == "host"
    | extend computer = iff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), ".", tostring(alertData.DnsDomain))), tolower(tostring(alertData.HostName)))
    | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer
) on computer
| project ExchangeServer=computer, Alerts, AlertTimes, AlertNames
```
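To make the join logic concrete, the following is an added Python re-implementation of the query's three steps (fingerprinting Exchange servers from IIS paths, expanding host entities out of each alert, and the left-outer join keyed on the lowercased host name). It is example code, not part of the original query or the Sentinel repository; the W3CIISLog rows, alert ids and alert names are constructed samples.

```python
import json
from collections import defaultdict

# Exchange web paths the query uses to fingerprint Exchange servers in W3CIISLog.
EXCHANGE_PATHS = ("/owa/auth/", "/ecp/healthcheck.htm", "/ews/exchange.asmx")

# Constructed sample rows (not real telemetry). Mixed case is deliberate: the query
# lowercases both sides of the join, and this code does the same.
IIS_ROWS = [
    {"Computer": "EXCH01.corp.example", "csUriStem": "/owa/auth/logon.aspx"},
    {"Computer": "EXCH02.corp.example", "csUriStem": "/EWS/Exchange.asmx"},
    {"Computer": "WEB01.corp.example", "csUriStem": "/index.html"},
]
ALERTS = [  # Entities is a JSON string, as in the SecurityAlert table
    {"SystemAlertId": "a1", "TimeGenerated": "2024-01-01T10:00:00Z", "AlertName": "Suspicious IIS worker child process",
     "Entities": json.dumps([{"Type": "host", "HostName": "exch01", "DnsDomain": "corp.example"}])},
    {"SystemAlertId": "a2", "TimeGenerated": "2024-01-01T11:00:00Z", "AlertName": "Multiple failed logons",
     "Entities": json.dumps([{"Type": "host", "HostName": "EXCH01", "DnsDomain": "CORP.EXAMPLE"},
                             {"Type": "process", "ProcessId": "4321"}])},
    {"SystemAlertId": "a3", "TimeGenerated": "2024-01-01T12:00:00Z", "AlertName": "Malware detected",
     "Entities": json.dumps([{"Type": "host", "HostName": "web01", "DnsDomain": "corp.example"}])},
]

def normalize_host(hostname, dns_domain=""):
    """Mirror the query's iff(): lowercase FQDN when DnsDomain is set, else lowercase host name."""
    return f"{hostname}.{dns_domain}".lower() if dns_domain else hostname.lower()

def exchange_servers(iis_rows):
    """Servers with at least one hit on an Exchange path (has_any is case-insensitive; substring approximates it)."""
    return {r["Computer"].lower() for r in iis_rows
            if any(p in r["csUriStem"].lower() for p in EXCHANGE_PATHS)}

def alerts_by_host(alerts):
    """Expand each alert's host entities and aggregate per normalized host, like the inner summarize."""
    out = defaultdict(lambda: {"ids": set(), "AlertTimes": [], "AlertNames": []})
    for a in alerts:
        for ent in json.loads(a["Entities"]):
            if ent.get("Type") != "host":
                continue  # only host entities carry the join key
            h = out[normalize_host(ent["HostName"], ent.get("DnsDomain", ""))]
            h["ids"].add(a["SystemAlertId"])  # dcount(SystemAlertId)
            h["AlertTimes"].append(a["TimeGenerated"])
            h["AlertNames"].append(a["AlertName"])
    return out

def correlate(iis_rows, alerts):
    """Left-outer join: every Exchange server is reported (Alerts=0 if nothing matched); alerts on non-Exchange hosts are dropped."""
    by_host = alerts_by_host(alerts)
    result = {}
    for server in sorted(exchange_servers(iis_rows)):
        h = by_host.get(server, {"ids": set(), "AlertTimes": [], "AlertNames": []})
        result[server] = {"Alerts": len(h["ids"]), "AlertTimes": h["AlertTimes"], "AlertNames": h["AlertNames"]}
    return result
```

Running `correlate(IIS_ROWS, ALERTS)` shows why the lowercasing matters: the two alerts naming EXCH01 in different case collapse onto one server, while the alert on web01 never appears because that host is not on the left side of the join.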
```yaml
id: 84026aa0-7020-45d0-9f85-d526e43de2ab
name: Exchange Servers and Associated Security Alerts
description: |
  'This query will dynamically identify Exchange servers using common web paths used by the application in the csUriStem. The query
  will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.'
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
  - connectorId: MicrosoftDefenderAdvancedThreatProtection
    dataTypes:
      - SecurityAlert (MDATP)
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
tags:
  - Exchange
query: |
  W3CIISLog
  | where csUriStem has_any("/owa/auth/", "/ecp/healthcheck.htm", "/ews/exchange.asmx")
  | summarize by computer=tolower(Computer)
  | join kind=leftouter (
      SecurityAlert
      | extend alertData = parse_json(Entities)
      | mv-expand alertData
      | where alertData.Type == "host"
      | extend computer = iff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), ".", tostring(alertData.DnsDomain))), tolower(tostring(alertData.HostName)))
      | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer
  ) on computer
  | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: ExchangeServer
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure this data connector is enabled |
| W3CIISLog | Ensure this data connector is enabled |
**Scenario: Scheduled Exchange Backup Job**
- Description: A legitimate scheduled backup job runs on an Exchange server, triggering a security alert because a web path associated with Exchange is present.
- Filter/Exclusion: Use the process.name field to exclude known backup tools such as VeeamBackup.exe or SymantecBackup.exe.

**Scenario: Admin Task – Exchange PowerShell Cmdlets**
- Description: An administrator runs a PowerShell script to manage Exchange mailbox quotas or user permissions, which may trigger alerts because Exchange-related web paths are used.
- Filter/Exclusion: Filter by process.name to exclude powershell.exe when it is executed by a known admin account or with specific command-line arguments such as -Command.

**Scenario: Exchange Online Protection (EOP) Scan Job**
- Description: A Microsoft Exchange Online Protection (EOP) scan job is running, which may generate alerts because it interacts with Exchange web paths.
- Filter/Exclusion: Use the process.name field to exclude msol.exe or ExchangeOnlineProtection.exe, or check the user.domain field to identify Microsoft services.

**Scenario: Exchange Web Services (EWS) API Usage**
- Description: A legitimate application or service uses the Exchange Web Services (EWS) API to sync email or calendar data, which may trigger alerts because Exchange-related URLs are used.
- Filter/Exclusion: Filter by csUriStem to exclude known EWS endpoints such as /EWS/Exchange.asmx or /EWS/ExchangeServicesv12.asmx.

**Scenario: Exchange Server Maintenance Task**
- Description: A maintenance task such as mailbox defragmentation or database cleanup is running on an Exchange server, which may trigger alerts because Exchange web paths appear in the logs.
*Filter