Adversaries can abuse the ProxyShell SSRF vulnerability in on-premises Exchange to reach back-end services through the public Autodiscover endpoint, and from there to read mailbox data or, in the full chain, execute arbitrary PowerShell on the server. Because the requests arrive as ordinary HTTPS traffic to a front-end virtual directory that must be exposed for mail clients, perimeter controls let them through; the IIS logs on the Exchange server are where the attempt is visible. SOC teams should run this hunt in Azure Sentinel proactively so that ProxyShell exploitation attempts are identified before they lead to data exfiltration or lateral movement.
KQL Query
```kusto
let successCodes = dynamic([200, 302, 401]);
W3CIISLog
| where scStatus has_any (successCodes)
| where ipv4_is_private(cIP) == False
| where csUriStem hasprefix "/autodiscover/autodiscover.json"
| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri
| where (csUriQuery !has "Protocol" and isnotempty(csUriQuery))
  or (csUriQuery has_any("/mapi/", "powershell"))
  or (csUriQuery contains "@" and csUriQuery matches regex @"\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\/)")
  or (csUriQuery contains ":" and csUriQuery matches regex @"\:[0-9]{2,4}\/")
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])
```
```yaml
id: 968358d6-6af8-49bb-aaa4-187b3067fb95
name: Exchange SSRF Autodiscover ProxyShell - Detection
description: |
  'This query looks for suspicious request patterns to Exchange servers that fit patterns recently blogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange which eventually allows the attacker to execute arbitrary Powershell on the server.
  In the example powershell can be used to write an email to disk with an encoded attachment containing a shell.
  Reference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1'
severity: High
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
queryFrequency: 12h
queryPeriod: 12h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  let successCodes = dynamic([200, 302, 401]);
  W3CIISLog
  | where scStatus has_any (successCodes)
  | where ipv4_is_private(cIP) == False
  | where csUriStem hasprefix "/autodiscover/autodiscover.json"
  | project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri
  | where (csUriQuery !has "Protocol" and isnotempty(csUriQuery))
    or (csUriQuery has_any("/mapi/", "powershell"))
    or (csUriQuery contains "@" and csUriQuery matches regex @"\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\/)")
    or (csUriQuery contains ":" and csUriQuery matches regex @"\:[0-9]{2,4}\/")
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: csUserName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: cIP
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: _ResourceId
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Thomas McElroy
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| W3CIISLog | Ensure this data connector is enabled |
Scenario: Admin Performing Scheduled Job to Autodiscover Mailboxes
Description: An administrator runs a scheduled Exchange connectivity test (for example Test-OutlookWebServices, which exercises the Autodiscover service) to verify mailbox configuration; the resulting Autodiscover requests can resemble the exploit's request pattern.
Filter/Exclusion: IIS logs record neither the calling process nor its command line, so the exclusion cannot be keyed on powershell.exe or a cmdlet name. Exclude on what the log does carry: the source address (cIP) of the administrative host and the service account in csUserName. A job run from the internal network is already dropped by the `ipv4_is_private(cIP)` filter, so this only matters when the test runs from a public or cloud-hosted address.
Scenario: Internal Tool for Email Connectivity Testing
Description: A legitimate internal tool such as Test-Connectivity.ps1 or ExchangeConnectivityTest.exe validates email server configuration and may mimic the exploit's request pattern.
Filter/Exclusion: Exclude the source IP ranges used by the organisation's IT or DevOps tooling. Since the query already drops RFC 1918 addresses, this is only needed for tools that reach Exchange from public or cloud-hosted ranges; allow-list those specific addresses rather than widening the private-IP exclusion.
Scenario: Proxy Server or Load Balancer Performing Autodiscover Requests
Description: A reverse proxy or load balancer (e.g., F5 BIG-IP, NGINX, or Azure Front Door) in front of Exchange issues Autodiscover requests as health probes or to validate its own configuration.
Filter/Exclusion: Exclude the proxy's or load balancer's own addresses only for the probe requests themselves, and check first whether the device preserves the client address. When it does not, every external request is logged with the device's (often private) IP as cIP, the `ipv4_is_private(cIP)` filter silently discards attacker traffic along with the probes, and a blanket exclusion of the device's address would blind the rule entirely. In that case log the forwarded client address (for example the X-Forwarded-For header via IIS custom logging fields) and filter on that instead.
Scenario: User-Initiated Autodiscover for Email Client Configuration
Description: A user configures an email client (e.g., Outlook) and the client performs an Autodiscover request to the Exchange server on the user's behalf.
Filter/Exclusion: Ordinary Autodiscover v2 requests carry a `Protocol=` parameter and no `/mapi/` or `powershell` path segment, so they fail the query's first two conditions and rarely fire. Where they do, filter on the client's user agent (Outlook desktop identifies itself with a `Microsoft Office/16.0 (...; Microsoft Outlook 16.0...)` string; note that Microsoft-Server-ActiveSync is a virtual directory name, not a user-agent value) or on accounts with known legitimate Autodiscover use. The query as written drops csUserAgent in its `project` step, so add that column there before filtering on it.
Scenario: Exchange Management Shell (EMS) Task for Mailbox Configuration
Description: An Exchange administrator is