Identify unusual identity additions related to EUROPIUM

Hunt Hypothesis

The hypothesis is that an adversary is leveraging unusual identity additions via Exchange PowerShell to establish persistent access within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of user accounts and prevent lateral movement.

KQL Query

DeviceProcessEvents 
| where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"

Analytic Rule Definition

id: 5daf2787-98b1-4c38-8487-107076a97930
name: Identify unusual identity additions related to EUROPIUM
description: |
  This query looks for identity add through exchange PowerShell
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Persistence
query: |
  DeviceProcessEvents 
  | where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"

Required Data Sources

Sentinel Table	Notes
`DeviceProcessEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Persistence

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/EUROPIUM/Identify unusual identity additions related to EUROPIUM.yaml)

False Positive Guidance

Scenario: Scheduled Job for User Provisioning
Description: A legitimate scheduled job runs PowerShell scripts to add users to the Exchange environment during regular business hours.
Filter/Exclusion: ExchangeServerName = "Exchange-Server-01" AND TimeOfDay BETWEEN '08:00' AND '18:00'
Scenario: Admin Task to Add Temporary Users
Description: An admin manually adds temporary users via PowerShell for a short-term project, which is part of standard user management.
Filter/Exclusion: UserAccountStatus = "Temporary" AND UserOU = "OU=TempUsers,DC=example,DC=com"
Scenario: Automated User Sync from AD
Description: A synchronization tool like Azure AD Connect or Microsoft Identity Manager (MIM) adds users to Exchange via PowerShell during sync cycles.
Filter/Exclusion: ProcessName = "AzureADConnect.exe" OR ProcessName = "MIMSync.exe"
Scenario: Test Environment User Creation
Description: A test user is created in a development or test environment using PowerShell, which is part of the DevOps process.
Filter/Exclusion: UserOU = "OU=Test,DC=example,DC=com" OR UserOU = "OU=Dev,DC=example,DC=com"
Scenario: Bulk User Import via CSV
Description: A script imports users from a CSV file into Exchange using PowerShell, commonly used for onboarding new employees.
Filter/Exclusion: ScriptName = "Import-Users.ps1" AND UserOU = "OU=Employees,DC=example,DC=com"