Silk Typhoon actors may exfiltrate data by sending suspicious HTTP requests to Exchange servers with specific URL patterns. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential data exfiltration attempts early.
KQL Query

```kql
let exchange_servers = (
W3CIISLog
| where TimeGenerated > ago(14d)
| where sSiteName =~ "Exchange Back End"
| summarize by Computer);
W3CIISLog
| where TimeGenerated > ago(1d)
| where Computer in (exchange_servers)
| where csUriQuery startswith "t="
| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])
```
```yaml
id: 23005e87-2d3a-482b-b03d-edbebd1ae151
name: Silk Typhoon Suspicious Exchange Request
description: |
  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors.
  The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  let exchange_servers = (
  W3CIISLog
  | where TimeGenerated > ago(14d)
  | where sSiteName =~ "Exchange Back End"
  | summarize by Computer);
  W3CIISLog
  | where TimeGenerated > ago(1d)
  | where Computer in (exchange_servers)
  | where csUriQuery startswith "t="
  | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(csUserName, "@")[0]), AccountUPNSuffix = tostring(split(csUserName, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: csUserName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: cIP
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Intelligence" ]
```
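To see exactly what the rule above matches, here is an offline replay of the same logic over raw IIS W3C log lines. This is an added example, not code from the rule or from Microsoft: it parses the `#Fields` header into the `W3CIISLog` column names the KQL references, learns which hosts serve the "Exchange Back End" site over the 14-day window, then flags requests to those hosts in the last day whose `csUriQuery` starts with `t=`, deriving the same `HostName`, `HostNameDomain`, `AccountName` and `AccountUPNSuffix` columns the entity mappings use. The log lines, host names, IPs, user agents and the fixed "now" are all constructed; the `known_agents` allow-list is a tuning hook that is not part of the KQL.

```python
"""Offline replay of the Silk Typhoon Exchange request hunt over IIS W3C log lines."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# IIS W3C field names mapped to the column names the AzureMonitor(IIS) connector
# exposes in the W3CIISLog table (the ones the KQL references).
FIELD_MAP = {
    "s-sitename": "sSiteName", "s-computername": "sComputerName",
    "cs-method": "csMethod", "cs-uri-stem": "csUriStem", "cs-uri-query": "csUriQuery",
    "cs-username": "csUserName", "c-ip": "cIP", "cs(User-Agent)": "csUserAgent",
    "sc-status": "scStatus",
}

# Constructed sample log. IIS writes "-" for an empty field and "+" for a space.
# s-computername is given as an FQDN here because the Sentinel Computer column
# carries the agent's FQDN, which the KQL splits on "." (constructed assumption).
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename s-computername cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2021-03-01 10:00:00 Exchange+Back+End EXCH01.contoso.local GET /owa/auth/logon.aspx - - 10.0.0.5 Mozilla/5.0 200
2021-03-02 10:05:12 Exchange+Back+End EXCH01.contoso.local POST /owa/auth/logon.aspx t=abcd1234 alice@contoso.com 198.51.100.23 python-requests/2.25.1 200
2021-03-02 10:06:40 Exchange+Back+End EXCH01.contoso.local GET /ecp/default.flt - - 10.0.0.7 Mozilla/5.0 200
2021-03-02 10:07:01 Default+Web+Site WEB01.contoso.local GET /index.html t=99 - 10.0.0.9 Mozilla/5.0 200
2021-03-02 10:08:30 Exchange+Back+End EXCH01.contoso.local GET /ews/exchange.asmx t=monitor bob@contoso.com 10.0.0.50 SolarWinds-Monitor/1.0 200
"""
SAMPLE_NOW = datetime(2021, 3, 2, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C lines into W3CIISLog-shaped records; malformed lines are skipped."""
    fields: list[str] = []
    records: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [FIELD_MAP.get(f, f) for f in line.split()[1:]]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # do not guess field alignment on a broken line
        rec = {k: unquote_plus(v) for k, v in zip(fields, values)}
        stamp = f"{rec.pop('date')} {rec.pop('time')}"
        rec["TimeGenerated"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["Computer"] = rec["sComputerName"]
        records.append(rec)
    return records


def enrich(rec: dict) -> dict:
    """Derive the same columns as the KQL extend steps (used by the entity mappings)."""
    computer, user = rec["Computer"], rec["csUserName"]
    host, _, domain = computer.partition(".")      # split(Computer, ".")[0] / substring after the dot
    account, _, suffix = user.partition("@")       # split(csUserName, "@")[0] / [1] ("" when absent)
    return {**rec, "HostName": host,
            "HostNameDomain": domain if domain else computer,
            "AccountName": account, "AccountUPNSuffix": suffix}


def hunt(records: list[dict], now: datetime, known_agents: tuple[str, ...] = ()) -> list[dict]:
    """Replay of the KQL: learn Exchange Back End hosts over 14d, flag 't=' queries in the last 1d.
    known_agents excludes known tool user agents (a tuning hook, not part of the KQL)."""
    exchange_servers = {
        r["Computer"] for r in records
        if r["TimeGenerated"] > now - timedelta(days=14)
        and r["sSiteName"].lower() == "exchange back end"  # KQL =~ is case-insensitive
    }
    hits = []
    for r in records:
        if r["TimeGenerated"] <= now - timedelta(days=1) or r["Computer"] not in exchange_servers:
            continue
        if not r["csUriQuery"].startswith("t="):
            continue
        if any(agent in r["csUserAgent"] for agent in known_agents):
            continue
        hits.append(enrich(r))
    return hits


def demo(known_agents: tuple[str, ...] = ()) -> list[dict]:
    """Run the hunt over the constructed sample."""
    return hunt(parse_w3c(SAMPLE_W3C_LOG), SAMPLE_NOW, known_agents)


if __name__ == "__main__":
    for h in demo():
        print(h["TimeGenerated"], h["HostName"], h["csUriStem"], h["csUriQuery"], h["AccountName"], h["cIP"])
```

Running it flags the two `t=` requests to the Exchange Back End host and ignores the `t=` request to the ordinary web server and the request older than one day; passing `demo(("SolarWinds-Monitor",))` drops the monitoring-tool request and leaves only the external `python-requests` hit.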
| Sentinel Table | Notes |
|---|---|
| W3CIISLog | Ensure this data connector is enabled |
Scenario: Scheduled Exchange Backup Job
Description: A legitimate scheduled backup job using Veeam Backup & Replication or Microsoft Azure Backup is making repeated requests to an Exchange server.
Filter/Exclusion: Check for request_uri containing /Microsoft-Server-ActiveSync or /EWS with a known backup tool’s IP or user agent.
Scenario: Admin Task - Mailbox Migration
Description: An administrator is performing a mailbox migration using the Exchange Management Shell (EMS), which involves multiple requests to Exchange endpoints.
Filter/Exclusion: Filter by user_agent containing “Exchange Management Shell” or source_ip matching the admin’s known IP address.
Scenario: Exchange Online PowerShell Connectivity Test
Description: A PowerShell remoting session is being used to test connectivity to Exchange Online, which may generate suspicious-looking request patterns.
Filter/Exclusion: Filter by request_method POST and request_uri containing /PowerShell or check for user_agent containing “Microsoft.Exchange.Management.PowerShell.E2010”.
Scenario: Internal Monitoring Tool Polling Exchange
Description: An internal monitoring tool like SolarWinds LEM or Splunk is polling Exchange for metrics, generating frequent and patterned requests.
Filter/Exclusion: Check for request_uri containing /ews/exchange.asmx or request_method GET with a known monitoring tool’s IP or user agent.
Scenario: Exchange ActiveSync Device Sync
Description: A mobile device is syncing with an Exchange server via Exchange ActiveSync (EAS), which can generate a high volume of small requests.
Filter/Exclusion: Filter by request_uri containing `/Microsoft-