
Silk Typhoon Suspicious UM Service Error

Query language: KQL · Severity: Low · Repository: Azure-Sentinel
Technique: T1190
Tags: exploit, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-04-19T09:00:00Z · Confidence: medium

Hunt Hypothesis

Attackers may be exploiting a vulnerability in the Exchange Unified Messaging (UM) service to execute arbitrary code; the suspicious UM worker process errors this rule looks for are mapped to T1190. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potentially compromised Exchange servers before the attacker progresses further.

KQL Query

Event
| where EventLog =~ "Application"
| where Source startswith "MSExchange"
| where EventLevelName =~ "error"
| where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service" or RenderedDescription contains "MSExchange Unified Messaging"
| where RenderedDescription !contains "System.OutOfMemoryException"
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
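To see exactly which rows the where-clauses keep, here is the same predicate re-implemented in Python and run over constructed Exchange Application-log events. This is an added example, not part of the Sentinel rule; the `_ev` helper and the sample rows are constructed, and the helpers reproduce the case-insensitive behaviour of KQL's `=~`, `startswith` and `contains`.

```python
def _ev(computer, source, level, desc, log="Application"):
    return {"Computer": computer, "EventLog": log, "Source": source,
            "EventLevelName": level, "RenderedDescription": desc}

# Constructed sample rows shaped like the Event table columns the rule reads (not real telemetry).
SAMPLE_EVENTS = [
    _ev("exch01.corp.example", "MSExchange Unified Messaging", "Error",
        "Watson report about to be sent for process id: 4120, umworkerprocess ... TextFormattingRunProperties"),
    _ev("exch01.corp.example", "MSExchange Unified Messaging", "Error",
        "The Microsoft Exchange Unified Messaging service stopped: System.OutOfMemoryException"),
    _ev("exch01.corp.example", "MSExchange Unified Messaging", "Warning",
        "An unhandled exception occurred in a UM worker process (PID 4120)."),
    _ev("exch01.corp.example", "ESENT", "Error", "Watson report ... umworkerprocess TextFormattingRunProperties"),
    _ev("EXCH02", "MSExchangeUM", "error", "An unhandled exception occurred in a UM worker process.", log="application"),
]

def _starts(s, prefix):  # KQL startswith is case-insensitive
    return s.lower().startswith(prefix.lower())

def _has(s, needle):  # KQL contains / !contains are case-insensitive
    return needle.lower() in s.lower()

def matches_rule(ev):
    """Return True if one event row passes every where-clause of the rule."""
    desc = ev.get("RenderedDescription", "")
    if (ev.get("EventLog", "").lower() != "application"            # EventLog =~ "Application"
            or not _starts(ev.get("Source", ""), "MSExchange")      # Source startswith "MSExchange"
            or ev.get("EventLevelName", "").lower() != "error"):    # EventLevelName =~ "error"
        return False
    um_error = (
        (_starts(desc, "Watson report") and _has(desc, "umworkerprocess")
         and _has(desc, "TextFormattingRunProperties"))
        or _starts(desc, "An unhandled exception occurred in a UM worker process")
        or _starts(desc, "The Microsoft Exchange Unified Messaging service")
        or _has(desc, "MSExchange Unified Messaging")
    )
    # The final clause drops resource-exhaustion crashes that share the same UM wording.
    return um_error and not _has(desc, "System.OutOfMemoryException")

def host_fields(computer):
    # Mirror the extend lines: HostName = text before the first dot; HostNameDomain = text after it, else whole name.
    idx = computer.find(".")                       # indexof(Computer, '.') is -1 when there is no dot
    return {"HostName": computer.split(".")[0],
            "HostNameDomain": computer[idx + 1:] if idx != -1 else computer}

def run_rule(events):
    # Rows that pass every where-clause, with the columns the entity mappings read appended.
    return [{**ev, **host_fields(ev["Computer"])} for ev in events if matches_rule(ev)]
```

Of the five constructed rows only the first and last fire: the OutOfMemoryException row, the Warning-level row and the non-MSExchange source are all dropped. Note that `contains "MSExchange Unified Messaging"` matches on description text alone, so the OutOfMemoryException exclusion is the only tuning the rule carries; expect to add local exclusions after baselining.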

Analytic Rule Definition

id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
name: Silk Typhoon Suspicious UM Service Error
description: |
  'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
severity: Low
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  Event
  | where EventLog =~ "Application"
  | where Source startswith "MSExchange"
  | where EventLevelName =~ "error"
  | where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service" or RenderedDescription contains "MSExchange Unified Messaging"
  | where RenderedDescription !contains "System.OutOfMemoryException"
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.0.4
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml