| ID | Technique | Tactic |
|---|---|---|
| T1114.001 | Local Email Collection | Collection |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1485 | Data Destruction | Impact |
Detection: O365 Email Send and Hard Delete Exfiltration Behavior
Description
The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner.
Search
1`o365_messagetrace` Status=Delivered
2
3| eval mailtime = _time
4
5| bin _time span=1hr
6
7| eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
8
9| eval InternetMessageId = lower(MessageId)
10
11| join InternetMessageId, user, max=0
12 [
13
14| search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
15
16| eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
17
18| eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time)
19
20| eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time)
21
22| bin _time span=1hr
23
24| stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user
25
26| where opcount > 1 AND firstTime < lastTime
27 ]
28
29| stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization
30
31| eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)
32
33| where externalRecipient = 1
34
35| `security_content_ctime(firstTime)`
36
37| `security_content_ctime(lastTime)`
38
39| `o365_email_send_and_hard_delete_exfiltration_behavior_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Office 365 Reporting Message Trace | N/A | 'o365:reporting:messagetrace' |
'o365' |
| Office 365 Universal Audit Log | N/A | 'o365:management:activity' |
'o365' |
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_email_send_and_hard_delete_exfiltration_behavior_filter | search * |
o365_email_send_and_hard_delete_exfiltration_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Actions on Objectives
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
Known False Positives
Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| recipient | user | 40 | subject |
| user | user | 40 | subject |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1