LoFP / Users or processes that send a large number of attachments may trigger this alert; adjust thresholds accordingly.

Techniques

Sample rules

O365 Email Send Attachments Excessive Volume

Description

The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox; email is a simple means of transferring data out of a compromised mailbox. Some legitimate account-owner behavior can also trigger this alert, although such actions may not align with organizational expectations or best-practice behavior.

Detection logic

`o365_messagetrace` Status=Delivered
| eval mailtime = _time
| bin _time span=1hr
| eval user = lower(SenderAddress), recipient = lower(RecipientAddress)
| eval InternetMessageId = lower(MessageId)
| join InternetMessageId, user, _time max=0
    [
    | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf")
    | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time, file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId')
    | bin _time span=1hr
    | eval file_name = mvfilter(NOT match(file_name, "\.jpg|\.png|\.jpeg|\.gif"))
    | search file_name=*
    | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId
    | where count > 25
    | eval file_name = mvjoin(file_name,"|||")
    ]
| eval file_name = split(file_name,"|||")
| stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by subject,user,Organization,InternetMessageId
| eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient))
| search recipient = *
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_email_send_attachments_excessive_volume_filter`
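The same join-and-threshold logic, re-implemented in Python and run over constructed sample events, as an added illustration that is not part of the LoFP page or the Splunk rule. Field names follow the SPL above; the internal-recipient check is simplified to a domain equality where the SPL uses match(), and the sample tenant, users and message IDs are hypothetical.

```python
import re
from datetime import datetime, timezone

THRESHOLD = 25                                      # page rule: where count > 25
IMAGE_RE = re.compile(r"\.jpg|\.png|\.jpeg|\.gif")  # the page's mvfilter(NOT match(...)) pattern

def hour_bin(ts):
    """Mirror `bin _time span=1hr`: truncate an ISO-8601 timestamp to the UTC hour."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)

def excessive_sends(activity):
    """Subsearch: distinct non-image attachment names per (hour, user, InternetMessageId)."""
    names = {}
    for ev in activity:
        if ev["Workload"] != "Exchange" or ev["Operation"] not in ("Send", "SendAs", "SendOnBehalf"):
            continue
        key = (hour_bin(ev["CreationTime"]), ev["UserId"].lower(), ev["Item"]["InternetMessageId"].lower())
        for name in ev["Item"]["Attachments"].split("; "):  # 'Item.Attachments' is "; "-separated
            if name.strip() and not IMAGE_RE.search(name):
                names.setdefault(key, set()).add(name.strip())
    return {k: v for k, v in names.items() if len(v) > THRESHOLD}

def detect(trace, activity):
    """Outer search: join Delivered trace rows to flagged sends; keep external recipients only."""
    flagged, hits = excessive_sends(activity), {}
    for row in trace:
        user = row["SenderAddress"].lower()
        key = (hour_bin(row["_time"]), user, row["MessageId"].lower())
        rcpt = row["RecipientAddress"].lower()
        if row["Status"] != "Delivered" or key not in flagged or rcpt.split("@")[1] == user.split("@")[1]:
            continue  # not delivered, not a flagged send, or an internal recipient (page: regex domain match)
        hit = hits.setdefault((user, key[2]), {"recipients": set(), "count": len(flagged[key])})
        hit["recipients"].add(rcpt)
    return hits

# Constructed sample events for a hypothetical tenant: one bulk send (28 documents + 1 image), one benign send.
MSG = "<bulk-001@contoso.example>"
SAMPLE_ACTIVITY = [
    {"Workload": "Exchange", "Operation": "Send", "UserId": "Alice@contoso.example", "CreationTime": "2024-05-01T10:12:00+00:00",
     "Item": {"InternetMessageId": MSG, "Attachments": "; ".join([f"q{i}_report.xlsx (4096b)" for i in range(1, 29)] + ["logo.png (512b)"])}},
    {"Workload": "Exchange", "Operation": "Send", "UserId": "bob@contoso.example", "CreationTime": "2024-05-01T10:30:00+00:00",
     "Item": {"InternetMessageId": "<ok-002@contoso.example>", "Attachments": "invoice.pdf (9000b); notes.docx (100b)"}},
]
SAMPLE_TRACE = [
    {"Status": "Delivered", "SenderAddress": "alice@contoso.example", "MessageId": MSG, "_time": "2024-05-01T10:12:05+00:00", "RecipientAddress": "helpdesk@contoso.example"},
    {"Status": "Delivered", "SenderAddress": "alice@contoso.example", "MessageId": MSG, "_time": "2024-05-01T10:12:05+00:00", "RecipientAddress": "drop@personal-mail.example"},
    {"Status": "Delivered", "SenderAddress": "bob@contoso.example", "MessageId": "<ok-002@contoso.example>", "_time": "2024-05-01T10:31:00+00:00", "RecipientAddress": "vendor@partner.example"},
]
```

Running `detect(SAMPLE_TRACE, SAMPLE_ACTIVITY)` flags only the bulk sender, with the same-domain helpdesk recipient dropped and the image attachment excluded from the count.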