The message's first stop was the Exchange Online environment of Piesec Corp. In this first season os Spoors, we will not focus on the Exchange Online Protection features or the Microsoft Defender for Office features. So this is somewhat a special episode as in this one, we will look at some of the advanced hunting tables available in the Defender 365 portal.
The investigation could have started from different angles. Here are some examples:
- The user reported the email. So we start with the
Message-ID(the default reporting options are allowing the user the report the message as a Phishing attempt. Which the message is not, but at least it would bring awareness of the email to the administrators). - We could have spotted weird things being created from an Excel file
Ahah-Macro.xlsmand look for mail attachment containing the name or the hash of that file.
If we have the identifier of the message we can look for it in the Advanced Audit logs in the compliance center, from the OfficeActivity table in Sentinel or the activity section in MCAS if it was configured to get the Exchange Online activity.
Yes. Something along these lines:
EmailEvents
| where InternetMessageId == "<CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>"
| join kind=leftouter (
EmailAttachmentInfo
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, FileName, FileSize, SHA256
Will return:
| Timestamp | SenderFromAddress | RecipientEmailAddress | Subject | DeliveryAction | DeliveryLocation | FileName | FileSize | SHA256 |
|---|---|---|---|---|---|---|---|---|
| Oct 24, 2021 9:36:58 PM | piaudonn@protonmail.com | verena@piesec.ca | 🎯 Will you open it pretttttty please? | Delivered | Inbox/folder | Ahah-Macro.xlsm | 14321 | 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4 |
If we have the name Ahah-Macro.xlsmAhah-Macro.xlsm or the SHA256 hash 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4 we can check where it got delivered with:
EmailAttachmentInfo
| where FileName =~ "Ahah-Macro.xlsm" or SHA256 == "6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4"
| join kind=leftouter (
EmailEvents
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, FileName, FileSize, SHA256
Will return:
| Timestamp | SenderFromAddress | RecipientEmailAddress | Subject | DeliveryAction | DeliveryLocation | FileName | FileSize | SHA256 |
|---|---|---|---|---|---|---|---|---|
| Oct 24, 2021 9:37:29 PM | piaudonn@protonmail.com | bob@piesec.ca | 🎯 Will you open it pretttttty please? | Delivered | Inbox/folder | Ahah-Macro2.xlsm | 14321 | 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4 |
| Oct 24, 2021 9:36:58 PM | piaudonn@protonmail.com | verena@piesec.ca | 🎯 Will you open it please? | Delivered | Inbox/folder | Ahah-Macro.xlsm | 14321 | 6a45af8da733df25c8625caa983d9c6e60b197b701ab5b369d30f596cf394ca4 |
We can see that bob too has received the message. And we can also see that although the file name is different (Ahah-Macro2.xlsm instead of Ahah-Macro.xlsm) the hash is the same.
We can see at least two recipients received the message. But have they read it? The next request is querying the OfficeActivity from Microsoft Sentinel to determine if the mail was opened.
OfficeActivity
| where Folders contains "<CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>"
| project TimeGenerated, Operation, UserId, MailboxGuid
Will return:
| TimeGenerated | Operation | Operation | UserId | MailboxGuid |
|---|---|---|---|---|
| 10/25/2021, 3:40:03.000 AM | MailItemsAccessed | verena@piesec.ca | d71c21e3-7351-4374-8112-f0b355316a5b |
So we can see that Verena has seen the message. And that Bob has not. We can't know if the attachement was downloaded in our case.
If we have eyes on the devices, we could see the file being written on the disk. Interresting fact, with the Outlook client it seems that the attachement get written on the disk even if the user doesn't click save. When the user selects the attachement and clicks and then sees this:
The file is written on the disk in the path defined here: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder which by default seems to be the following path: C:\Users\<USER>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<SOME RANDOM STRING>\.
Here are the message headers:
Received: from YQBPR0101MB4507.CANPRD01.PROD.OUTLOOK.COM
(2603:10b6:c01:16::20) by YT1PR01MB3212.CANPRD01.PROD.OUTLOOK.COM with HTTPS;
Fri, 27 Aug 2021 14:13:40 +0000
Received: from CH2PR16CA0018.namprd16.prod.outlook.com (2603:10b6:610:50::28)
by YQBPR0101MB4507.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:16::20) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.17; Fri, 27 Aug
2021 14:13:39 +0000
Received: from TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
(2603:10b6:610:50:cafe::b8) by CH2PR16CA0018.outlook.office365.com
(2603:10b6:610:50::28) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4457.19 via Frontend
Transport; Fri, 27 Aug 2021 14:13:38 +0000
Authentication-Results: spf=pass (sender IP is 185.70.40.132)
smtp.mailfrom=protonmail.com; piesec.ca; dkim=pass (signature was verified)
header.d=protonmail.com;piesec.ca; dmarc=pass action=none
header.from=protonmail.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of protonmail.com
designates 185.70.40.132 as permitted sender)
receiver=protection.outlook.com; client-ip=185.70.40.132;
helo=mail-40132.protonmail.ch;
Received: from mail-40132.protonmail.ch (185.70.40.132) by
TO1CAN01FT013.mail.protection.outlook.com (10.152.122.97) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.4457.17 via Frontend Transport; Fri, 27 Aug 2021 14:13:38 +0000
Date: Fri, 27 Aug 2021 14:13:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=protonmail; t=1630073616;
bh=VEhJ3zPZH28J4o3XjLFPxgc1SM55McMhM/XoYjzlqiw=;
h=Date:To:From:Reply-To:Subject:From;
b=Hv7EzcUgH8bcshJnYAqQrE36qLzUQslvxg7KhyqJ0Rqv62Zz6BNKc/986D1daZyQi
M/LWPKXNJiqIgTi447X/YLfiRdem4lvzbWbt7B3WgysDWfK5h5mCAQpCP7IoVUDEMB
rz5+XH3hhADj3J2l4JPYZtQoAxfFKAx5K1gHuFjs=
To: "verena@piesec.ca" <verena@piesec.ca>
From: =?utf-8?B?8J+lpw==?= <piaudonn@protonmail.com>
Reply-To: =?utf-8?B?8J+lpw==?= <piaudonn@protonmail.com>
Subject: =?utf-8?Q?=F0=9F=8E=AF_Will_you_open_it_please=3F?=
Message-ID: <CB2JGuLmZuoy2POL9MECf_KLtKDZWrOKHay-yHd5IMy4k6rN_Fu1K-UgMw3QqwlgvUOQucPivQiww86AjmPXl6xgbbL681C98rFPMJU3qbw=@protonmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="b1_0Pq6VzmQxDxplrTZe62VRMSkf6Uk6Xoa4pCBkYcU1M"
X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE
shortcircuit=no autolearn=disabled version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
mailout.protonmail.ch
Return-Path: piaudonn@protonmail.com
X-MS-Exchange-Organization-ExpirationStartTime: 27 Aug 2021 14:13:38.6946
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
91acff0b-d876-4c5a-9273-08d96964ddb5
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 550a9b78-cb2e-43e0-9c5b-db194784b875:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-AuthSource:
TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: 91acff0b-d876-4c5a-9273-08d96964ddb5
X-MS-TrafficTypeDiagnostic: YQBPR0101MB4507:
X-MS-Exchange-AtpMessageProperties: SA|SL
X-MS-PublicTrafficType: Email
X-MS-Exchange-Organization-SafeAttachmentProcessing:
X-MS-Oob-TLC-OOBClassifiers: OLM:1728;
X-MS-Exchange-Organization-ACSExecutionContext: 08/27/2021 14:13:39;08/27/2021
14:13:39;DropDueToAllKnownVerdict;SC;S;0;01/01/0001 00:00:00;0|0|0|0|;
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
CIP:185.70.40.132;CTRY:CH;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-40132.protonmail.ch;PTR:mail-40132.protonmail.ch;CAT:NONE;SFS:(4636009)(1096003)(6512007)(2616005)(36736006)(85182001)(166002)(7596003)(3450700001)(118246002)(33964004)(356005)(336012)(6486002)(2160300002)(6916009)(7636003)(6506007)(5660300002)(956004)(58800400005)(26005)(86362001)(36756003)(564344004)(99400200001);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Aug 2021 14:13:38.4377
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 91acff0b-d876-4c5a-9273-08d96964ddb5
X-MS-Exchange-CrossTenant-Id: 550a9b78-cb2e-43e0-9c5b-db194784b875
X-MS-Exchange-CrossTenant-AuthSource:
TO1CAN01FT013.eop-CAN01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR0101MB4507
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5924616
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4457.023
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:0;jmr:0;auth:0;dest:I;ENG:(20160514016)(750129)(520011016)(944506458)(944626604);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?9R+E0iobsMjQXXy/IURZemOoURWfc2KZP5smk93zjbvKn7l7+uk+fs9AnVJa?=
...
X-MS-Exchange-Safelinks-Url-KeyVer: 1