Merge branch 'main' into deprecate-deprecated-rules

Aegrah · web-flow · commit ae876550b1b0 · 2025-06-27T10:02:19.000+02:00
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -198,7 +198,9 @@
   },
    "logs-o365.audit-*": {
      "o365.audit.ExtendedProperties.ResultStatusDetail": "keyword",
-     "o365.audit.OperationProperties.Value": "keyword"
+     "o365.audit.OperationProperties.Name": "keyword",
+     "o365.audit.OperationProperties.Value": "keyword",
+     "o365.audit.OperationCount": "long"
   },
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
diff --git a/hunting/cross-platform/docs/potentially_spoofed_microsoft_authentication_domain.md b/hunting/cross-platform/docs/potentially_spoofed_microsoft_authentication_domain.md
@@ -0,0 +1,69 @@
+# Potential Spoofed `microsoftonline.com` via Fuzzy Match
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query identifies potential spoofed domain activity targeting Microsoft online services by detecting fuzzy matches to the domain `microsoftonline.com`. The approach uses approximate string matching (fuzziness) on domain and URL fields, then scores each result by similarity. A static confidence threshold is applied to filter out high-confidence legitimate matches while surfacing potential typosquats and lookalikes.
+
+This technique is useful for identifying phishing campaigns, misconfigured infrastructure, or domain squatting activity targeting Microsoft users and applications. It relies on string similarity scoring and known-good domain exclusions to reduce false positives and focus the hunt on medium- to high-risk spoofed domains.
+
+- **UUID:** `e912f5c6-eed3-11ef-a5d7-6f9f7a1e2e00`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [network_traffic](https://docs.elastic.co/integrations/network_traffic), [system](https://docs.elastic.co/integrations/system), [azure](https://docs.elastic.co/integrations/azure), [o365](https://docs.elastic.co/integrations/o365), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `[ES|QL]`
+- **Source File:** [Potential Spoofed `microsoftonline.com` via Fuzzy Match](../queries/potentially_spoofed_microsoft_authentication_domain.toml)
+
+## Query
+
+```sql
+FROM logs-* METADATA _score
+| WHERE (
+    url.domain IS NOT NULL OR
+    url.original IS NOT NULL OR
+    destination.domain IS NOT NULL OR
+    dns.question.name IS NOT NULL
+)
+| EVAL domain = COALESCE(url.domain, url.original, destination.domain, dns.question.name)::STRING
+| WHERE NOT(
+    domain RLIKE "^(login|portal|api)\\.microsoftonline\\.com$" OR
+    domain RLIKE ".*\\.onmicrosoft\\.com$" OR
+    domain == "microsoftonline.com")
+| WHERE (
+    match(url.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(url.original, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(destination.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(dns.question.name, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 })
+)
+| EVAL confidence = CASE(
+    _score >= 5.999, "low",
+    _score > 4, "medium",
+    "high"
+)
+| WHERE confidence != "low"
+   OR domain IN ("micsrosoftonline.com", "outlook-office.micsrosoftonline.com")
+| SORT _score DESC
+| KEEP @timestamp, source.ip, user.id, domain, _score, confidence
+```
+
+## Notes
+
+- Investigate domains that resemble `microsoftonline.com` but have slight character substitutions (e.g., `micros0ftonline.com`, `m1crosoftonline.com`).
+- Fuzzy matching assigns a `_score` based on edit distance. Higher scores mean a closer match to the legitimate domain.
+- Only medium- and high-confidence results are surfaced by excluding `_score >= 6`, which usually represents exact or near-exact matches.
+- Legitimate Microsoft domains like `login.microsoftonline.com`, `portal.microsoftonline.com`, and tenant domains ending in `.onmicrosoft.com` are excluded from results to reduce noise.
+- Results are ranked by `_score DESC` and tagged with a confidence level: `low`, `medium`, or `high`.
+- This query is best used interactively during hunts and may require tuning for specific environments with high Microsoft traffic.
+
+## MITRE ATT&CK Techniques
+
+- [T1566.002](https://attack.mitre.org/techniques/T1566/002)
+- [T1583.001](https://attack.mitre.org/techniques/T1583/001)
+
+## References
+
+- https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/cross-platform/queries/potentially_spoofed_microsoft_authentication_domain.toml b/hunting/cross-platform/queries/potentially_spoofed_microsoft_authentication_domain.toml
@@ -0,0 +1,56 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunting query identifies potential spoofed domain activity targeting Microsoft online services by detecting fuzzy matches to the domain `microsoftonline.com`. The approach uses approximate string matching (fuzziness) on domain and URL fields, then scores each result by similarity. A static confidence threshold is applied to filter out high-confidence legitimate matches while surfacing potential typosquats and lookalikes.
+
+This technique is useful for identifying phishing campaigns, misconfigured infrastructure, or domain squatting activity targeting Microsoft users and applications. It relies on string similarity scoring and known-good domain exclusions to reduce false positives and focus the hunt on medium- to high-risk spoofed domains.
+"""
+integration = ["endpoint", "network_traffic", "system", "azure", "o365", "windows"]
+uuid = "e912f5c6-eed3-11ef-a5d7-6f9f7a1e2e00"
+name = "Potential Spoofed `microsoftonline.com` via Fuzzy Match"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "Investigate domains that resemble `microsoftonline.com` but have slight character substitutions (e.g., `micros0ftonline.com`, `m1crosoftonline.com`).",
+    "Fuzzy matching assigns a `_score` based on edit distance. Higher scores mean a closer match to the legitimate domain.",
+    "Only medium- and high-confidence results are surfaced by excluding `_score >= 6`, which usually represents exact or near-exact matches.",
+    "Legitimate Microsoft domains like `login.microsoftonline.com`, `portal.microsoftonline.com`, and tenant domains ending in `.onmicrosoft.com` are excluded from results to reduce noise.",
+    "Results are ranked by `_score DESC` and tagged with a confidence level: `low`, `medium`, or `high`.",
+    "This query is best used interactively during hunts and may require tuning for specific environments with high Microsoft traffic."
+]
+mitre = ["T1566.002", "T1583.001"]
+query = [
+'''
+FROM logs-* METADATA _score
+| WHERE @timestamp > now() - 30 day
+| WHERE (
+    url.domain IS NOT NULL OR
+    url.original IS NOT NULL OR
+    destination.domain IS NOT NULL OR
+    dns.question.name IS NOT NULL
+)
+| EVAL domain = COALESCE(url.domain, url.original, destination.domain, dns.question.name)::STRING
+| WHERE NOT(
+    domain RLIKE "^(login|portal|api)\\.microsoftonline\\.com$" OR
+    domain RLIKE ".*\\.onmicrosoft\\.com$" OR
+    domain == "microsoftonline.com")
+| WHERE (
+    match(url.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(url.original, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(destination.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
+    match(dns.question.name, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 })
+)
+| EVAL confidence = CASE(
+    _score >= 5.999, "low",
+    _score > 4, "medium",
+    "high"
+)
+| WHERE confidence != "low"
+   OR domain IN ("micsrosoftonline.com", "outlook-office.micsrosoftonline.com")
+| SORT _score DESC
+| KEEP @timestamp, source.ip, user.id, domain, _score, confidence
+'''
+]
+references = [
+  "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/"
+]
diff --git a/hunting/index.md b/hunting/index.md
@@ -41,6 +41,10 @@ Here are the queries currently available:
 - [Microsoft Entra Infrequent Suspicious OData Client Requests](./azure/docs/entra_suspicious_odata_client_requests.md) (ES|QL)
 
 
+## cross-platform
+- [Potential Spoofed `microsoftonline.com` via Fuzzy Match](./cross-platform/docs/potentially_spoofed_microsoft_authentication_domain.md) (ES|QL)
+
+
 ## linux
 - [Defense Evasion via Capitalized Process Execution](./linux/docs/defense_evasion_via_capitalized_process_execution.md) (ES|QL)
 - [Drivers Load with Low Occurrence Frequency](./linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
@@ -771,3 +771,10 @@ azure:
     path: ./azure/queries/entra_rare_actions_by_service_principal.toml
     mitre:
     - T1098.001
+cross-platform:
+  e912f5c6-eed3-11ef-a5d7-6f9f7a1e2e00:
+    name: Potential Spoofed `microsoftonline.com` via Fuzzy Match
+    path: ./cross-platform/queries/potentially_spoofed_microsoft_authentication_domain.toml
+    mitre:
+    - T1566.002
+    - T1583.001
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.2.24"
+version = "1.2.25"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml b/rules/integrations/o365/collection_microsoft_365_excessive_mail_items_accessed.toml
@@ -0,0 +1,146 @@
+[metadata]
+creation_date = "2025/06/17"
+integration = ["o365"]
+maturity = "production"
+updated_date = "2025/06/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or
+throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses
+mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive
+mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a
+target's mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
+"""
+false_positives = [
+    """
+    Legitimate users may access a large number of mailbox items in a short period, especially in environments with high
+    email volume or during data migrations. If this is expected behavior, consider adjusting the rule or adding
+    exceptions for specific users or groups.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-o365.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Excessive Microsoft 365 Mailbox Items Accessed"
+note = """## Triage and analysis
+
+### Investigating Excessive Microsoft 365 Mailbox Items Accessed
+
+Identifies an excessive number of Microsoft 365 mailbox items accessed by a user either via aggregated counts or throttling. Microsoft audits mailbox access via the MailItemsAccessed event, which is triggered when a user accesses mailbox items. If more than 1000 mailbox items are accessed within a 24-hour period, it is then throttled. Excessive mailbox access may indicate an adversary attempting to exfiltrate sensitive information or perform reconnaissance on a target's mailbox. This rule detects both the throttled and unthrottled events with a high threshold.
+
+### Possible investigation steps
+- Review `host.name` to identify the tenant where the mailbox access occurred.
+- Review `o365.audit.UserId` or `o365.audit.MailboxOwnerUPN` to identify the user associated with the mailbox access.
+- Examine `o365.audit.ExternalAccess` to determine if the mailbox access was performed by an external user or application.
+- Check the geolocation data to identify the location from which the mailbox access occurred. Is this an expected location for the user?
+- Check `o365.audit.ClientAppId` to identify the application used for mailbox access. Look for any unusual or unexpected applications but be aware that some legitimate applications may also trigger this rule if OAuth phishing was used.
+- Review `o365.audit.Folders.Path` and `o365.audit.Folders.FolderItems.Id` to identify the specific folders and items accessed within the mailbox. Look for any sensitive or high-value folders that may indicate targeted access.
+- For specific items accessed, examine `o365.audit.Folders.FolderItems.Id` to gather more context on the accessed mailbox items.
+- User types can be identified by checking `o365.audit.UserType`. Review if the mailbox of the user is a member, admin or delegate.
+- If Entra ID logs are available, checking the risk status via `azure.signinlogs.properties.risk_state` and `azure.signinlogs.properties.risk_level` can provide additional context on the user's risk status during the mailbox access.
+
+### False positive analysis
+- Legitimate users may access a large number of mailbox items in a short period, especially in environments with high email volume or during data migrations. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.
+- Automated processes or scripts that access mailbox items may also trigger this rule. If these processes are legitimate and necessary, consider adding exceptions for the specific applications or users involved.
+- Users with high email activity, such as helpdesk or support roles, may trigger this rule due to their job responsibilities. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users or groups.
+
+### Response and remediation
+- Investigate the user account associated with the excessive mailbox access to determine if it has been compromised or if the activity is expected behavior.
+- If the mailbox access is confirmed to be suspicious or unauthorized, take immediate action to revoke the access token and prevent further access.
+- Disable the user account temporarily to prevent any potential compromise or unauthorized access.
+- Review the user's recent sign-in activity and access patterns to identify any potential compromise or unauthorized access.
+- If the user account is compromised, initiate a password reset and enforce multi-factor authentication (MFA) for the user.
+- Review the conditional access policies in place to ensure they are sufficient to prevent unauthorized access to sensitive resources.
+- Examine how the mailbox access was performed. If it was done via a third-party application, review the permissions granted to that application and consider revoking them if they are not necessary.
+"""
+references = [
+    "https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts#use-mailitemsaccessed-audit-records-for-forensic-investigations",
+    "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
+]
+risk_score = 47
+rule_id = "7fc95782-4bd1-11f0-9838-f661ea17fbcd"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Email",
+    "Data Source: Microsoft 365",
+    "Data Source: Microsoft 365 Audit Logs",
+    "Use Case: Threat Detection",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "o365.audit" and
+    event.provider: "Exchange" and
+    event.action: "MailItemsAccessed" and
+    event.code: "ExchangeItemAggregated" and
+    (
+        (
+            o365.audit.OperationProperties.Name: "IsThrottled" and
+            o365.audit.OperationProperties.Value: "True"
+        ) or o365.audit.OperationCount >= 100
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1114"
+name = "Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/"
+[[rule.threat.technique.subtechnique]]
+id = "T1114.002"
+name = "Remote Email Collection"
+reference = "https://attack.mitre.org/techniques/T1114/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+    "user.id",
+    "user.name",
+    "user.email",
+    "user.domain",
+    "event.id",
+    "event.action",
+    "event.outcome",
+    "event.provider",
+    "source.ip",
+    "related.ip",
+    "related.user",
+    "o365.audit.ClientAppId",
+    "o365.audit.AppId",
+    "o365.audit.AppAccessContext.UniqueTokenId",
+    "o365.audit.OperationCount",
+    "o365.audit.MailboxOwnerUPN",
+    "o365.audit.MailboxOwnerSid",
+    "o365.audit.MailboxGuid",
+    "o365.audit.UserKey",
+    "o365.audit.LogonUserSid",
+    "o365.audit.TokenTenantId",
+    "o365.audit.OriginatingServer",
+    "o365.audit.ClientInfoString",
+    "o365.audit.CreationTime",
+    "o365.audit.ResultStatus",
+    "source.geo.country_iso_code",
+    "source.geo.country_name",
+    "source.geo.continent_name",
+    "source.geo.location",
+    "cloud.account.id",
+    "cloud.provider",
+    "cloud.region",
+    "cloud.service.name",
+]
+
