Office 365 Mail ATP Reports & Splunk

By Phil, 1 year ago

In this post we will cover how to retrieve detailed Office 365 Exchange Online ATP Detail Reports and begin working with them in Splunk.

First, we’ll use Connect-EXOPSSession to initiate a new remote PowerShell session to Exchange Online.
We’ll then use Get-MailDetailATPReport to retrieve details on inbound and outbound phishing attacks and malspam.

Connect-EXOPSSession
Get-MailDetailATPReport -StartDate 2018/08/26 -EndDate 2018/08/27
Date                       Message ID                    Message Trace ID                          Domain                     Subject
-------------------------------------------------------------------------------------------------------------------------------------
...
...
Get-MailDetailATPReport -StartDate 2018/08/26 -EndDate 2018/08/27 | Format-List
Date :
Message ID :
Message Trace ID :
Domain :
Subject :
Message Size :
Direction :
Sender Address :
Recipient Address :
Event Type :
Action :
File Name :
Malware Name :

Let’s look at the Action field. This seems to indicate what type of remediation action was taken on the message, although the documentation states “This parameter is reserved for internal Microsoft use.”

Below are the Action values I’ve observed and my notes:

Blank – delivered as usual?
MessageMoved – ? User manually deleted/moved message???
MoveToJmf – Delivered to Junk Email Folder (or moved there by user?)
NoAction – delivered as usual?
Quarantine – Redirected to Exchange Online Quarantine

Interesting. Let’s export this data to a CSV so we can upload it to Splunk.

Get-MailDetailATPReport -StartDate 2018/08/26 -EndDate 2018/08/27 | Export-CSV -Path ATP_Report.csv -NoTypeInformation

I’ll import this file using the Lookup File Editor App available on Splunkbase, using the lookup filename ATP_20180827.csv.

|inputlookup ATP_20180827.csv
| table *
Date            Action         EventType                 RecipientAddress  SenderAddress       Subject ......
-----------------------------------------------------------------------------------------------------------------------------
8/26/2018 0:30  Quarantine    Malicious URL reputation    joe@contoso.com   malware@actor.com  Please to share files from me!
8/26/2018 0:30                Phish                       joe@contoso.com   malware@actor.com  Please to share files from me!
8/26/2018 0:30  Quarantine    Malicious URL reputation    james@contoso.com   malware@actor.com  Please to share files from me!
8/26/2018 0:30                Phish                       james@contoso.com   malware@actor.com  Please to share files from me!

This phishing message was only sent to two recipients, but we see four result rows because each message was classified by ATP twice (once per EventType).

At least in my dataset, I frequently see that all recipients of a particular message had their delivery redirected to Quarantine or the Junk Email Folder. In this case I don’t feel a particular need to investigate this message.

To make it easier to work with, let’s correlate this data by time and subject line:

| inputlookup ATP_20180827.csv
| stats values(Action) as Actions, values(SenderAddress), values(RecipientAddress), values(EventType), dc(RecipientAddress) as RecipientCount, count(Action) as ActionCount by Date, Subject

Date            Subject                         Actions     values(RecipientAddress)  values(SenderAddress)  values(EventType)         RecipientCount  ActionCount
----------------------------------------------------------------------------------------------------------------------------------------------------------------
8/26/2018 0:30  Please to share files from me!  Quarantine  james@contoso.com         malware@actor.com      Malicious URL reputation  2               2
                                                            joe@contoso.com                                  Phish

Now a result row represents a phishing message with all of its actions and recipients, instead of a single email.
Notice RecipientCount and ActionCount are the same? Assuming that a recipient cannot have more than one action for a single message, this seems to indicate that all recipients had the Action applied – in this case Quarantine. So we can filter out messages where every recipient was quarantined or junked, and keep only those where at least one copy may have reached an inbox:

| inputlookup ATP_20180827.csv
| stats values(Action) as Actions, values(SenderAddress), values(RecipientAddress), values(EventType), dc(RecipientAddress) as RecipientCount, count(Action) as ActionCount by Date, Subject
| eval filter=if((Actions="Quarantine" OR Actions="MoveToJmf") AND RecipientCount=ActionCount, "true", "false")
| search filter="false"
| fields - filter
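To show the correlation and the noise filter working on a case the page does not include (a message that was junked for one recipient but delivered untouched to another), here is an added Python re-implementation of the two searches above. It is not part of the original post and is not Splunk code; the CSV rows are constructed to match the column shape of the ATP_20180827.csv lookup, and the addresses and subjects are invented. It generalizes the eval slightly: any combination of the blocking actions counts as remediated, not just one of them.

```python
"""Re-implementation of the Splunk `stats ... by Date, Subject` correlation and
the `eval filter=...` noise filter from the post, run over a constructed CSV."""
import csv
import io
from collections import defaultdict

# Constructed sample export in the same shape as the ATP_20180827.csv lookup.
# Message 1: quarantined for both recipients, each classified twice (as on the page).
# Message 2: junked for one recipient, but no action recorded for the other.
SAMPLE_CSV = """Date,Action,EventType,RecipientAddress,SenderAddress,Subject
8/26/2018 0:30,Quarantine,Malicious URL reputation,joe@contoso.com,malware@actor.com,Please to share files from me!
8/26/2018 0:30,,Phish,joe@contoso.com,malware@actor.com,Please to share files from me!
8/26/2018 0:30,Quarantine,Malicious URL reputation,james@contoso.com,malware@actor.com,Please to share files from me!
8/26/2018 0:30,,Phish,james@contoso.com,malware@actor.com,Please to share files from me!
8/26/2018 1:15,MoveToJmf,Phish,ann@contoso.com,invoice@actor.example,Invoice attached
8/26/2018 1:15,,Phish,bob@contoso.com,invoice@actor.example,Invoice attached
"""

# Action values that mean the message never landed in the user's inbox (from the post).
BLOCKING_ACTIONS = {"Quarantine", "MoveToJmf"}


def correlate(csv_text):
    """Equivalent of `stats values(...) dc(RecipientAddress) count(Action) by Date, Subject`.
    Like Splunk's values() and count(), blank Action cells are ignored."""
    groups = defaultdict(lambda: {"Actions": set(), "Senders": set(), "Recipients": set(),
                                  "EventTypes": set(), "ActionCount": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        g = groups[(row["Date"], row["Subject"])]
        g["Senders"].add(row["SenderAddress"])
        g["Recipients"].add(row["RecipientAddress"])
        g["EventTypes"].add(row["EventType"])
        if row["Action"]:  # count(Action) / values(Action) skip empty values
            g["Actions"].add(row["Action"])
            g["ActionCount"] += 1
    results = []
    for (date, subject), g in sorted(groups.items()):
        results.append({
            "Date": date, "Subject": subject,
            "Actions": sorted(g["Actions"]),
            "SenderAddress": sorted(g["Senders"]),
            "RecipientAddress": sorted(g["Recipients"]),
            "EventType": sorted(g["EventTypes"]),
            "RecipientCount": len(g["Recipients"]),   # dc(RecipientAddress)
            "ActionCount": g["ActionCount"],          # count(Action)
        })
    return results


def fully_remediated(msg):
    """The post's filter: only blocking actions were taken, and there were as many
    actions as distinct recipients, so no copy was delivered to an inbox."""
    return (bool(msg["Actions"])
            and set(msg["Actions"]) <= BLOCKING_ACTIONS
            and msg["RecipientCount"] == msg["ActionCount"])


def needs_review(csv_text):
    """Equivalent of `| search filter="false"`: messages where at least one
    recipient may have received the mail and an analyst should take a look."""
    return [m for m in correlate(csv_text) if not fully_remediated(m)]


if __name__ == "__main__":
    for m in correlate(SAMPLE_CSV):
        status = "suppressed" if fully_remediated(m) else "REVIEW"
        print(m["Date"], "|", m["Subject"], "|", m["Actions"],
              "| recipients:", m["RecipientCount"], "actions:", m["ActionCount"], "|", status)
```

The constructed second message is the case the filter exists to surface: dc(RecipientAddress) is 2 but count(Action) is 1, so it stays in the result set while the fully quarantined message is suppressed. Note that a blank Action and a NoAction value behave differently here, as they do in Splunk: NoAction is counted, so a message with NoAction for every recipient has matching counts but fails the action check and is still reported.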


| inputlookup ATP_20180827.csv
| stats values(Action) as Actions, values(SenderAddress), values(RecipientAddress), values(Subject), values(EventType), dc(RecipientAddress) as RecipientCount, count(Action) as ActionCount by Date

Date Subject Actions values(RecipientAddress) values(SenderAddress) values(EventType) RecipientCount ActionCount
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
No results found.

Noise suppressed!!

Explore your own results and let us know if you see anything interesting!
