Attackers may disguise phishing content or malicious payloads as email storage quota warnings, flooding user inboxes so that the messages blend into routine notifications and evade traditional detection mechanisms. Proactively hunting for this behaviour in Azure Sentinel can help identify lateral movement or data exfiltration disguised as legitimate email activity.
YARA Rule
rule Email_quota_limit_warning : mail
{
    meta:
        Author = "Tyler Linne <@InfoSecTyler>"
        Description = "Rule to prevent against known email quota limit phishing campaign"
    strings:
        $eml_01 = "From:" // Added eml context
        $eml_02 = "To:"
        $eml_03 = "Subject:"
        $subject1 = { 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // "Dear <name> Account Users"; range allows for different company names to be accepted
        $hello1 = { 44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73 } // Same byte pattern as $subject1, counted separately in the condition
        $body1 = "You have exceded" nocase // Misspelling kept as it appears in the campaign text
        $body2 = { 65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66 } // "e-mail account limit quota of"; the quota "upgrade" size that follows is not matched
        $body3 = "requested to expand it within 24 hours" nocase
        $body4 = "e-mail account will be disable from our database" nocase
        $body5 = "simply click with the complete information" nocase
        $body6 = "requested to expand your account quota" nocase
        $body7 = { 54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 [0-11] 20 57 65 62 6d 61 69 6c } // "Thank you for using <name> Webmail"; range allows for different company names to be accepted
    condition:
        all of ($eml_*) and
        1 of ($subject*) and
        1 of ($hello*) and
        4 of ($body*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 12 string patterns in its detection logic.
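To see how the strings and the "all of / 1 of / 4 of" condition combine, the following added example (not part of the original rule or its author's tooling) re-implements the rule's matching logic in plain Python and runs it over two constructed messages: a lure in the campaign's style and a benign admin quota summary. The hex strings and their `[0-11]` jumps are translated into byte regexes; the `nocase` strings are compared case-insensitively, as YARA would. Production deployment still uses yara itself; this only illustrates the logic.

```python
import re

# Added approximation of the rule's string and condition semantics; not YARA.
HEADER_STRINGS = {"eml_01": b"From:", "eml_02": b"To:", "eml_03": b"Subject:"}  # case-sensitive
NOCASE_STRINGS = {  # the rule's `nocase` text strings, spelling kept exactly as in the rule
    "body1": "You have exceded",
    "body3": "requested to expand it within 24 hours",
    "body4": "e-mail account will be disable from our database",
    "body5": "simply click with the complete information",
    "body6": "requested to expand your account quota",
}
HEX_STRINGS = {  # hex strings with [min-max] jumps, copied from the rule
    "subject1": "44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73",
    "hello1": "44 65 61 72 20 [0-11] 20 41 63 63 6f 75 6e 74 20 55 73 65 72 73",
    "body2": "65 2d 6d 61 69 6c 20 61 63 63 6f 75 6e 74 20 6c 69 6d 69 74 20 71 75 6f 74 61 20 6f 66",
    "body7": "54 68 61 6e 6b 20 79 6f 75 20 66 6f 72 20 75 73 69 6e 67 20 [0-11] 20 57 65 62 6d 61 69 6c",
}

def hex_to_regex(spec):
    """Translate a YARA hex string (byte values plus [a-b] jumps) into a bytes regex."""
    parts = []
    for tok in spec.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", tok)
        if jump:
            parts.append(".{%s,%s}" % jump.groups())  # a jump matches any bytes within the range
        else:
            parts.append(re.escape(chr(int(tok, 16))))
    return re.compile("".join(parts).encode(), re.DOTALL)

def matched_strings(data):
    """Return the names of the rule strings found in the raw message bytes."""
    hits = {n for n, s in HEADER_STRINGS.items() if s in data}
    hits |= {n for n, s in NOCASE_STRINGS.items() if s.lower().encode() in data.lower()}
    hits |= {n for n, s in HEX_STRINGS.items() if hex_to_regex(s).search(data)}
    return hits

def rule_matches(data):
    """Evaluate the condition: all three headers, 1 subject, 1 hello, at least 4 body strings."""
    hits = matched_strings(data)
    count = lambda prefix: sum(1 for h in hits if h.startswith(prefix))
    return count("eml_") == 3 and count("subject") >= 1 and count("hello") >= 1 and count("body") >= 4

# Constructed samples (not real captures): a lure in the campaign's style and a benign admin alert.
PHISH = (b"From: support@example.invalid\nTo: user@example.invalid\n"
         b"Subject: Dear Contoso Account Users\n\nYou have exceded the e-mail account limit quota of 2GB.\n"
         b"You are requested to expand it within 24 hours or your e-mail account will be disable from our database.\n"
         b"Thank you for using Contoso Webmail.\n")
BENIGN = (b"From: admin@example.invalid\nTo: it@example.invalid\nSubject: Quota summary\n\n"
          b"System alert: tenant mailbox storage is at 85% of the plan limit.\n")

if __name__ == "__main__":
    print("phish:", rule_matches(PHISH), sorted(matched_strings(PHISH)))
    print("benign:", rule_matches(BENIGN), sorted(matched_strings(BENIGN)))
```

The benign sample hits all three header strings yet fails the condition, which is why the `$subject*`, `$hello*` and `$body*` requirements matter more than the header context strings for keeping false positives down.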
Scenario: Scheduled Email Backup Job Exceeds Quota
Description: A legitimate scheduled backup job sends a large number of emails to a central archive mailbox, temporarily exceeding the storage quota.
Filter/Exclusion: Exclude emails sent by the backup tool (e.g., Veeam, Commvault) or use a filter based on the sender’s email address or job name.
Scenario: User Receives a Quota Warning Due to Large File Attachments
Description: A user receives a warning after sending or receiving a large file via email, which is part of a normal business process (e.g., legal document sharing).
Filter/Exclusion: Exclude emails containing specific file types (e.g., .pdf, .docx) or use a filter based on the recipient’s email domain or user role.
Scenario: System-Wide Email Quota Alert from Admin Tool
Description: An email admin tool (e.g., Microsoft 365 Admin Center, G Suite Admin Console) sends a system alert to the admin about overall mailbox usage, not individual user activity.
Filter/Exclusion: Exclude emails sent from admin tools or use a filter based on the sender’s email address or subject line containing “system alert” or “quota summary.”
Scenario: User Sends Large Number of Emails for Internal Collaboration
Description: A user sends multiple emails with large attachments (e.g., for project collaboration), which temporarily pushes them over their quota.
Filter/Exclusion: Exclude emails sent to internal domains or use a filter based on the email size or presence of collaboration tools (e.g., Microsoft Teams, Slack).
Scenario: Email Gateway Sends Quota Warning for Legitimate Email Retention
Description: An email gateway (e.g., Cisco Email Security Appliance, Barracuda) sends a warning when retaining emails for compliance, which