Hosts exporting a mailbox from an on-prem Exchange server and subsequently removing the export may indicate exfiltration of sensitive data by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential data theft or reconnaissance activities early.
KQL Query
```kql
// Adjust the timeframe to change the window events need to occur within to alert
let timeframe = 1h;
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine contains 'New-MailboxExportRequest'
| project-rename NewMailBoxExpCmd = ProcessCommandLine
| summarize by DeviceName, timekey = bin(Timestamp, timeframe), NewMailBoxExpCmd, AccountName
| join kind=inner (DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "cmd.exe")
    | where ProcessCommandLine contains 'Remove-MailboxExportRequest'
    | project-rename RemoveMailBoxExpCmd = ProcessCommandLine
    | summarize by DeviceName, timekey = bin(Timestamp, timeframe), RemoveMailBoxExpCmd, AccountName) on DeviceName, timekey, AccountName
| extend commands = pack_array(NewMailBoxExpCmd, RemoveMailBoxExpCmd)
| summarize by timekey, DeviceName, tostring(commands), AccountName
| project-reorder timekey, DeviceName, AccountName, ['commands']
| extend HostCustomEntity = DeviceName, AccountCustomEntity = AccountName
```
```yaml
id: 1a6f998a-b9a4-4030-bd58-6606d66608f9
name: HostExportingMailboxAndRemovingExport[Solarigate]
description: |
  This hunting query looks for hosts exporting a mailbox from an on-prem Exchange server, followed by
  that same host removing the export within a short time window. This pattern has been observed by attackers
  when exfiltrating emails from a target environment. A mailbox export is unlikely to be a common command run, so look for
  activity from unexpected hosts and accounts.
  Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
  Query inspired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/HostExportingMailboxAndRemovingExport.yaml
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Collection
query: |
  // Adjust the timeframe to change the window events need to occur within to alert
  let timeframe = 1h;
  DeviceProcessEvents
  | where FileName in~ ("powershell.exe", "cmd.exe")
  | where ProcessCommandLine contains 'New-MailboxExportRequest'
  | project-rename NewMailBoxExpCmd = ProcessCommandLine
  | summarize by DeviceName, timekey = bin(Timestamp, timeframe), NewMailBoxExpCmd, AccountName
  | join kind=inner (DeviceProcessEvents
      | where FileName in~ ("powershell.exe", "cmd.exe")
      | where ProcessCommandLine contains 'Remove-MailboxExportRequest'
      | project-rename RemoveMailBoxExpCmd = ProcessCommandLine
      | summarize by DeviceName, timekey = bin(Timestamp, timeframe), RemoveMailBoxExpCmd, AccountName) on DeviceName, timekey, AccountName
  | extend commands = pack_array(NewMailBoxExpCmd, RemoveMailBoxExpCmd)
  | summarize by timekey, DeviceName, tostring(commands), AccountName
  | project-reorder timekey, DeviceName, AccountName, ['commands']
  | extend HostCustomEntity = DeviceName, AccountCustomEntity = AccountName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Mailbox Export for Compliance Purposes
Description: A system administrator runs a scheduled job to export a mailbox as part of a compliance or audit process.
Filter/Exclusion: Exclude hosts that are known compliance servers or have scheduled tasks related to mailbox exports (e.g., task scheduler job names containing “compliance” or “audit”).
Scenario: Admin Task to Remove Exported Data
Description: An admin exports a mailbox for investigation and then deletes the export file after review.
Filter/Exclusion: Exclude hosts where the export and removal actions are performed by admin accounts (e.g., user = "admin@domain.com" or user = "svc_exchange").
Scenario: Backup Process Exporting Mailboxes
Description: A backup tool like Veeam or Symantec BackupExec exports mailboxes as part of a routine backup process.
Filter/Exclusion: Exclude hosts associated with backup tools (e.g., process.name = "VeeamBackup.exe" or process.name = "SymantecBackup.exe").
Scenario: Mailbox Export for Legal Hold or Investigation
Description: A legal team exports a mailbox for a pending investigation and then removes the export after the investigation is complete.
Filter/Exclusion: Exclude hosts where the export is initiated by legal or compliance teams (e.g., user = "legal@domain.com" or user = "compliance@domain.com").
Scenario: Automated Export for Reporting
Description: A reporting tool or script exports a mailbox to generate a report and then deletes the export file to free up space.
Filter/Exclusion: Exclude hosts where the export is part of a known reporting process (e.g., process.name = "reporting_tool.exe" or `process
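As an added worked example (not part of the original query or the Azure Sentinel repository), the Python below replays the query's correlation logic over a handful of constructed DeviceProcessEvents rows: the same case-insensitive FileName and cmdlet filters, the same join on DeviceName, AccountName and bin(Timestamp, timeframe), plus an account allowlist standing in for the service-account exclusions in the scenarios above. It also shows the main blind spot of a fixed-bin join: an export at 10:58 and its removal at 11:03 fall into different 1h bins and never pair up, so a sliding-window variant that keys on the gap between the two events is included for comparison. Device names, account names, timestamps and command lines are all made up for the sample.

```python
from datetime import datetime, timedelta

# Constructed sample DeviceProcessEvents rows; device and account names are made up.
SAMPLE_EVENTS = [
    # Export and removal 25 minutes apart inside the same 1h bin: caught by both approaches.
    {"Timestamp": datetime(2024, 1, 10, 10, 15), "DeviceName": "exch01", "AccountName": "jdoe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe New-MailboxExportRequest -Mailbox user1"},
    {"Timestamp": datetime(2024, 1, 10, 10, 40), "DeviceName": "exch01", "AccountName": "jdoe",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Remove-MailboxExportRequest -Identity user1\\MailboxExport"},
    # Export and removal 5 minutes apart but either side of 11:00: missed by the fixed-bin join.
    {"Timestamp": datetime(2024, 1, 10, 10, 58), "DeviceName": "exch02", "AccountName": "jsmith",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c powershell new-mailboxexportrequest -Mailbox user2"},
    {"Timestamp": datetime(2024, 1, 10, 11, 3), "DeviceName": "exch02", "AccountName": "jsmith",
     "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c powershell remove-mailboxexportrequest -Identity user2\\MailboxExport"},
    # Known backup service account doing the same thing: suppressed by the allowlist.
    {"Timestamp": datetime(2024, 1, 10, 9, 5), "DeviceName": "exch03", "AccountName": "svc_backup",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe New-MailboxExportRequest -Mailbox user3"},
    {"Timestamp": datetime(2024, 1, 10, 9, 20), "DeviceName": "exch03", "AccountName": "svc_backup",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe Remove-MailboxExportRequest -Identity user3\\MailboxExport"},
    # Export with no removal from a watched process: not a hit for this query.
    {"Timestamp": datetime(2024, 1, 10, 12, 0), "DeviceName": "exch04", "AccountName": "admin1",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe New-MailboxExportRequest -Mailbox user4"},
    {"Timestamp": datetime(2024, 1, 10, 12, 10), "DeviceName": "exch04", "AccountName": "admin1",
     "FileName": "wsmprovhost.exe",  # not in the query's FileName filter, so ignored
     "ProcessCommandLine": "Remove-MailboxExportRequest -Identity user4\\MailboxExport"},
]

WATCHED_PROCESSES = {"powershell.exe", "cmd.exe"}
EXPORT_CMDLET = "New-MailboxExportRequest"
REMOVE_CMDLET = "Remove-MailboxExportRequest"


def bin_timestamp(ts, width):
    """Equivalent of KQL bin(Timestamp, width): floor ts to a multiple of width."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // width) * width


def _cmdlet_events(events, cmdlet):
    """The query's FileName in~ (...) and ProcessCommandLine contains filters, both case-insensitive."""
    return [e for e in events
            if e["FileName"].lower() in WATCHED_PROCESSES
            and cmdlet.lower() in e["ProcessCommandLine"].lower()]


def _hit(export, removal, timekey):
    """One result row shaped like the query's output (timekey, DeviceName, AccountName, commands)."""
    return {"timekey": timekey, "DeviceName": export["DeviceName"],
            "AccountName": export["AccountName"],
            "commands": [export["ProcessCommandLine"], removal["ProcessCommandLine"]]}


def correlate_fixed_bins(events, timeframe=timedelta(hours=1), excluded_accounts=()):
    """The query as written: export and removal must share DeviceName, AccountName
    and the same bin(Timestamp, timeframe). excluded_accounts is the allowlist for
    known backup/compliance service accounts (an addition, not in the query)."""
    excluded = {a.lower() for a in excluded_accounts}
    removals_by_key = {}
    for r in _cmdlet_events(events, REMOVE_CMDLET):
        key = (r["DeviceName"], r["AccountName"], bin_timestamp(r["Timestamp"], timeframe))
        removals_by_key.setdefault(key, []).append(r)
    hits = []
    for e in _cmdlet_events(events, EXPORT_CMDLET):
        if e["AccountName"].lower() in excluded:
            continue
        key = (e["DeviceName"], e["AccountName"], bin_timestamp(e["Timestamp"], timeframe))
        hits.extend(_hit(e, r, key[2]) for r in removals_by_key.get(key, []))
    return sorted(hits, key=lambda h: (h["timekey"], h["DeviceName"]))


def correlate_sliding_window(events, timeframe=timedelta(hours=1), excluded_accounts=()):
    """Variant keyed on the gap between the two events instead of a shared bin,
    so a pair that straddles a bin boundary is still found. timekey is the export time."""
    excluded = {a.lower() for a in excluded_accounts}
    removals = _cmdlet_events(events, REMOVE_CMDLET)
    hits = []
    for e in _cmdlet_events(events, EXPORT_CMDLET):
        if e["AccountName"].lower() in excluded:
            continue
        for r in removals:
            same_context = (r["DeviceName"], r["AccountName"]) == (e["DeviceName"], e["AccountName"])
            if same_context and e["Timestamp"] <= r["Timestamp"] <= e["Timestamp"] + timeframe:
                hits.append(_hit(e, r, e["Timestamp"]))
    return sorted(hits, key=lambda h: (h["timekey"], h["DeviceName"]))


if __name__ == "__main__":
    for label, fn in (("fixed bins", correlate_fixed_bins), ("sliding window", correlate_sliding_window)):
        for h in fn(SAMPLE_EVENTS, excluded_accounts=("svc_backup",)):
            print(f"{label}: {h['timekey']:%H:%M} {h['DeviceName']} {h['AccountName']} {h['commands']}")
```

Running it prints one hit for the fixed-bin version (exch01) and two for the sliding window (exch01 and exch02); exch03 is dropped by the allowlist in both. In KQL the same sliding behaviour is obtained by joining on DeviceName and AccountName only and then filtering on the difference between the two Timestamp columns, at the cost of a larger join than the binned key gives; whichever form is used, keep the allowlist to named service accounts rather than whole hosts so an interactive export from a backup server is still visible.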