Sigma rules for CVE-2021-25376
6 rules · scoped to cve · back to CVE-2021-25376
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Email Exifiltration Via Powershell
id: 312d0384-401c-4b8b-abdf-685ffba9a332
status: test
description: Detects email exfiltration via powershell cmdlets
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
date: 2022-09-09
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Add-PSSnapin'
- 'Get-Recipient'
- '-ExpandProperty'
- 'EmailAddresses'
- 'SmtpAddress'
- '-hidetableheaders'
condition: selection
falsepositives:
- Unknown
level: high
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.initial-access
- attack.stealth
- attack.t1027
- attack.t1566.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5379
TargetName|contains|all:
- 'Microsoft_Windows_Shell_ZipFolder:filename'
- '\Temporary Internet Files\Content.Outlook'
condition: selection
falsepositives:
- Legitimate used of encrypted ZIP files
level: high
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1199
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'User restricted from sending email'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
title: Suspicious Email Delivered In Microsoft 365
id: 3569aefd-e535-4391-8c18-24bd01a21eaf
status: experimental
description: |
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
references:
- https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
- https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
- https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.t1566.002
logsource:
service: audit
product: m365
detection:
selection:
Workload: 'ThreatIntelligence'
Operation: 'TIMailData'
Directionality: 'Inbound'
filter_main_blocked:
DeliveryAction: 'Blocked'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: medium
title: Google Workspace Out Of Domain Email Forwarding
id: 2a0bb2dd-eb5f-4517-8cb9-404f8ba764a5
status: experimental
description: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.
references:
- https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: Tom kluter
date: 2026-04-28
tags:
- attack.t1114.003
- attack.collection
logsource:
product: gcp
service: google_workspace.login
detection:
selection:
protoPayload.serviceName: 'login.googleapis.com'
protoPayload.metadata.event.eventName: 'email_forwarding_out_of_domain'
condition: selection
falsepositives:
- Legitimate forwarding
level: medium
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: test
description: |
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
author: frack113
date: 2021-07-21
modified: 2022-12-25
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
falsepositives:
- Unknown
level: medium