Macros, We Don’t Need No Stinking Macros! — Featuring the New Microsoft O365 Email Add-On

Recently, I’ve been on a mission building a new Microsoft Office 365 Email Add-on for Splunk. This has been built for use with Splunk Enterprise, while making sure that it properly supports Splunk’s Common Information Model (CIM). CIM is paramount when wanting data to play nicely with Splunk Enterprise Security.

My two goals for Microsoft O365 Email Add-on were:

  1. To provide an add-on which would allow up to the minute ingest of emails.
  2. To build in a bunch of security-focussed features that I felt were needed due to the dangerous nature of email.

What is the Microsoft O365 Email Add-on for Splunk?

The Microsoft O365 Email Add-on for Splunk ingests O365 emails via Microsoft’s Graph API. It provides various email analysis functions such as macro analysis, attachment info, attachment analysis, IOC extraction, and mail relay reporting, amongst others.

The first main security function I concentrated on was detecting and then analysing macros from within Microsoft Office file types attached to emails. Just like badgers, macros can be quite useful for certain things. But once the badger gets onto your couch all bets are off (this is my euphemism for a user clicking on “enable macros” and $*&! hitting the fan)!

I’m making use of Philippe Lagadec’s great OLETools package to help me detect and then find bad stuff (auto-executable macros, suspicious VBA keywords often used by malware, anti-sandboxing and anti-virtualization techniques, strings obfuscated with Hex/Base64/StrReverse/Dridex, etc) in any macros that may be included in the email attachments (Office file types).

Here you can see the result of a macro that I created within an Excel spreadsheet, which was then detected and analysed.  I obfuscated the URL as a Base64 string, and Philippe’s great utility not only detected the macro, it also decoded the Base64 string to show me the actual URL!

And if there are macros detected, but they don’t appear malicious, I still call out my feelings about macros, as shown here.

I decided to keep going further, and built out a number of other O365 email extraction capabilities as shown here:

And here:

Having the ability to see indicators of compromise (IOCs) contained both within the email body, as well as in attachments from multiple file types (HTML, XML, CSV, and PDF as of the current version) directly from within Splunk can be a huge time saver.

I’ve recently added the option to try and open up zip files (no support for password protected ones quite yet!) to determine their contents (file names and hash values based on the algorithm you’ve selected under File Hash Algorithm).  This adds zip_files and zip_hashes fields within the attachment info section as shown here:
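As an added example (not the add-on's own code), here is one way the zip_files and zip_hashes fields described above could be derived from an attachment's raw bytes using only the Python standard library. The function name `zip_attachment_info`, the extra `zip_skipped` field, and the size cap are assumptions made for illustration; password-protected entries are reported rather than opened, matching the limitation noted above.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so one huge entry cannot stall ingest


def zip_attachment_info(data: bytes, algorithm: str = "sha256") -> dict:
    """Return zip_files / zip_hashes (plus skipped entries) for one attachment."""
    info = {"zip_files": [], "zip_hashes": [], "zip_skipped": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        info["zip_skipped"].append("not a valid zip")
        return info
    with archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            if member.flag_bits & 0x1:  # bit 0 of the general-purpose flags = encrypted
                info["zip_skipped"].append(f"{member.filename}: password protected")
                continue
            if member.file_size > MAX_MEMBER_BYTES:
                info["zip_skipped"].append(f"{member.filename}: too large")
                continue
            digest = hashlib.new(algorithm)  # e.g. md5, sha1, sha256
            with archive.open(member) as handle:
                # Hash in chunks; the content is never written to disk or executed.
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            info["zip_files"].append(member.filename)
            info["zip_hashes"].append(digest.hexdigest())
    return info


def build_sample_zip() -> bytes:
    """Constructed sample attachment: two small files in an in-memory zip."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("invoice.txt", b"constructed sample content\n")
        archive.writestr("docs/readme.txt", b"hello")
    return buffer.getvalue()


if __name__ == "__main__":
    print(zip_attachment_info(build_sample_zip(), "sha256"))
```
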

I’ve also had some requests to ingest the contents of various attachments.  Now this does come with a warning, in all caps, so you know it’s serious.  This option, along with the Get Body option, can make your Splunk salesperson very happy (HUGE INGEST POTENTIAL)!  If you wanted to get a taste of what the email body looks like, you can select the Get Body Preview option, which only returns the first 255 characters in the email body.

Some use cases I’ve already been playing with around the email body and file contents ingest are in the areas of Natural Language Processing (NLP) and general machine learning.  The potential for spam/phishing detection and sentiment analysis is huge here.

Here I am using the NLP Text Analytics app from Splunkbase to analyse the sentiment of the email bodies being ingested.

Here’s another screenshot from the NLP Text Analytics app, which has analysed the email body and given me the number of terms used and the number of unique terms, along with a cool breakdown of the Parts of Speech Tags.

The last areas I wanted to provide an option around were some important email security features. Selecting Ingest Auth Headers provides the Sender Policy Framework (SPF) information, along with the DomainKeys Identified Mail (DKIM) information.

I know I said before that those were the last areas, but I have a couple more up my sleeve.  

I had a request to include X-Headers (custom email header fields), which can include things like anti-spam analysis and other security features.

And the final one was to include the path that the email has taken to get to the user.  The full MTA message path can be extracted by selecting the Show Message Path option.

All of this does look like quite a bit of data, but you are able to pick and choose various options to use that fit your needs.

So if you’re using O365 for email, and you want to get some in depth security and non-security data from your emails, please download, install, and test out my new Microsoft O365 Email Add-on for Splunk!

Happy Splunking!

Shannon Davis

Security practitioner, Melbourne, Australia via Seattle, USA.
