{"CreationTime": "2024-03-07T20:09:53", "ExchangeMetaData": {"BCC": [], "CC": [], "FileSize": 311930, "From": "attacker@attack_range.lan", "IsViewableByExternalUsers": true, "MessageID": "", "RecipientCount": 1, "Sent": "2024-03-07T20:09:51", "Subject": "Sensitive Data in this attachment", "To": ["exfiltrate@bad_guy.lol"], "UniqueID": "36a153f5-5132-4aa5-6b8e-08dc3ee28c5a"}, "Id": "83fd011f-dc7a-42ca-92a3-5b5be62f67ee", "IncidentId": "13e596c7-af2c-e41a-d800-08dc3ee3f6dd", "ObjectId": "", "Operation": "DlpRuleMatch", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyDetails": [{"PolicyId": "c70e344d-f421-4d19-a4c0-3e7040d5fa57", "PolicyName": "SSN External Exchange", "Rules": [{"ActionParameters": ["GenerateIncidentReport:admin@attack_range.lan"], "Actions": ["GenerateIncidentReport"], "ConditionsMatched": {"ConditionMatchedInNewScheme": true, "OtherConditions": [{"Name": "AccessScope", "Value": "IncludeExternalUsers"}], "SensitiveInformation": [{"ClassifierType": "None", "Confidence": 85, "Count": 2, "Location": "SUPER SECRET INFO.pdf", "SensitiveInformationDetailedClassificationAttributes": [{"Confidence": 65, "Count": 2, "IsMatch": false}, {"Confidence": 75, "Count": 2, "IsMatch": false}, {"Confidence": 85, "Count": 2, "IsMatch": true}], "SensitiveInformationTypeName": "U.S. Social Security Number (SSN)", "SensitiveType": "a44669fe-0d48-453d-a9b1-2cc83f2cba77", "UniqueCount": 2}]}, "ManagementRuleId": "e88f4d39-c643-4295-a2f4-12ae1e791032", "RuleId": "dea3e6ad-de39-48f1-bd91-a843acebeb79", "RuleMode": "Enable", "RuleName": "ATTACK RANGE SECRET DATA RULE", "Severity": "Low"}]}], "RecordType": 13, "SensitiveInfoDetectionIsIncluded": false, "UserId": "attacker@attack_range.lan", "UserKey": "517ca540-0bed-49c7-86b5-e455008c13d6", "UserType": 0, "Version": 1, "Workload": "Exchange"} {"CreationTime": "2024-03-07T19:58:23", "ExchangeMetaData": {"BCC": [], "CC": [], "FileSize": 114165, "From": "attacker@attack_range.lan", "IsViewableByExternalUsers": true, "MessageID": "", "RecipientCount": 1, "Sent": "2024-03-07T19:58:18", "Subject": "Sensitive Data in this message", "To": ["exfiltrate@bad_guy.lol"], "UniqueID": "0728c39a-0f1e-4b55-c5a6-08dc3ee0eef1"}, "Id": "425afef1-d56d-4691-bd38-802350fbac5d", "IncidentId": "6a261e2f-a2d1-43d3-6000-08dc3ee12b9c", "ObjectId": "", "Operation": "DlpRuleMatch", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyDetails": [{"PolicyId": "c70e344d-f421-4d19-a4c0-3e7040d5fa57", "PolicyName": "SSN External Exchange", "Rules": [{"ActionParameters": ["GenerateIncidentReport:admin@attack_range.lan"], "Actions": ["GenerateIncidentReport", "Halt"], "ConditionsMatched": {"ConditionMatchedInNewScheme": true, "OtherConditions": [{"Name": "AccessScope", "Value": "IncludeExternalUsers"}], "SensitiveInformation": [{"ClassifierType": "None", "Confidence": 85, "Count": 1, "Location": "Message Body", "SensitiveInformationDetailedClassificationAttributes": [{"Confidence": 65, "Count": 1, "IsMatch": false}, {"Confidence": 75, "Count": 1, "IsMatch": false}, {"Confidence": 85, "Count": 1, "IsMatch": true}], "SensitiveInformationTypeName": "U.S. Social Security Number (SSN)", "SensitiveType": "a44669fe-0d48-453d-a9b1-2cc83f2cba77", "UniqueCount": 1}]}, "ManagementRuleId": "e88f4d39-c643-4295-a2f4-12ae1e791032", "RuleId": "dea3e6ad-de39-48f1-bd91-a843acebeb79", "RuleMode": "Enable", "RuleName": "ATTACK RANGE SECRET DATA RULE", "Severity": "Low"}]}], "RecordType": 13, "SensitiveInfoDetectionIsIncluded": false, "UserId": "attacker@attack_range.lan", "UserKey": "517ca540-0bed-49c7-86b5-e455008c13d6", "UserType": 0, "Version": 1, "Workload": "Exchange"} {"AlertEntityId": "https://tinyurl.com/57594h4h", "AlertId": "fd8314d8-2d10-c4a3-1400-08dc32914b9d", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-02-21T04:02:26", "Data": "{\"etype\":\"MaliciousUrl\",\"aii\":\"b2e3b763-3055-432d-17c5-08dc2d751f74\",\"eid\":\"https://tinyurl.com/57594h4h\",\"curlh\":\"9937012134954310354\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-02-21T03:58:24.0353405Z\",\"te\":\"2024-02-21T03:58:24.0353405Z\",\"trc\":\"victim@attack_range.lan\",\"tdc\":\"1\",\"at\":\"2024-02-21T03:58:24.0353405Z\",\"dm\":\"MDO Safe Links\",\"ot\":\"Allowed\",\"od\":\"User clicked on a URL which was identified as potentially malicious at a later time.\",\"md\":\"2024-02-14T15:53:44.1893317Z\",\"lon\":\"MaliciousUrlClick\"}", "EntityType": "MaliciousUrl", "Id": "0abe7b12-4879-4ea3-fd8a-08dc3291eab2", "Name": "A potentially malicious URL click was detected", "ObjectId": "https://tinyurl.com/57594h4h", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "a74bb32a-541b-47fb-adfd-f8c62ce3d59b", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "High", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "https://click.e.ama-assn.org/?qs=8998ddb89a0cdd641896405312d917673f01d0829d64616aaab36f9e40f02e2595ad7852374b95c416e4a51981f6fa47d0e1bfb22408ba5ec6bd13548ac7c61b", "AlertId": "a190b9c8-1029-efd3-8000-08db1f680f7d", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2023-03-08T15:17:52", "Data": "{\"etype\":\"MaliciousUrl\",\"aii\":\"9c8d52a9-d07e-48a9-b88a-08dab09454bc\",\"eid\":\"https://click.e.ama-assn.org/?qs=8998ddb89a0cdd641896405312d917673f01d0829d64616aaab36f9e40f02e2595ad7852374b95c416e4a51981f6fa47d0e1bfb22408ba5ec6bd13548ac7c61b\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2023-03-08T15:17:00.0000000Z\",\"te\":\"2023-03-08T15:17:00.0000000Z\",\"trc\":\"victim@attack_range.lan\",\"tdc\":\"1\",\"at\":\"2023-03-08T15:17:00.0000000Z\",\"dm\":\"MDO Safe Links\",\"ot\":\"BlockPageOverride\",\"od\":\"User blocked from navigating to the URL by MDO Safe Links; however, user overrode block page to navigate to the URL.\",\"md\":\"2022-10-17T23:07:14.9649034Z\",\"lon\":\"MaliciousUrlClick\"}", "EntityType": "MaliciousUrl", "Id": "4038ade2-04e3-4c09-2d6c-08db1fe8490c", "Name": "A user clicked through to a potentially malicious URL\u200b", "ObjectId": "https://click.e.ama-assn.org/?qs=8998ddb89a0cdd641896405312d917673f01d0829d64616aaab36f9e40f02e2595ad7852374b95c416e4a51981f6fa47d0e1bfb22408ba5ec6bd13548ac7c61b", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "5453b67e-6c81-4a46-b96c-08d97b58d4ac", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "High", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "42fd195d-7ab1-4566-0600-08dc3ec462be-7395301448368413761-1", "AlertId": "476df558-f61b-ec3a-de00-08dc3ec4cfc3", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-07T16:49:31", "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-03-07T16:37:56.1969773Z\",\"md\":\"2024-03-07T16:37:35.0000000Z\",\"sip\":\"40.107.14.92\",\"ms\":\"Bad Guy Documents for your DocuSign Signature -Thursday March 2024\",\"imsgid\":\"<170982923212.4108.4219154357076763856@trustangle.com>\",\"ttdt\":\"2024-03-07T16:37:56.1969773Z\",\"ttr\":\"Success_MessageQuarantined\",\"eid\":\"42fd195d-7ab1-4566-0600-08dc3ec462be-7395301448368413761-1\",\"aii\":\"42fd195d-7ab1-4566-0600-08dc3ec462be\",\"thn\":\"reputation\",\"ts\":\"2024-03-07T16:36:56.1969773Z\",\"te\":\"2024-03-07T16:38:56.1969773Z\",\"fvs\":\"Filters\",\"tpt\":\"AntiMalwarePolicy\",\"tpid\":\"2979b771-f1fa-42f6-b0e9-1b4e8bc5827f\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"tht\":\"Malware, Malicious\",\"trc\":\"victim@attack_range.lan\",\"tsd\":\"attacker@bad_guy.lol\",\"zu\":\"ankarakiraliksilindir.com/auth\",\"pud\":\"ankarakiraliksilindir.com/auth\",\"tdc\":\"1\",\"cpid\":null,\"lon\":\"Protection\"}", "EntityType": "MalwareFamily", "Id": "44861ba2-3215-486a-0673-08dc3ec68fb6", "Name": "Email messages containing malicious URL removed after delivery\u200b", "ObjectId": "42fd195d-7ab1-4566-0600-08dc3ec462be-7395301448368413761-1", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "8e6ba277-ef39-404e-aaf1-294f6d9a2b88", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Informational", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "a0c1e6af-ab45-4ee8-4752-08dc3d15e605-9817492628654230085-1", "AlertId": "85168225-fda2-3a24-0c00-08dc3d173d32", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-05T13:31:13", "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-03-05T13:22:41.1991401Z\",\"md\":\"2024-03-05T13:12:27.0000000Z\",\"sip\":\"209.85.222.169\",\"ms\":\"ThankYou For YourOrder!D0T51518374X3LZIP \",\"imsgid\":\"<0c1c541f-1ee5-94bf-25cb-d965a1befbdf@gmail.com>\",\"ttdt\":\"2024-03-05T13:22:41.1991401Z\",\"ttr\":\"Success_MessageQuarantined\",\"dm\":\"FileReputation\",\"eid\":\"a0c1e6af-ab45-4ee8-4752-08dc3d15e605-9817492628654230085-1\",\"aii\":\"a0c1e6af-ab45-4ee8-4752-08dc3d15e605\",\"thn\":\"Phish, Malicious\",\"ts\":\"2024-03-05T13:21:41.1991401Z\",\"te\":\"2024-03-05T13:23:41.1991401Z\",\"fvs\":\"Filters\",\"tpt\":\"HostedContentFilterPolicy\",\"tpid\":\"ffe2a155-535f-484f-83da-ffb922b46af5\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"tht\":\"Phish, Malicious\",\"trc\":\"victim@attack_range.lan\",\"tsd\":\"attacker@bad_guy.lol\",\"zmfh\":\"yiFy5qy4kvCGLF97Y3+C2RBGJCNY3JeqF18PWfaTYQc=\",\"zfh\":\"yiFy5qy4kvCGLF97Y3+C2RBGJCNY3JeqF18PWfaTYQc=\",\"zmfn\":\"LMBC33891257613OS.pd\",\"zfn\":\"LMBC33891257613OS.pd\",\"tdc\":\"1\",\"cpid\":null,\"lon\":\"Protection\"}", "EntityType": "MalwareFamily", "Id": "028dde2f-b156-45b0-3e3d-08dc3d18873f", "Name": "Email messages containing malicious file removed after delivery\u200b", "ObjectId": "a0c1e6af-ab45-4ee8-4752-08dc3d15e605-9817492628654230085-1", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "4b1820ec-39dc-45f3-abf6-5ee80df51fd2", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Informational", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "c461ad52-1382-40b5-0be0-08dc3d898aa7-15623121967979682274-1", "AlertId": "05571e1f-4520-4bc7-2e00-08dc3d8ac505", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-06T03:15:52", "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-03-06T03:09:36.6683244Z\",\"md\":\"2024-03-06T03:02:39.0000000Z\",\"sip\":\"54.240.48.243\",\"ms\":\"The Journal for Malware Practitioners: March 2024 (Volume 20, Issue 3)\",\"imsgid\":\"<0100018e11b4495a-edc8e0b9-514d-4140-9820-2ed93c5a19b5-000000@email.amazonses.com>\",\"ttdt\":\"2024-03-06T03:09:36.6683244Z\",\"ttr\":\"Error_FailedToQuarantineMessage\",\"dm\":\"UrlReputation\",\"eid\":\"c461ad52-1382-40b5-0be0-08dc3d898aa7-15623121967979682274-1\",\"aii\":\"c461ad52-1382-40b5-0be0-08dc3d898aa7\",\"thn\":\"Phish, Malicious\",\"ts\":\"2024-03-06T03:08:36.6683244Z\",\"te\":\"2024-03-06T03:10:36.6683244Z\",\"fvs\":\"Filters\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"tht\":\"Phish, Malicious\",\"trc\":\"victim@attack_range.lan\",\"tsd\":\"attacker@bad_guy.lol\",\"zu\":\"click.notification.elsevier.com/cl0/https:%2f%2fwww.getmalware.org%2faction%2fecommerce%3fdgcid=raven_jbs_etoc_email/1\",\"pud\":\"click.notification.elsevier.com/cl0/https:%2f%2fwww.getmalware.org%2faction%2fecommerce%3fdgcid=raven_jbs_etoc_email/1\",\"tdc\":\"1\",\"cpid\":null,\"lon\":\"Protection\"}", "EntityType": "MalwareFamily", "Id": "b8f3603a-81a1-414c-2295-08dc3d8bbb0b", "Name": "Messages containing malicious entity not removed after delivery", "ObjectId": "c461ad52-1382-40b5-0be0-08dc3d898aa7-15623121967979682274-1", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "663e723a-4a74-47d9-9690-9638f0d496af", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Medium", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "8eb55d20-0a68-4d50-b925-08dc3ef6c5f5-10491611914247298773-1", "AlertId": "629e4608-e299-f139-4800-08dc3f3a04be", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-08T06:43:46", "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-03-08T06:36:26.9255475Z\",\"md\":\"2024-03-07T22:34:44.0000000Z\",\"sip\":\"40.107.237.123\",\"ms\":\"Attack Range Scheduled System Maintenance - Ref: AZBSF41297\",\"imsgid\":\"<170985087363.62828.7570134824051846298@reurbanrealestate.com>\",\"ttdt\":\"2024-03-08T06:36:26.9255475Z\",\"ttr\":\"Success_MessageQuarantined\",\"dm\":\"FingerPrintMatch\",\"eid\":\"8eb55d20-0a68-4d50-b925-08dc3ef6c5f5-10491611914247298773-1\",\"aii\":\"8eb55d20-0a68-4d50-b925-08dc3ef6c5f5\",\"thn\":\"Phish, Malicious\",\"ts\":\"2024-03-08T06:35:26.9255475Z\",\"te\":\"2024-03-08T06:37:26.9255475Z\",\"fvs\":\"Filters\",\"tpt\":\"HostedContentFilterPolicy\",\"tpid\":\"ffe2a155-535f-484f-83da-ffb922b46af5\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"tht\":\"Phish, Malicious\",\"trc\":\"victim@attack_range.lan\",\"tsd\":\"attacker@bad_guy.lol\",\"tdc\":\"1\",\"cpid\":null,\"lon\":\"Protection\"}", "EntityType": "MalwareFamily", "Id": "df3aa5ed-2c8e-4286-443e-08dc3f3b1a86", "Name": "Email messages removed after delivery\u200b", "ObjectId": "8eb55d20-0a68-4d50-b925-08dc3ef6c5f5-10491611914247298773-1", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "b8f6b088-5487-4c70-037c-08d8d71a43fe", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Informational", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "4fbe697f-a39f-47c2-83af-08dc3ecabde3-1695105148134860565-1", "AlertId": "0206039f-0c31-54eb-ec00-08dc3f053668", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-08T00:29:25", "Data": "{\"etype\":\"MalwareFamily\",\"at\":\"2024-03-08T00:18:22.5129181Z\",\"md\":\"2024-03-07T17:23:46.0000000Z\",\"sip\":\"40.107.241.113\",\"ms\":\"user_#5628\",\"imsgid\":\"<1WTM.8E3EW.46E48ED30D8CEZNGS8X0ACD632BJ2FDAA6746EF42EAFA.777da16f-0985-4784-b0bd-add496d7295a@takepayments-ltd.com>\",\"ttdt\":\"2024-03-08T00:18:22.5129181Z\",\"ttr\":\"Success_MessageQuarantined\",\"dm\":\"Campaign\",\"eid\":\"4fbe697f-a39f-47c2-83af-08dc3ecabde3-1695105148134860565-1\",\"aii\":\"4fbe697f-a39f-47c2-83af-08dc3ecabde3\",\"thn\":\"Phish, Malicious\",\"ts\":\"2024-03-08T00:17:22.5129181Z\",\"te\":\"2024-03-08T00:19:22.5129181Z\",\"fvs\":\"Filters\",\"tpt\":\"HostedContentFilterPolicy\",\"tpid\":\"ffe2a155-535f-484f-83da-ffb922b46af5\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"tht\":\"Phish, Malicious\",\"trc\":\"victim@attack_range.lan\",\"tsd\":\"attacker@bad_guy.lol\",\"tdc\":\"1\",\"cpid\":\"FD6259AF.BB3774A2.7DF193DE.D8CC79CA.20079\",\"lon\":\"Protection\"}", "EntityType": "MalwareFamily", "Id": "110ba89a-999a-4486-f1ed-08dc3f06cf3a", "Name": "Email messages from a campaign removed after delivery\u200b", "ObjectId": "4fbe697f-a39f-47c2-83af-08dc3ecabde3-1695105148134860565-1", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "c8522cbb-9368-4e25-4ee9-08d8d899dfab", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Informational", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "victim@attack_range.lan", "AlertId": "0fc7c983-2c17-e6e1-0c00-08dc3ee827c0", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-07T20:51:55", "Data": "{\"etype\":\"User\",\"eid\":\"victim@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-03-07T20:49:42.0000000Z\",\"te\":\"2024-03-07T20:49:42.0000000Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"victim@attack_range.lan\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"HelpDesk info \",\"sip\":\"40.107.101.127\",\"srt\":\"1\",\"trc\":\"victim@attack_range.lan\",\"ms\":\"victim@attack_range.lan: Password System Reminder - Tue March 5, 2024 PmyX1\",\"sid\":\"83be711a-4e79-414a-fb17-08dc3ee81d41\",\"aii\":\"36a3359a-ec7e-46ec-37da-08dc3ee70925\",\"md\":\"2024-03-07T20:41:59.0000000Z\",\"etps\":\"KesMailId:6932609791690374;FingerprintData:E3AC72DF.29EA1F12.20F79D8B.42EBCAC1.20512;SubmissionCategory:Email;RescanVerdict:Phish;SubmissionSource:Microsoft;SubmissionId:18b42745-6a14-4b6b-d62b-08dc3ee801a4;OriginalVerdict:NotSpam\",\"lon\":\"UserSubmission\"}", "EntityType": "User", "Id": "26035099-e431-4f26-4cee-08dc3ee86caa", "Name": "Email reported by user as malware or phish", "ObjectId": "victim@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "b26a5770-0c38-434a-9380-3a3c2c27bbb3", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Low", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "victim@attack_range.lan", "AlertId": "d4dd0ec8-a239-e106-a400-08dc3edfc5fb", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-07T19:51:54", "Data": "{\"etype\":\"User\",\"eid\":\"victim@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-03-07T19:49:37.0000000Z\",\"te\":\"2024-03-07T19:49:37.0000000Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"victim@attack_range.lan\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"=?UTF-8?Q?Splunk IT Team?= \",\"sip\":\"40.107.220.91\",\"srt\":\"1\",\"trc\":\"victim@attack_range.lan\",\"ms\":\"Splunk Scheduled System Maintenance - Ref: IPPFC97654\",\"sid\":\"505a0ccc-b15f-4464-6207-08dc3edfb84e\",\"aii\":\"85d0dc31-016a-40b6-27ff-08dc3edf3a89\",\"md\":\"2024-03-07T19:46:06.0000000Z\",\"etps\":\"KesMailId:10591780193962181;FingerprintData:FCDCEDDD.8692179A.BAFC91F7.4CD9718C.20315;SubmissionCategory:Email;RescanVerdict:Malware;SubmissionSource:Microsoft;SubmissionId:f935da81-cbec-446b-c4d1-08dc3edf8299;OriginalVerdict:NotSpam\",\"lon\":\"UserSubmission\"}", "EntityType": "User", "Id": "a4efeb3c-073b-4703-a42b-08dc3ee00a1c", "Name": "Email reported by user as malware or phish", "ObjectId": "victim@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "b26a5770-0c38-434a-9380-3a3c2c27bbb3", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Low", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "victim@attack_range.lan", "AlertId": "34c3552f-48c6-f73a-5000-08dc3c86ca79", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-04T20:39:28", "Data": "{\"etype\":\"User\",\"eid\":\"victim@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-03-04T20:07:40.0000000Z\",\"te\":\"2024-03-04T20:07:40.0000000Z\",\"op\":\"UserSubmission\",\"tdc\":\"1\",\"suid\":\"victim@attack_range.lan\",\"ut\":\"Regular\",\"ssic\":\"0\",\"tsd\":\"Some Contact \",\"sip\":\"208.75.123.228\",\"srt\":\"0\",\"trc\":\"victim@attack_range.lan\",\"ms\":\"Managed Derping: The 2024 Conference (May 13 - 14, 2024; Chicago, IL)\",\"sid\":\"9ad2cf4b-f2e0-4b43-d12b-08dc3c8a9d00\",\"aii\":\"2057335c-fec5-4601-b2fd-08dc3c6b3f98\",\"md\":\"2024-03-04T16:50:50.0000000Z\",\"etps\":\"KesMailId:1865750973252593;FingerprintData:32F9720C.8EE69306.23F33D7B.40E4B342.20421;SubmissionCategory:Email;RescanVerdict:Phish;SubmissionSource:Microsoft;SubmissionId:3b3bdde7-833c-4796-9a64-08dc3c866b2b;OriginalVerdict:NotSpam\",\"lon\":\"UserSubmission\"}", "EntityType": "User", "Id": "372a6a99-03ec-46f7-ac19-08dc3c8b300d", "Name": "Email reported by user as junk", "ObjectId": "victim@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "a0e277be-7157-4907-874e-93e7b5170657", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Low", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"BCLValue": 0, "CreationTime": "2024-03-19T17:00:45", "ExtendedProperties": [{"Name": "KesMailId", "Value": "5244983997104747"}, {"Name": "FingerprintData", "Value": "E7DA50AC.20135793.F9E79F7B.64E0FA09.2023B"}, {"Name": "SubmissionCategory", "Value": "Email"}, {"Name": "RescanVerdict", "Value": "Phish"}, {"Name": "SubmissionSource", "Value": "Microsoft"}, {"Name": "SubmissionId", "Value": "52d7a972-ed15-4f8f-8d33-08dc48361e53"}, {"Name": "OriginalVerdict", "Value": "NotSpam"}], "FilteringDate": "2024-03-19T17:00:45", "Id": "b2e771d3-a792-4733-3793-08dc483703c8", "InternetMessageId": "", "KesMailId": "5244983997104747", "Language": "en", "MessageDate": "2024-03-19T16:00:31", "ObjectId": "e8ec7db1-6f6c-46f4-3b34-08dc482db491", "Operation": "AdminSubmission", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "P1Sender": "attacker@bad_guy.lol", "P1SenderDomain": "bad_guy.lol", "P2Sender": "Some Badguy ", "P2SenderDomain": "bad_guy.lol", "Recipients": ["victim@attack_range.lan"], "RecordType": 29, "RescanResult": {"Id": "2f35f86d-ff7d-4e45-3793-08dc483703c8", "RescanVerdict": "Phish", "Timestamp": "2024-03-19T17:07:10"}, "SenderIP": "170.10.153.110", "Subject": "Attach Invoice - 3B08AED6-0002.pdf", "SubmissionConfidenceLevel": 1, "SubmissionContent": "Attach Invoice - 3B08AED6-0002.pdf", "SubmissionContentSubType": "NetworkMessageId", "SubmissionContentType": "Mail", "SubmissionId": "52d7a972-ed15-4f8f-8d33-08dc48361e53", "SubmissionState": "Rescaned", "SubmissionType": 1, "SubmitterDisplayName": "Security Admin", "SubmitterId": "1ea75aee-99d1-4b30-b467-92fc11cd79d8", "UserId": "securityadmin@attack_range.lan", "UserKey": "1ea75aee-99d1-4b30-b467-92fc11cd79d8", "UserType": 2, "Version": 1, "Workload": "SecurityComplianceCenter"} {"BCLValue": 0, "CreationTime": "2024-03-18T13:39:44", "ExtendedProperties": [{"Name": "KesMailId", "Value": "5244863738025373"}, {"Name": "FingerprintData", "Value": "56EAC46F.AF915E6B.1EE27EBB.FCC88CF8.200DF"}, {"Name": "SubmissionCategory", "Value": "Email"}, {"Name": "RescanVerdict", "Value": "Phish"}, {"Name": "SubmissionSource", "Value": "Microsoft"}, {"Name": "SubmissionId", "Value": "2dbc1d38-4157-4097-25a3-08dc4750def8"}, {"Name": "OriginalVerdict", "Value": "NotSpam"}], "FilteringDate": "2024-03-18T13:39:44", "Id": "17e23028-c892-4ede-4caa-08dc4751280f", "InternetMessageId": "<171074919530.47432.11290264828899322638@edd.ca.gov>", "KesMailId": "5244863738025373", "Language": "en", "MessageDate": "2024-03-18T08:06:37", "ObjectId": "feadce47-a12b-471d-0eb0-08dc472255eb", "Operation": "AdminSubmission", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "P1Sender": "attacker@bad_guy.lol", "P1SenderDomain": "bad_guy.lol", "P2Sender": "attacker@bad_guy.lol", "P2SenderDomain": "bad_guy.lol", "Recipients": ["victim@attack_range.lan"], "RecordType": 29, "RescanResult": {"Id": "2012a3ed-a420-4c50-4caa-08dc4751280f", "RescanVerdict": "Phish", "Timestamp": "2024-03-18T13:41:46"}, "SenderIP": "209.85.219.97", "Subject": "S79139-708 attack_range: Contract/Agreement", "SubmissionConfidenceLevel": 1, "SubmissionContent": "S79139-708 attack_range: Contract/Agreement", "SubmissionContentSubType": "NetworkMessageId", "SubmissionContentType": "Mail", "SubmissionId": "2dbc1d38-4157-4097-25a3-08dc4750def8", "SubmissionState": "Rescaned", "SubmissionType": 1, "SubmitterDisplayName": "Security Admin", "SubmitterId": "29ffae9c-810a-495d-b162-1c07a8c98824", "UserId": "securityadmin@attack_range.lan", "UserKey": "29ffae9c-810a-495d-b162-1c07a8c98824", "UserType": 2, "Version": 1, "Workload": "SecurityComplianceCenter"} {"CreationTime": "2024-03-20T19:37:12", "DetectionDate": "2024-03-20T19:36:17", "DetectionMethod": "AntiMalware", "EventDeepLink": "https://security.microsoft.com/threatexplorer?dltarget=Explorer&dlstorage=Url&viewid=MalwareContent&starttime=2024-02-18T23:59:59.002Z&endtime=2024-03-22T23:59:59.002Z&query-Id=feb1738d-d06d-4c05-6934-08dc49150132", "FileData": {"DocumentId": "aeea621a-9b0d-4be9-b9a7-874014e870b3", "FileName": "Magic8.exe", "FilePath": "https://attack_range-my.sharepoint.com/personal/attacker_attack_range_lan/Documents/Microsoft Teams Chat Files/Magic8.exe", "FileSize": "46592", "FileVerdict": 1, "MalwareFamily": "Malicious Payload", "SHA256": "6iQudVL0FxDOV0suDB5gmV5/WUCG3Sxgc6JdGOXe3Lc="}, "Id": "feb1738d-d06d-4c05-6934-08dc49150132", "LastModifiedBy": "attacker@attack_range.lan", "LastModifiedDate": "2024-03-20T19:27:57", "Operation": "AtpDetection", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 47, "SourceWorkload": 1, "UserId": "attacker@attack_range.lan", "UserKey": "ThreatIntel", "UserType": 4, "Version": 1, "Workload": "ThreatIntelligence"} {"AdditionalActionsAndResults": ["OriginalDelivery: [N/A]"], "AuthDetails": [{"Name": "SPF", "Value": "Pass"}, {"Name": "DKIM", "Value": "Pass"}, {"Name": "DMARC", "Value": "Pass"}, {"Name": "Comp Auth", "Value": "pass"}], "CreationTime": "2024-03-18T17:09:04", "DeliveryAction": "Delivered", "DetectionMethod": "URL malicious reputation", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://security.microsoft.com/?hash=/threatexplorer?messageParams=fb2b4405-a2cb-4f50-3ba4-08dc476df445,fb2b4405-a2cb-4f50-3ba4-08dc476df445-15286148646109860799-1,2024-03-18T00:00:00,2024-03-18T23:59:59&view=Phish", "Id": "c6acad26-d50a-2928-a781-9f459140924c", "InternetMessageId": "", "LatestDeliveryLocation": "Inbox", "MessageTime": "2024-03-18T17:07:57", "NetworkMessageId": "fb2b4405-a2cb-4f50-3ba4-08dc476df445", "ObjectId": "fb2b4405-a2cb-4f50-3ba4-08dc476df445152861486461098607991", "Operation": "TIMailData", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OriginalDeliveryLocation": "Inbox", "P1Sender": "bounce-22_html-153948378-154326-7220609-6141915@bounce.em.biglots.com", "P2Sender": "attacker@bad_guy.lol", "PhishConfidenceLevel": "Normal", "Recipients": ["victim@attack_range.lan"], "RecordType": 28, "SenderIp": "136.147.178.189", "Subject": "Here\u2019s your receipt!", "SystemOverrides": [{"Details": "Sender address list", "FinalOverride": "Yes", "Result": "Allow", "Source": "User"}], "ThreatsAndDetectionTech": ["Phish: [URL malicious reputation]"], "UserId": "ThreatIntel", "UserKey": "ThreatIntel", "UserType": 4, "Verdict": "Phish", "Version": 1, "Workload": "ThreatIntelligence"} {"AdditionalActionsAndResults": ["OriginalDelivery: [N/A]"], "AttachmentData": [{"FileName": "NIM REPAIR QUOTE.pdf", "FileType": "pdf", "FileVerdict": 0, "SHA256": "262c8b9099a45508434dc2c71ed4e8a1b5d983128774c91ffcbf4d45d814b220"}], "AuthDetails": [{"Name": "SPF", "Value": "Pass"}, {"Name": "DKIM", "Value": "Pass"}, {"Name": "DMARC", "Value": "Pass"}, {"Name": "Comp Auth", "Value": "pass"}], "CreationTime": "2024-02-26T13:53:01", "DeliveryAction": "Delivered", "DetectionMethod": "URL malicious reputation", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://security.microsoft.com/?hash=/threatexplorer?messageParams=c0a19d5a-daf1-4b06-cd52-08dc36d1d977,c0a19d5a-daf1-4b06-cd52-08dc36d1d977-4725491278877047725-1,2024-02-26T00:00:00,2024-02-26T23:59:59&view=Phish", "Id": "96fa0387-4391-6cc8-9f24-33cf40094714", "InternetMessageId": "", "LatestDeliveryLocation": "Inbox", "MessageTime": "2024-02-26T13:51:01", "NetworkMessageId": "c0a19d5a-daf1-4b06-cd52-08dc36d1d977", "ObjectId": "c0a19d5a-daf1-4b06-cd52-08dc36d1d97747254912788770477251", "Operation": "TIMailData", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OriginalDeliveryLocation": "Inbox", "P1Sender": "prvs=578680ba83=attacker@bad_guy.lol", "P2Sender": "attacker@bad_guy.lol", "PhishConfidenceLevel": "Normal", "Recipients": ["victim@attack_range.lan"], "RecordType": 28, "SenderIp": "148.163.152.7", "Subject": "Fwd: NIM VITAL System Repair", "SystemOverrides": [{"Details": "Sender domain list (Safe domain / Blocked domain)", "FinalOverride": "Yes", "Result": "Allow", "Source": "Tenant"}], "ThreatsAndDetectionTech": ["Phish: [URL malicious reputation]", "Spam: [Advanced filter]"], "UserId": "ThreatIntel", "UserKey": "ThreatIntel", "UserType": 4, "Verdict": "Phish", "Version": 1, "Workload": "ThreatIntelligence"} {"AdditionalActionsAndResults": ["OriginalDelivery: [N/A]"], "AuthDetails": [{"Name": "SPF", "Value": "Pass"}, {"Name": "DKIM", "Value": "None"}, {"Name": "DMARC", "Value": "Fail"}, {"Name": "Comp Auth", "Value": "fail"}], "CreationTime": "2024-03-08T10:58:44", "DeliveryAction": "Blocked", "DetectionMethod": "URL malicious reputation", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://security.microsoft.com/?hash=/threatexplorer?messageParams=e966856c-2e13-4f27-4513-08dc3f5e9361,e966856c-2e13-4f27-4513-08dc3f5e9361-1456383678172396280-1,2024-03-08T00:00:00,2024-03-08T23:59:59&view=Phish", "Id": "f54ccff4-ba9f-4954-457b-6ccc2d49648b", "InternetMessageId": "", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2024-03-08T10:57:46", "NetworkMessageId": "e966856c-2e13-4f27-4513-08dc3f5e9361", "ObjectId": "e966856c-2e13-4f27-4513-08dc3f5e936114563836781723962801", "Operation": "TIMailData", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "no-reply-ads-restriction-case-k8166=outlook.com__@0-359lmf27vg95aa.hr2e8o1r6d0oioqi.09crwpuc71su51dn.6tn7m10.kb-ot5ymas.na245.bnc.salesforce.com", "P2Sender": "attacker@bad_guy.lol", "PhishConfidenceLevel": "High", "Policy": "HighConfidencePhish", "PolicyAction": "Quarantine", "Recipients": ["victim@attack_range.lan"], "RecordType": 28, "SenderIp": "13.110.242.183", "Subject": "Important Notice: Required Action to Address Copyright Infringement", "SystemOverrides": [], "ThreatsAndDetectionTech": ["Phish: [URL malicious reputation]"], "UserId": "ThreatIntel", "UserKey": "ThreatIntel", "UserType": 4, "Verdict": "Phish", "Version": 1, "Workload": "ThreatIntelligence"} {"AdditionalActionsAndResults": ["OriginalDelivery: [N/A]"], "AttachmentData": [{"FileName": "BJVHCG!!.pdf", "FileType": "pdf", "FileVerdict": 1, "MalwareFamily": "Scam_PDF_Norton_M", "SHA256": "b7e8a516206134071ba2868600b6d62eeb421fce16c4700c9399fa46d5127fbf"}], "AuthDetails": [{"Name": "SPF", "Value": "Pass"}, {"Name": "DKIM", "Value": "Pass"}, {"Name": "DMARC", "Value": "Pass"}, {"Name": "Comp Auth", "Value": "pass"}], "CreationTime": "2024-03-19T11:39:21", "DeliveryAction": "Blocked", "DetectionMethod": "File detonation reputation", "DetectionType": "Inline", "Directionality": "Inbound", "EventDeepLink": "https://security.microsoft.com/?hash=/threatexplorer?messageParams=14742693-1a1a-4fbc-db85-08dc4808fbd2,14742693-1a1a-4fbc-db85-08dc4808fbd2-1568395857471009376-1,2024-03-19T00:00:00,2024-03-19T23:59:59&view=Malware", "Id": "b048dfad-f435-e166-58e0-79575e66b0c3", "InternetMessageId": "", "LatestDeliveryLocation": "Quarantine", "MessageTime": "2024-03-19T11:37:47", "NetworkMessageId": "14742693-1a1a-4fbc-db85-08dc4808fbd2", "ObjectId": "14742693-1a1a-4fbc-db85-08dc4808fbd215683958574710093761", "Operation": "TIMailData", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OriginalDeliveryLocation": "Quarantine", "P1Sender": "attacker@bad_guy.lol", "P2Sender": "attacker@bad_guy.lol", "PhishConfidenceLevel": "High", "Policy": "SafeAttachements", "PolicyAction": "Quarantine", "Recipients": ["victim@attack_range.lan"], "RecordType": 28, "SenderIp": "209.85.216.45", "Subject": "invoice Copy", "SystemOverrides": [], "ThreatsAndDetectionTech": ["Malware: [File detonation reputation]", "Phish: [Advanced filter]"], "UserId": "ThreatIntel", "UserKey": "ThreatIntel", "UserType": 4, "Verdict": "Malware", "Version": 1, "Workload": "ThreatIntelligence"} {"AppAccessContext": {"ClientAppId": "00000007-0000-0ff1-ce00-000000000000", "ClientAppName": "00000007-0000-0ff1-ce00-000000000000", "CorrelationId": "74f816a1-500e-0000-03f9-86a19a6727cf"}, "ApplicationDisplayName": "00000007-0000-0ff1-ce00-000000000000", "ApplicationId": "00000007-0000-0ff1-ce00-000000000000", "AuthenticationType": "OAuth", "BrowserName": "", "BrowserVersion": "", "ClientIP": "2a01:111:f400:fe5a::100", "CorrelationId": "74f816a1-500e-0000-03f9-86a19a6727cf", "CreationTime": "2024-03-20T19:33:10", "DeviceDisplayName": "2a01:111:2053:70e::ad4:4b49", "EventSource": "SharePoint", "HighPriorityMediaProcessing": false, "Id": "3bc470eb-932d-40d7-91ca-08dc49149360", "IsManagedDevice": false, "ItemType": "File", "ListBaseType": 0, "ListId": "92e39b57-9f80-4494-b2da-d041436aa23a", "ListItemUniqueId": "aeea621a-9b0d-4be9-b9a7-874014e870b3", "ListServerTemplate": 0, "ObjectId": "https://attack_range-my.sharepoint.com/personal/attacker_attack_range_lan/Documents/Microsoft Teams Chat Files/Magic8.exe", "Operation": "FileMalwareDetected", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Platform": "Service", "RecordType": 6, "Site": "4fcfdc04-9f58-4206-8538-775f5f8da9d9", "SiteUrl": "https://attack_range-my.sharepoint.com/personal/attacker_attack_range_lan/", "SourceFileExtension": "exe", "SourceFileName": "Magic8.exe", "SourceRelativeUrl": "Documents/Microsoft Teams Chat Files", "UserAgent": "MS Scanner ATP", "UserId": "app@sharepoint", "UserKey": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint", "UserType": 0, "Version": 1, "VirusInfo": "Malicious Payload#", "VirusVendor": "Advanced Threat Protection", "WebId": "84f9cc67-d868-4b28-8a53-ae32a40abae4", "Workload": "OneDrive"} {"CreationTime": "2024-03-18T18:34:40", "ExtendedProperties": [{"Name": "DownloadHeaders", "Value": "True"}, {"Name": "MailboxId", "Value": "victim@attack_range.lan"}, {"Name": "InternetMessageId", "Value": "%3C4316b428-062e-4a86-a2b8-2f771979eb82%40sp-bounce.moneymagnetin.com%3E"}], "Id": "70c2e12e-ad2e-4dcb-9e8c-08dc477a12ef", "ObjectType": "EMail", "Operation": "AdminMailAccess", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 38, "UserId": "securityadmin@attack_range.lan", "UserKey": "1ea75aee-99d1-4b30-b467-92fc11cd79d8", "UserType": 2, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AppAccessContext": {"IssuedAtTime": "2024-03-20T21:30:16", "UniqueTokenId": "1hiPi8Gvl0uIsX6Ngj1OAA"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiNetCore", "ClientAppId": "", "ClientIP": "189.135.168.197:29124", "CreationTime": "2024-03-20T21:35:16", "ExternalAccess": false, "Id": "9c6a0fca-4871-42bb-a8b9-08dc4925a22b", "ObjectId": "Leadership Anti-Impersonation", "Operation": "Set-AntiPhishPolicy", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "LV3PR08MB9628 (15.20.7386.023)", "Parameters": [{"Name": "SpoofQuarantineTag", "Value": "DefaultFullAccessPolicy"}, {"Name": "EnableUnauthenticatedSender", "Value": "True"}, {"Name": "MailboxIntelligenceQuarantineTag", "Value": "DefaultFullAccessPolicy"}, {"Name": "EnableTargetedDomainsProtection", "Value": "False"}, {"Name": "TargetedDomainActionRecipients", "Value": ""}, {"Name": "EnableSimilarUsersSafetyTips", "Value": "False"}, {"Name": "MailboxIntelligenceProtectionAction", "Value": "Quarantine"}, {"Name": "TargetedUserActionRecipients", "Value": ""}, {"Name": "EnableMailboxIntelligenceProtection", "Value": "True"}, {"Name": "EnableUnusualCharactersSafetyTips", "Value": "False"}, {"Name": "HonorDmarcPolicy", "Value": "True"}, {"Name": "TargetedUserQuarantineTag", "Value": "DefaultFullAccessPolicy"}, {"Name": "EnableTargetedUserProtection", "Value": "True"}, {"Name": "EnableSimilarDomainsSafetyTips", "Value": "False"}, {"Name": "ExcludedDomains", "Value": "badguy.com"}, {"Name": "Identity", "Value": "Leadership Anti-Impersonation"}, {"Name": "ImpersonationProtectionState", "Value": "Manual"}, {"Name": "EnableSpoofIntelligence", "Value": "True"}, {"Name": "DmarcQuarantineAction", "Value": "Quarantine"}, {"Name": "AuthenticationFailAction", "Value": "Quarantine"}, {"Name": "TargetedDomainsToProtect", "Value": ""}, {"Name": "TargetedDomainProtectionAction", "Value": "Quarantine"}, {"Name": "EnableFirstContactSafetyTips", "Value": "False"}, {"Name": "EnableViaTag", "Value": "True"}, {"Name": "MailboxIntelligenceProtectionActionRecipients", "Value": ""}, {"Name": "DmarcRejectAction", "Value": "Reject"}, {"Name": "TargetedUsersToProtect", "Value": "Executive, Mister;mr.executive@attack_range.lan"}, {"Name": "EnableMailboxIntelligence", "Value": "True"}, {"Name": "AdminDisplayName", "Value": ""}, {"Name": "ExcludedSenders", "Value": "attacker@bad_guy.lol"}, {"Name": "TargetedUserProtectionAction", "Value": "Quarantine"}, {"Name": "PhishThresholdLevel", "Value": "3"}, {"Name": "TargetedDomainQuarantineTag", "Value": "DefaultFullAccessPolicy"}, {"Name": "EnableOrganizationDomainsProtection", "Value": "True"}], "RecordType": 1, "RequestId": "9789ecd6-49fd-65a3-e694-5cef33e8b018", "ResultStatus": "True", "SessionId": "28d6951d-fad0-48ce-9958-860df0188dba", "UserId": "attacker@attack_range.lan", "UserKey": "10032001E46E5F54", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"AppAccessContext": {"IssuedAtTime": "2024-02-12T16:46:47", "UniqueTokenId": "o-c_mHHOI0yZjHJiKA9YAA"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:11346", "CreationTime": "2024-02-12T16:51:49", "ExternalAccess": false, "Id": "8efbbc24-4a6d-4d1e-7c59-08dc2beae80a", "ObjectId": "Organization Wide", "Operation": "Set-SafeLinksRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SJ0PR08MB7681 (15.20.7270.031)", "Parameters": [{"Name": "Identity", "Value": "31726125-e0d1-4e10-91de-51c90501fdc8"}, {"Name": "SentTo", "Value": ""}, {"Name": "SentToMemberOf", "Value": ""}, {"Name": "RecipientDomainIs", "Value": "attack_range.lan;attack_range.onmicrosoft.com;attack_range.mail.onmicrosoft.com"}, {"Name": "ExceptIfSentTo", "Value": ""}, {"Name": "ExceptIfSentToMemberOf", "Value": ""}, {"Name": "ExceptIfRecipientDomainIs", "Value": ""}], "RecordType": 1, "RequestId": "0fdec6be-4a60-1635-d46a-5d84abdea483", "ResultStatus": "True", "SessionId": "0bc9525f-1242-46a0-9e31-c35cee28b317", "UserId": "attacker@attack_range.lan", "UserKey": "1003200143005E6B", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"AppAccessContext": {"IssuedAtTime": "2024-02-01T22:21:33", "UniqueTokenId": "87Hz6J-5h0K6bJR_NT9QAA"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:14381", "CreationTime": "2024-02-01T22:26:34", "ExternalAccess": false, "Id": "477ed988-73b0-493a-b3a9-08dc2374d903", "ObjectId": "Safe-Links Org-Wide", "Operation": "Disable-SafeLinksRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BYAPR08MB5704 (15.20.7249.013)", "Parameters": [{"Name": "Identity", "Value": "56216be3-9e84-411a-af36-13f200007341"}], "RecordType": 1, "RequestId": "9f9f2ef1-0861-91d6-68da-af7ccdc0c5a2", "ResultStatus": "True", "SessionId": "c85d6a46-8c63-449b-9591-c3ab602dac97", "UserId": "attacker@attack_range.lan", "UserKey": "1003200143005E6B", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"AppAccessContext": {"IssuedAtTime": "2024-02-01T22:14:33", "UniqueTokenId": "8VGzdfj16kKZQdp0uD5BAA"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:12948", "CreationTime": "2024-02-01T22:26:20", "ExternalAccess": false, "Id": "a5b57a25-1aaa-49fb-9bff-08dc2374d0d1", "ObjectId": "attack_range.onmicrosoft.com\\Organization Wide", "Operation": "New-SafeLinksPolicy", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BYAPR08MB5704 (15.20.7249.013)", "Parameters": [{"Name": "Name", "Value": "Organization Wide"}, {"Name": "ScanUrls", "Value": "True"}, {"Name": "DoNotRewriteUrls", "Value": ""}, {"Name": "CustomNotificationText", "Value": ""}, {"Name": "EnableSafeLinksForTeams", "Value": "True"}, {"Name": "EnableSafeLinksForEmail", "Value": "True"}, {"Name": "UseTranslatedNotificationText", "Value": "False"}, {"Name": "DisableUrlRewrite", "Value": "True"}, {"Name": "EnableForInternalSenders", "Value": "True"}, {"Name": "AllowClickThrough", "Value": "False"}, {"Name": "AdminDisplayName", "Value": "Created: 02/01/2024 - Security Admin"}, {"Name": "DeliverMessageAfterScan", "Value": "True"}, {"Name": "EnableSafeLinksForOffice", "Value": "True"}, {"Name": "EnableOrganizationBranding", "Value": "True"}, {"Name": "TrackClicks", "Value": "True"}], "RecordType": 1, "RequestId": "ea5540b7-d372-aec2-e09a-e22eb321d59d", "ResultStatus": "True", "SessionId": "c85d6a46-8c63-449b-9591-c3ab602dac97", "UserId": "attacker@attack_range.lan", "UserKey": "1003200143005E6B", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"AppAccessContext": {"IssuedAtTime": "2024-01-11T18:54:02", "UniqueTokenId": "cJbYENC7C0Sghxy_rCoeAQ"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:50345", "CreationTime": "2024-01-11T19:02:05", "ExternalAccess": false, "Id": "844c6328-ba9e-49ec-56a8-08dc12d7cd79", "ObjectId": "attack_range.onmicrosoft.com\\Strict Preset Security Policy1704999724791", "Operation": "New-SafeAttachmentPolicy", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "CH0PR08MB8662 (15.20.7181.018)", "Parameters": [{"Name": "Name", "Value": "Strict Preset Security Policy1704999724791"}, {"Name": "RecommendedPolicyType", "Value": "Strict"}], "RecordType": 1, "RequestId": "c1f39c31-373a-4e80-65e2-d9072d67de24", "ResultStatus": "True", "SessionId": "db6bdf1d-9004-4184-aca7-13ebe36a91ac", "UserId": "attacker@attack_range.lan", "UserKey": "1003BFFDAE65DE71", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"AppAccessContext": {"IssuedAtTime": "2024-01-11T18:53:20", "UniqueTokenId": "7DDRIUurd0KlZ5lvp8ieBA"}, "AppId": "80ccca67-54bd-44ab-8625-4b79c4dc7775", "AppPoolName": "MSExchangeAdminApiAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:46342", "CreationTime": "2024-01-11T19:02:04", "ExternalAccess": false, "Id": "afc4377c-650c-4e0e-486c-08dc12d7cccb", "ObjectId": "attack_range.onmicrosoft.com\\Strict Preset Security Policy1704999723610", "Operation": "New-MalwareFilterPolicy", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "CH0PR08MB8662 (15.20.7181.018)", "Parameters": [{"Name": "Name", "Value": "Strict Preset Security Policy1704999723610"}, {"Name": "RecommendedPolicyType", "Value": "Strict"}], "RecordType": 1, "RequestId": "860df8a4-69b0-8027-31d8-67ac5b4a58a4", "ResultStatus": "True", "SessionId": "db6bdf1d-9004-4184-aca7-13ebe36a91ac", "UserId": "attacker@attack_range.lan", "UserKey": "1003BFFDAE65DE71", "UserType": 2, "Version": 1, "Workload": "Exchange"} {"ClientApplication": "EMC", "CmdletVersion": "...", "CreationTime": "2024-03-29T13:06:55", "EffectiveOrganization": "attack_range.onmicrosoft.com", "Id": "06ed3385-7cb8-4465-9513-e6c201946f53", "NonPIIParameters": "", "ObjectId": "", "Operation": "Get-ComplianceCase", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Parameters": "", "RecordType": 18, "ResultStatus": "Success", "SecurityComplianceCenterEventType": 0, "StartTime": "2024-03-29T13:06:55", "UserId": "attacker@attack_range.lan", "UserKey": "attacker@attack_range.lan", "UserServicePlan": "", "UserType": 2, "Version": 1, "Workload": "SecurityComplianceCenter"} {"Case": "Super Confidential Case", "CreationTime": "2024-03-29T13:06:39", "ExchangeLocations": "", "ExtendedProperties": [{"Name": "CaseId", "Value": "13d45c9a-246a-4781-8924-7c2d05f25e71"}, {"Name": "CaseMembersSmtp", "Value": "victim@attack_range.lan"}, {"Name": "CaseMembersGuid", "Value": "b7f216e4-a535-4a9b-910b-42b0f78c092b,96b41157-00a8-46d0-866b-3d9589a334e5"}], "Id": "e610bcb4-6b0f-4175-5734-08dc4ff112a1", "ObjectId": "Super Confidential Case", "ObjectType": "Case", "Operation": "CaseViewed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Parameters": [{"Name": "CmdletOptions", "Value": "-Identity \"MTNkNDVjOWEtMjQ2YS00NzgxLTg5MjQtN2MyZDA1ZjI1ZTcx0\""}, {"Name": "Cmdlet", "Value": "Get-ComplianceCase"}], "PublicFolderLocations": "", "Query": "", "RecordType": 24, "SharepointLocations": "", "UserId": "attacker@attack_range.lan", "UserKey": "b7f216e4-a535-4a9b-910b-42b0f78c092b", "UserType": 0, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "attacker@attack_range.lan", "AlertId": "edac5e08-5074-2c6c-0000-08dc4f372e66", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-03-28T14:58:17", "Data": "{\"etype\":\"User\",\"eid\":\"attacker@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-03-28T14:55:24.0000000Z\",\"te\":\"2024-03-28T14:55:24.0000000Z\",\"op\":\"CompromisedAccount\",\"tdc\":\"1\",\"suid\":\"attacker@attack_range.lan\",\"ut\":\"System\",\"ssic\":\"0\",\"lon\":\"CompromisedAccount\"}", "EntityType": "User", "Id": "83657b83-3b91-442c-1641-08dc4f37804d", "Name": "User restricted from sending email", "ObjectId": "attacker@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "7a4e7306-bbcb-401f-b112-8ca5f798a230", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "High", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "attacker@attack_range.lan", "AlertId": "586ca008-1042-c1ea-4600-08dc2b5048e3", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2024-02-11T22:27:25", "Data": "{\"etype\":\"User\",\"eid\":\"attacker@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2024-02-11T22:24:50.0000000Z\",\"te\":\"2024-02-11T22:24:50.0000000Z\",\"op\":\"EmailSendingLimitExceeded\",\"tdc\":\"1\",\"suid\":\"attacker@attack_range.lan\",\"ut\":\"System\",\"ssic\":\"0\",\"lon\":\"EmailSendingLimitExceeded\"}", "EntityType": "User", "Id": "ac7f0d9f-eb41-4137-fd09-08dc2b509f75", "Name": "Email sending limit exceeded", "ObjectId": "attacker@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "2cc44934-4d16-420b-b4e8-74a77fd0ab24", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Medium", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AlertEntityId": "attacker@attack_range.lan", "AlertId": "db29e2e7-2480-2e76-5800-08dbd19c8638", "AlertLinks": [{"AlertLinkHref": ""}], "AlertType": "System", "Category": "ThreatManagement", "Comments": "New alert", "CreationTime": "2023-10-20T18:45:52", "Data": "{\"etype\":\"User\",\"eid\":\"attacker@attack_range.lan\",\"tid\":\"6915b1e0-b081-4829-8866-f1a3e883a9ae\",\"ts\":\"2023-10-20T18:43:38.0000000Z\",\"te\":\"2023-10-20T18:43:38.0000000Z\",\"op\":\"CompromisedWarningAccount\",\"tdc\":\"1\",\"suid\":\"attacker@attack_range.lan\",\"ut\":\"System\",\"ssic\":\"0\",\"lon\":\"CompromisedWarningAccount\"}", "EntityType": "User", "Id": "4d182c40-ed8f-4187-fc53-08dbd19cc982", "Name": "Suspicious email sending patterns detected", "ObjectId": "attacker@attack_range.lan", "Operation": "AlertEntityGenerated", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "PolicyId": "be215649-fba8-4339-9ddd-05991a43b948", "RecordType": 40, "ResultStatus": "Succeeded", "Severity": "Medium", "Source": "Office 365 Security & Compliance", "Status": "Active", "UserId": "SecurityComplianceAlerts", "UserKey": "SecurityComplianceAlerts", "UserType": 4, "Version": 1, "Workload": "SecurityComplianceCenter"} {"AppAccessContext": {"AADSessionId": "db6903cb-7633-4574-a602-9d0b211312b2", "ClientAppName": "Unknown", "CorrelationId": "ae3617a1-d097-0000-04fe-d03fd79ad5b6", "UniqueTokenId": "cWix_Ic8r0ytOcjRtLy5AA"}, "ApplicationDisplayName": "Unknown", "AuthenticationType": "FormsCookieAuth", "BrowserName": "Edge", "BrowserVersion": "122.0.0.0", "ClientIP": "189.135.168.197", "CorrelationId": "ae3617a1-d097-0000-04fe-d03fd79ad5b6", "CreationTime": "2024-03-21T13:41:05", "DeviceDisplayName": "189.135.168.197", "EventData": "5d3fc8f6-c10c-467b-901b-091788dd7bfd_0", "EventSource": "SharePoint", "Id": "82e317a0-22ad-4d37-dd27-08dc49ac8e8e", "IsManagedDevice": false, "ItemType": "Tenant", "ModifiedProperties": [{"Name": "AllowDomainList", "NewValue": "attack_range.lan,attack_range.com,attack_range_old....", "OldValue": "attack_range.lan,attack_range.com,attack_range_old...."}], "ObjectId": "", "Operation": "SharingPolicyChanged", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Platform": "WinDesktop", "RecordType": 4, "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0", "UserId": "attacker@attack_range.lan", "UserKey": "i:0h.f|membership|1003200353e086c7@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint"} {"AppAccessContext": {"AADSessionId": "db6903cb-7633-4574-a602-9d0b211312b2", "ClientAppName": "Unknown", "CorrelationId": "ae3617a1-d097-0000-04fe-d03fd79ad5b6", "UniqueTokenId": "cWix_Ic8r0ytOcjRtLy5AA"}, "ApplicationDisplayName": "Unknown", "AuthenticationType": "FormsCookieAuth", "BrowserName": "Edge", "BrowserVersion": "122.0.0.0", "ClientIP": "189.135.168.197", "CorrelationId": "ae3617a1-d097-0000-04fe-d03fd79ad5b6", "CreationTime": "2024-03-21T13:41:05", "DeviceDisplayName": "189.135.168.197", "EventData": "5d3fc8f6-c10c-467b-901b-091788dd7bfd_1", "EventSource": "SharePoint", "Id": "82e317a0-22ad-4d37-dd27-08dc49ac8e8e", "IsManagedDevice": false, "ItemType": "Tenant", "ModifiedProperties": [{"Name": "AllowDomainList", "NewValue": "com,bad_guy.lol", "OldValue": "com"}], "ObjectId": "", "Operation": "SharingPolicyChanged", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Platform": "WinDesktop", "RecordType": 4, "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0", "UserId": "attacker@attack_range.lan", "UserKey": "i:0h.f|membership|1003200353e086c7@live.com", "UserType": 0, "Version": 1, "Workload": "SharePoint"}