Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Word Viewer, Excel, PowerPoint, Outlook) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to the one seen exploited in CVE-2021-42292. Because the rule allow-lists large Microsoft and Akamai address ranges, it will not flag attacker infrastructure hosted inside those ranges. This rule will require an initial baseline and tuning that is specific to your organization.
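title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Word Viewer, Excel, PowerPoint, Outlook) that initiates a network connection to a non-private IP address.
    This rule aims to detect traffic similar to the one seen exploited in CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
    Note: the Microsoft/Akamai filters exclude large cloud and CDN ranges; attacker infrastructure hosted inside those ranges will not be flagged by this rule.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Office binaries that, outside of Microsoft 365 services, should rarely
        # need to talk directly to public IP addresses.
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        # Outbound connections started by the process only (not listening/inbound sockets).
        Initiated: 'true'
    # Loopback, RFC 1918 and link-local ranges are "local" for the purpose of this rule.
    # NOTE(review): 100.64.0.0/10 (RFC 6598 shared address space) is not excluded;
    # environments that use CGNAT or overlay VPNs in that range may want to add it here.
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    # NOTE(review): these are broad Microsoft and Akamai allocations, not Microsoft 365
    # specific prefixes. Any tenant or CDN customer hosted inside them (including an
    # attacker's) is invisible to this rule; prefer the service-specific filters below
    # and tighten these ranges where your environment allows it.
    filter_main_msrange_generic:
        DestinationIp|cidr:
            - '2.16.56.0/23' # Akamai International B.V.
            - '2.17.248.0/21' # Akamai International B.V.
            - '13.107.240.0/21' # Microsoft Corporation
            - '20.184.0.0/13' # Microsoft Corporation
            - '23.61.224.0/20' # Akamai-AS
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '23.3.88.0/22' # Akamai-AS
            - '23.216.132.0/22' # Akamai-AS
            - '40.76.0.0/14' # Microsoft Corporation
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
            - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
            - '95.101.96.0/21' # Akamai-AS
            - '204.79.197.0/24' # Microsoft Corporation
    # The filters below are taken from the published Microsoft 365 endpoint list (see references)
    # and are scoped to the ports each service uses, so an Office process reaching the same
    # prefix on an unusual port is still reported.
    filter_main_msrange_exchange_1:
        # Exchange Online
        # "urls": [
        #     "outlook.cloud.microsoft",
        #     "outlook.office.com",
        #     "outlook.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.4.0/22'
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.42.0/23'
            - '13.107.128.0/22'
            - '23.35.224.0/20'
            - '23.53.40.0/22'
            - '23.103.160.0/20'
            - '23.216.76.0/22'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        DestinationPort:
            - 80
            - 443
    filter_main_msrange_exchange_2:
        # Exchange Online
        # "urls": [
        #     "outlook.office365.com",
        #     "smtp.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.128.0/22'
            - '23.103.160.0/20'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        # IMAP / SMTP submission / IMAPS / POP3S
        DestinationPort:
            - 143
            - 587
            - 993
            - 995
        Protocol: 'tcp'
    filter_main_msrange_exchange_3:
        # Exchange Online
        # "urls": [
        #     "*.protection.outlook.com"
        # ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 443
    filter_main_msrange_exchange_4:
        # Exchange Online
        # "urls": [
        #     "*.mail.protection.outlook.com",
        #     "*.mx.microsoft"
        # ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 25
    filter_main_msrange_sharepoint_1:
        # SharePoint Online and OneDrive for Business
        # "urls": [
        #     "*.sharepoint.com"
        # ]
        DestinationIp|cidr:
            - '13.107.136.0/22'
            - '40.108.128.0/17'
            - '52.104.0.0/14'
            - '104.146.128.0/17'
            - '150.171.40.0/22'
            - '2603:1061:1300::/40'
            - '2620:1ec:8f8::/46'
            - '2620:1ec:908::/46'
            - '2a01:111:f402::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_1:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #     "*.officeapps.live.com",
        #     "*.online.office.com",
        #     "office.live.com",
        #     "office.com.akadns.net"
        # ],
        DestinationIp|cidr:
            - '13.107.6.171/32'
            - '13.107.18.15/32'
            - '13.107.140.6/32'
            - '20.64.0.0/10'
            - '52.108.0.0/14'
            - '52.244.37.168/32'
            - '2603:1006:1400::/40'
            - '2603:1016:2400::/40'
            - '2603:1026:2400::/40'
            - '2603:1036:2400::/40'
            - '2603:1046:1400::/40'
            - '2603:1056:1400::/40'
            - '2603:1063:2000::/38'
            - '2620:1ec:c::15/128'
            - '2620:1ec:8fc::6/128'
            - '2620:1ec:a92::171/128'
            - '2a01:111:f100:2000::a83e:3019/128'
            - '2a01:111:f100:2002::8975:2d79/128'
            - '2a01:111:f100:2002::8975:2da8/128'
            - '2a01:111:f100:7000::6fdd:6cd5/128'
            - '2a01:111:f100:a004::bfeb:88cf/128'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_2:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #     "*.auth.microsoft.com",
        #     "*.msftidentity.com",
        #     "*.msidentity.com",
        #     "account.activedirectory.windowsazure.com",
        #     "accounts.accesscontrol.windows.net",
        #     "adminwebservice.microsoftonline.com",
        #     "api.passwordreset.microsoftonline.com",
        #     "autologon.microsoftazuread-sso.com",
        #     "becws.microsoftonline.com",
        #     "ccs.login.microsoftonline.com",
        #     "clientconfig.microsoftonline-p.net",
        #     "cloudapp.azure.com",
        #     "companymanager.microsoftonline.com",
        #     "device.login.microsoftonline.com",
        #     "graph.microsoft.com",
        #     "graph.windows.net",
        #     "login-us.microsoftonline.com",
        #     "login.microsoft.com",
        #     "login.microsoftonline-p.com",
        #     "login.microsoftonline.com",
        #     "login.windows.net",
        #     "logincert.microsoftonline.com",
        #     "loginex.microsoftonline.com",
        #     "nexus.microsoftonline-p.com",
        #     "passwordreset.microsoftonline.com",
        #     "provisioningapi.microsoftonline.com",
        #     "web.core.windows.net",
        # ]
        DestinationIp|cidr:
            - '172.128.0.0/10'
            - '20.20.32.0/19'
            - '20.103.156.88/32' # msn.com - NOTE(review): single IP outside the M365 list; re-verify ownership periodically
            - '20.190.128.0/18'
            - '20.231.128.0/19'
            - '40.126.0.0/18'
            - '57.150.0.0/15'
            - '2603:1006:2000::/48'
            - '2603:1007:200::/48'
            - '2603:1016:1400::/48'
            - '2603:1017::/48'
            - '2603:1026:3000::/48'
            - '2603:1027:1::/48'
            - '2603:1036:3000::/48'
            - '2603:1037:1::/48'
            - '2603:1046:2000::/48'
            - '2603:1047:1::/48'
            - '2603:1056:2000::/48'
            - '2603:1057:2::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_3:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #     "*.compliance.microsoft.com",
        #     "*.data.microsoft.com",
        #     "*.protection.office.com",
        #     "*.security.microsoft.com",
        #     "compliance.microsoft.com",
        #     "defender.microsoft.com",
        #     "protection.office.com",
        #     "security.microsoft.com",
        #     "teams.microsoft.com",
        # ]
        DestinationIp|cidr:
            - '13.64.0.0/11'
            - '13.107.6.192/32'
            - '13.107.9.192/32'
            - '13.89.179.14/32'
            - '20.40.0.0/14'
            - '20.48.0.0/12'
            - '20.64.0.0/12'
            - '52.123.0.0/16'
            - '52.108.0.0/14'
            - '52.136.0.0/13'
            - '57.150.0.0/15'
            - '80.239.150.67/32' # Arelion Sweden AB - NOTE(review): non-Microsoft single IP; re-verify ownership periodically
            - '2620:1ec:4::192/128'
            - '2620:1ec:a92::192/128'
        DestinationPort: 443
        Protocol: 'tcp'
    # NOTE(review): this filter keys on DestinationHostname, which in Sysmon is typically
    # populated by a reverse-DNS lookup of the destination IP. It matches every Akamai-fronted
    # service, not only Microsoft ones, so it is a broad exclusion.
    filter_main_destination_host:
        DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
        DestinationPort: 443
        Protocol: 'tcp'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
    - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium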