CVE-2020-7796 Microsoft Sentinel · KQL

Detect Zimbra Collaboration Suite SSRF Exploitation (CVE-2020-7796) in Microsoft Sentinel

Detects exploitation attempts targeting CVE-2020-7796, a Server-Side Request Forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This vulnerability allows unauthenticated remote attackers to make the Zimbra server issue arbitrary HTTP requests to internal or external resources, potentially enabling internal network scanning, credential theft, or pivoting to internal services.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
union isfuzzy=true
(
  W3CIISLog
  | where csUriStem has_any ("/zimlet/", "/service/proxy", "/service/extension/zimbrabackup", "/Microsoft-Server-ActiveSync")
  | where csUriQuery has_any ("target=", "host=", "url=", "backend=", "redirect=")
  | where csUriQuery matches regex @"(?i)(target|host|url|backend|redirect)=https?://"
  | extend SuspiciousTarget = extract(@"(?i)(?:target|host|url|backend|redirect)=([^&\s]+)", 1, csUriQuery)
  | where SuspiciousTarget matches regex @"(?i)(169\.254\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|localhost|127\.0\.0\.1|::1|metadata\.google|metadata\.internal|169\.254\.169\.254)"
  | project TimeGenerated, cIP, csHost, csMethod, csUriStem, csUriQuery, scStatus, SuspiciousTarget, Computer
)
,
(
  CommonSecurityLog
  | where DeviceVendor has_any ("Zimbra", "Synacor")
  | where RequestURL has_any ("/service/proxy", "/zimlet/", "/service/extension")
  | where RequestURL has_any ("target=", "host=", "url=")
  | project TimeGenerated, SourceIP, DestinationIP, RequestURL, DeviceVendor, DeviceProduct, Activity
)
| extend AccountName = coalesce(csHost, DestinationIP)
| summarize RequestCount = count(), UniqueTargets = dcount(SuspiciousTarget), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP = coalesce(cIP, SourceIP), AccountName
| where RequestCount >= 1
| extend RiskScore = case(RequestCount > 20, "High", RequestCount > 5, "Medium", "Low")
| project FirstSeen, LastSeen, SourceIP, AccountName, RequestCount, UniqueTargets, RiskScore
high severity medium confidence

Detects SSRF exploitation attempts against Zimbra Collaboration Suite by identifying HTTP requests to known SSRF-vulnerable endpoints with internal network targets or metadata service URLs in query parameters.

Data Sources

IIS Web LogsCommon Security LogProxy LogsNetwork Flow Logs

Required Tables

W3CIISLogCommonSecurityLog

False Positives & Tuning

  • Legitimate Zimbra administrative proxying operations using the /service/proxy endpoint
  • Security scanner or vulnerability assessment tools performing authorized testing against Zimbra
  • Zimbra internal health checks or calendar/mail federation that involve URL parameters

Other platforms for CVE-2020-7796

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Zimbra SSRF via /service/proxy to Internal Metadata Service

    Expected signal: HTTP GET request to /service/proxy with target parameter set to 169.254.169.254 visible in Zimbra access logs; outbound network connection from Zimbra server to 169.254.169.254:80 visible in network flow data

  2. Test 2Zimbra SSRF Internal Port Scan via /service/proxy

    Expected signal: Multiple sequential requests to /service/proxy with varying port numbers in the target parameter; outbound connections from Zimbra host to internal IP across multiple ports within a short time window

  3. Test 3Zimbra SSRF to Internal Admin Interface via /zimlet/ Endpoint

    Expected signal: HTTP GET to /zimlet/ endpoint with backend parameter containing 127.0.0.1 and internal admin port 7071; loopback connection attempt from Zimbra process visible in netstat/ss output or network telemetry

  4. Test 4Zimbra SSRF Credential Harvest via AWS EC2 Metadata

    Expected signal: Two sequential requests to /service/proxy with IMDSv1 paths in target parameter; successful 200 response containing JSON with AccessKeyId, SecretAccessKey, and Token fields if running on AWS EC2 without IMDSv2 enforcement

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2020-7796 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1046Network Service DiscoveryT1552.005Cloud Instance Metadata API

Same Tactic: Reconnaissance

Popular Detections