Internal users may send emails with malicious attachments to external recipients, leveraging their trusted status to bypass email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats and prevent lateral movement or data exfiltration.
KQL Query
EmailEvents
| where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
| where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
id: 07c85687-6dee-4266-9345-1e34de85d989
name: Email containing malware sent by an internal sender
description: |
In this query, we are looking for emails containing malware attachment sent by an internal sender
description-detailed: |
In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- LateralMovement
relevantTechniques:
- T1534
query: |
EmailEvents
| where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
| where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
| join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailAttachmentInfo | Ensure this data connector is enabled |
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job with Encrypted Archive
Description: A scheduled backup job (e.g., using Veeam or Commvault) sends an encrypted .zip file to an internal recipient as part of the backup process. The file may be flagged as suspicious due to its extension or content.
Filter/Exclusion: Exclude emails sent by the backup job service account (e.g., backup@company.com) or use a filter based on the subject line containing “Backup” or “Scheduled Backup”.
Scenario: Internal System Alert Email with Malware-Related Payload
Description: An internal security tool (e.g., CrowdStrike or Microsoft Defender for Endpoint) sends an email alert containing a malware-related payload (e.g., a detection report or remediation script) to the SOC team.
Filter/Exclusion: Exclude emails from the internal security tool’s alerting email address (e.g., security-alerts@company.com) or filter based on the email body containing keywords like “alert”, “detection”, or “remediation”.
Scenario: Internal User Sending a Malware-Scanned File for Review
Description: A security analyst sends an email with a file that was previously scanned and found to be benign, but the scanner still flags it due to residual signatures or false positives.
Filter/Exclusion: Exclude emails from the security analyst’s email address (e.g., security-team@company.com) or use a filter based on the email body containing “safe”, “benign”, or “reviewed”.
Scenario: Internal Job Sending a Malware-Related Report for Analysis
Description: An internal job (e.g., a SIEM correlation rule in Splunk or QRadar) generates an email report containing malware-related information (e.g., hashes, indicators) for analysis.
Filter/Exclusion: Exclude