Adversaries may use email to deliver malware by exploiting user trust, leveraging T1566 techniques to bypass email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential email-based attacks before they cause significant damage.
KQL Query
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatNames)
| join kind=inner EmailAttachmentInfo on NetworkMessageId
| extend ThreatFamilyAttachment = strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " /", ThreatNames, " /", FileName, " /", NetworkMessageId)
| summarize ThreatFamily_wih_Attachment= make_list(ThreatFamilyAttachment) by RecipientEmailAddress
| extend Case = array_length(ThreatFamily_wih_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
| sort by Case desc
id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
name: Email malware detection report
description: |
This query helps reviewing email malware detection cases
description-detailed: |
This query helps reviewing email malware detection cases in Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailAttachmentInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatNames)
| join kind=inner EmailAttachmentInfo on NetworkMessageId
| extend ThreatFamilyAttachment = strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " /", ThreatNames, " /", FileName, " /", NetworkMessageId)
| summarize ThreatFamily_wih_Attachment= make_list(ThreatFamilyAttachment) by RecipientEmailAddress
| extend Case = array_length(ThreatFamily_wih_Attachment)
| project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
| sort by Case desc
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailAttachmentInfo | Ensure this data connector is enabled |
EmailEvents | Ensure this data connector is enabled |
Scenario: A scheduled system update job sends a report via email containing a temporary file path that matches a known malware signature.
Filter/Exclusion: Exclude emails sent by the system update scheduler (e.g., update-scheduler@domain.com) or filter based on the subject line containing “System Update Report”.
Scenario: An administrator uses a third-party email archiving tool (e.g., Mimecast) to send a malware scan report to the security team, which includes a file path that matches a false positive pattern.
Filter/Exclusion: Exclude emails originating from the archiving tool’s admin email address or include a custom header indicating the email is part of an archiving report.
Scenario: A user runs a malware scan using Microsoft Defender for Endpoint and receives an email summary that includes a file path from a legitimate system directory (e.g., C:\Windows\Temp\).
Filter/Exclusion: Exclude emails from the Microsoft Defender for Endpoint email notification service or filter based on the presence of a specific sender domain (e.g., microsoft.com).
Scenario: A nightly backup job sends an email confirmation with a temporary file name that matches a malware signature (e.g., backup_temp_12345.tmp).
Filter/Exclusion: Exclude emails sent by the backup job service (e.g., backup-service@domain.com) or filter based on the presence of a specific file extension or naming pattern.
Scenario: A security analyst manually reviews a malware sample using a sandbox environment (e.g., Cuckoo Sandbox) and sends an email report that includes the sandbox file path.
Filter/Exclusion: Exclude emails sent from the sandbox analysis tool’s admin email or filter based on the presence of a specific sandbox-related keyword in the email body.