Adversaries deliver malware by email from sender domains that either look legitimate or belong to compromised accounts whose mail passes authentication checks. Ranking inbound messages that received a Malware verdict by their P2 sender domain (SenderFromDomain) shows which domains are driving that volume, so the SOC can block them, check whether any of their messages were delivered rather than quarantined, and pivot to the affected recipients. SOC teams should run this as a proactive hunt in Azure Sentinel (now Microsoft Sentinel); it targets initial access via phishing (T1566), the tactic and technique recorded in the query metadata below.
KQL Query
```kql
EmailEvents
| where ThreatTypes has "Malware" and EmailDirection == "Inbound"
| summarize count() by SenderFromDomain
| sort by count_
| top 15 by count_
//| render columnchart // Uncomment to display as a column graph
//| render piechart // Uncomment to display as a piechart
```
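The base query answers "which domains?" but not "did any of it get through?" or "what was attached?". The following is an added triage example, not part of the original hunting query or the Defender for Office 365 solution. It keeps the original filter and cut-off and enriches each of the top domains with delivered-message counts, distinct recipients and sending addresses, the threat names, and the attachment names and SHA256 hashes behind the verdicts. Column names are the documented EmailEvents and EmailAttachmentInfo schema; the 7-day lookback and the 15-domain cut-off are assumptions.

```kql
// Added triage example; not part of the original hunting query.
// Assumptions: 7-day lookback, 15-domain cut-off (same as the base query).
let lookback = 7d;
let malwareInbound =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has "Malware" and EmailDirection == "Inbound";
// Same ranking as the base query: one EmailEvents row per message per recipient.
let topDomains =
    malwareInbound
    | summarize MalwareRows = count() by SenderFromDomain
    | top 15 by MalwareRows;
malwareInbound
| where SenderFromDomain in ((topDomains | project SenderFromDomain))
// Attachment rows are per message and recipient; leftouter keeps URL-only
// detections, which have no attachment row at all.
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where ThreatTypes has "Malware"
    | project NetworkMessageId, RecipientEmailAddress, FileName, SHA256
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    Messages        = dcount(NetworkMessageId),
    Recipients      = dcount(RecipientEmailAddress),
    SenderAddresses = dcount(SenderFromAddress),
    // "Delivered" means the message reached a mailbox rather than junk/quarantine
    DeliveredMsgs   = dcountif(NetworkMessageId, DeliveryAction == "Delivered"),
    ThreatNames     = make_set(ThreatNames, 10),
    Attachments     = make_set_if(strcat(FileName, " ", SHA256), isnotempty(SHA256), 5),
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp)
  by SenderFromDomain
| extend DeliveredPct = round(100.0 * DeliveredMsgs / Messages, 1)
// Domains whose malware is actually landing in mailboxes matter more than raw volume.
| sort by DeliveredMsgs desc, Messages desc
```

Sorting by DeliveredMsgs first surfaces the domains that need a response (recipient cleanup, tenant block list, hash block) ahead of domains that are noisy but fully quarantined. The SHA256 values are ready to paste into a custom indicator or to pivot against DeviceFileEvents.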
```yaml
id: c7274e0c-af01-43a3-ad63-6a679191cc7f
name: Email Top Domains sending Malware
description: |
  This query visualises total inbound emails with Malware detections, summarizing the data by the top email sender P2 domain (SenderFromDomain)
description-detailed: |
  This query visualises total inbound emails with Malware detections, summarizing the data by the top email sender P2 domain (SenderFromDomain).
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where ThreatTypes has "Malware" and EmailDirection == "Inbound"
  | summarize count() by SenderFromDomain
  | sort by count_
  | top 15 by count_
  //| render columnchart // Uncomment to display as a column graph
  //| render piechart // Uncomment to display as a piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled with the EmailEvents data type selected |
Scenario: Scheduled Job Sending Test Emails
Description: A scheduled job (e.g., Jenkins, Airflow) sends validation mail to internal users, sometimes with a deliberately detectable attachment such as an EICAR test file, so the messages receive a Malware verdict and the job's sending domain climbs the list. This only affects the query when the job relays through an external MTA: mail sent within the tenant has EmailDirection "Intra-org" and is already excluded by the base query's "Inbound" filter.
Filter/Exclusion: Exclude the job's sending domains with an exact-match allowlist on SenderFromDomain, using the KQL operator !in rather than SQL NOT IN. Example: `| where SenderFromDomain !in ("internal.smtp.example.com", "jenkins.example.com")`.
Scenario: Admin Task Using Email for Notifications
Description: An admin task (e.g., a PowerShell or Ansible job) mails users about system updates or alerts; script or archive attachments in those notifications can receive a Malware verdict.
Filter/Exclusion: Exclude the notification sender by its SenderFromDomain or SenderFromAddress, never by recipient or sender privilege: admin mailboxes are exactly the accounts an attacker targets, and EmailEvents has no UserPrincipalName column to filter on anyway. Example: `| where SenderFromDomain !in ("admin.smtp.example.com", "smtp.example.com") and SenderFromAddress != "noreply@example.com"`.
Scenario: Email Server Sending Bounce Emails
Description: External mail servers (e.g., Microsoft Exchange, Postfix) return bounce messages or delivery status notifications (DSNs) that attach the original message; when that message carried malware, the DSN itself is flagged and the bouncing server's domain is counted.
Filter/Exclusion: Exclude DSNs by sender address and subject. EmailEvents does not expose arbitrary headers, so match on SenderFromAddress and Subject, and combine the tests so a message is dropped when any of them matches; writing the exclusion as "NOT A OR NOT B" only removes messages that match every test. Example: `| where not(SenderFromAddress startswith "postmaster@" or Subject contains "Delivery Status")`.
Scenario: Internal Collaboration Tool Using Email for File Sharing
Description: A collaboration tool (e.g., Microsoft Teams, or Slack through its email integration) sends file-share notifications with attachments, which can receive a Malware verdict when the shared file's type or content is detected. Verify the detection before suppressing it: a flagged file shared through a trusted tool is still a flagged file.
Filter/Exclusion: Exclude emails sent by internal collaboration tools using specific domains or headers
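The four scenarios above can be folded into one tuned version of the hunting query. The following is an added example, not part of the original query or the Sentinel solution; it uses KQL operators (!in, not(), startswith, contains) in place of the SQL-style NOT IN / LIKE written in the scenario text, and goes one step beyond the text for the test-mail scenario by separating EICAR test-file rows instead of hiding the whole CI domain. Every domain and address is a placeholder, the 7-day lookback is an assumption, and the assumption that the CI job's test mail is detected as EICAR is marked in the code.

```kql
// Added tuning example; not part of the original query.
// Placeholders: every domain/address below. Assumption: 7-day lookback.
//
// Scope caveat: EmailDirection is "Inbound", "Outbound" or "Intra-org". A job
// that sends through Exchange Online to users in the same tenant is Intra-org
// and never matches the base query, so only senders relayed through an
// external MTA need an allowlist entry at all.
let knownSenderDomains = datatable(SenderFromDomain: string, Reason: string) [
    "admin.smtp.example.com",   "Scenario 2: PowerShell / Ansible notifications",
    "smtp.example.com",         "Scenario 2: shared relay used by admin tooling",
    "mail.collab-tool.example", "Scenario 4: file-share notifications (verified)"
];
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware" and EmailDirection == "Inbound"
// Scenarios 2 and 4: exact match on the P2 domain. No wildcards, and no
// exclusion by recipient privilege: admin mailboxes are the targets.
| where SenderFromDomain !in ((knownSenderDomains | project SenderFromDomain))
// Scenario 3: DSNs come from postmaster/mailer-daemon and carry a DSN subject.
// EmailEvents has no raw headers, so these two fields are what is available.
// The indicators are OR-ed inside not(): a message is dropped when ANY of
// them matches, which is what the exclusion intends.
| where not(SenderFromAddress startswith "postmaster@"
         or SenderFromAddress startswith "mailer-daemon@"
         or Subject contains "Delivery Status Notification"
         or Subject contains "Undeliverable")
// Scenario 1, handled without an allowlist: split test-file detections out
// so the CI domain still ranks if it ever sends something other than EICAR.
// Assumption: the job's test attachment is detected with "EICAR" in ThreatNames.
| extend IsTestFile = ThreatNames contains "EICAR"
| summarize MalwareRows = count(), TestFileRows = countif(IsTestFile) by SenderFromDomain
| extend RealMalwareRows = MalwareRows - TestFileRows
| top 15 by RealMalwareRows
```

Keeping the allowlist in a datatable with a Reason column makes the exclusions reviewable in the query itself; moving it to a watchlist later is a one-line change to `_GetWatchlist()`. Rows with RealMalwareRows of zero but a non-zero TestFileRows are the scheduled job; anything above zero from that domain is worth a look.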