Adversaries may leverage group quarantine release events to exfiltrate data or evade detection by manipulating mailbox activity. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential data exfiltration or evasion tactics tied to email security controls.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| extend parsed=parse_json(RawEventData)
| extend NetworkMessageId = tostring(parsed.NetworkMessageId)
| join EmailEvents on NetworkMessageId
| summarize count() by DetectionMethods
| order by count_ desc
```
```yaml
id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
name: Group quarantine release
description: |
  This query helps in reviewing group quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
description-detailed: |
  This query helps in reviewing group quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "QuarantineReleaseMessage"
  | extend parsed=parse_json(RawEventData)
  | extend NetworkMessageId = tostring(parsed.NetworkMessageId)
  | join EmailEvents on NetworkMessageId
  | summarize count() by DetectionMethods
  | order by count_ desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
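The query above only counts released messages per detection method. The extension below is an added example, not the page's or the Azure Sentinel repository's own query: it lists who released which quarantined message together with the message's original verdict, collapsing the per-recipient rows of EmailEvents first so one release is not counted once per recipient, and it surfaces releases of malware or high-confidence phish and releases performed by non-admin accounts. It assumes the same two tables, that RawEventData carries NetworkMessageId for release events, and that ConfidenceLevel is a JSON string of the form {"Spam":...,"Phish":...} (an assumption).

```kusto
// Added example, not the page's own query. Assumes the Microsoft 365 Defender connector
// populates CloudAppEvents and EmailEvents, and that RawEventData carries NetworkMessageId.
let lookback = 30d;
let releases =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "QuarantineReleaseMessage"
    | extend parsed = parse_json(RawEventData)
    | extend NetworkMessageId = tostring(parsed.NetworkMessageId)
    | where isnotempty(NetworkMessageId)
    | project ReleaseTime = Timestamp, NetworkMessageId,
              ReleasedBy = AccountDisplayName, ReleaserObjectId = AccountObjectId,
              ReleaserIP = IPAddress, IsAdminOperation;
// EmailEvents holds one row per recipient, so collapse to one verdict row per message;
// joining the raw table would count each release once per recipient.
let verdicts =
    EmailEvents
    | where Timestamp > ago(lookback)
    | summarize Recipients = dcount(RecipientEmailAddress),
                arg_max(Timestamp, Subject, SenderFromAddress, ThreatTypes, ThreatNames,
                        DetectionMethods, ConfidenceLevel, DeliveryLocation)
      by NetworkMessageId;
releases
| join kind=inner verdicts on NetworkMessageId
// Assumption: ConfidenceLevel is a JSON string such as {"Spam":"Low","Phish":"High"}.
| extend PhishConfidence = tostring(parse_json(ConfidenceLevel).Phish)
| extend HighRiskRelease = ThreatTypes has "Malware"
                           or (ThreatTypes has "Phish" and PhishConfidence == "High")
// One row per releasing account and day; keep the verdicts and subjects as evidence.
| summarize Releases = count(), HighRiskReleases = countif(HighRiskRelease),
            ThreatTypesSeen = make_set(ThreatTypes, 10), SampleSubjects = make_set(Subject, 5),
            SourceIPs = make_set(ReleaserIP, 5)
  by ReleasedBy, ReleaserObjectId, IsAdminOperation, Day = bin(ReleaseTime, 1d)
// Surface releases of detected malware/high-confidence phish, and any release by a non-admin.
| where HighRiskReleases > 0 or IsAdminOperation == false
| order by HighRiskReleases desc, Releases desc
```

Run it over a long enough window to establish how many releases each account normally performs before treating a non-admin or high-risk release as anomalous.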
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Group Quarantine Release Job | A legitimate scheduled job runs to release quarantined groups as part of routine maintenance or policy compliance. | `process.name != "QuarantineReleaseScheduler" or event.type != "scheduled_job"` |
| Admin Manual Group Release via EDR Console | An administrator manually releases a group from quarantine through the endpoint detection and response (EDR) console. | `user.role != "admin" or tool.name != "EDR Console"` |
| Group Quarantine Release Triggered by Anti-Malware Scan | A legitimate anti-malware scan identifies and releases a group from quarantine after confirming it is safe. | `tool.name != "MalwareScanTool" or event.category != "anti_malware"` |
| Group Quarantine Release Due to Policy Update | A policy change in the security platform automatically releases certain groups from quarantine. | `event.type != "policy_update" or tool.name != "SecurityPolicyManager"` |
| Group Quarantine Release via API Integration | A third-party system or internal automation tool triggers a group quarantine release via API integration. | `source != "internal_api" or tool.name != "QuarantineAPIIntegration"` |