Adversaries routinely deliver payloads through malicious email attachments (MITRE ATT&CK T1566, Phishing). Comparing the SHA256 hash of every inbound attachment against an external IOC feed such as abuse.ch MalwareBazaar surfaces samples that the tenant's own detections may not have flagged yet. SOC teams should run this hunt proactively in Microsoft Sentinel (formerly Azure Sentinel), using the EmailAttachmentInfo table fed by the Defender XDR connector, to identify and contain compromise vectors early.
KQL Query
// Pull the MalwareBazaar "recent" SHA256 export: one hash per line, lines starting with '#' are comments
let abuse_sha256 = (externaldata(sha256_hash: string)
[@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
with (format="txt"))
| where sha256_hash !startswith "#"
// Normalise to lowercase hex and strip stray whitespace/CR so the join key matches EmailAttachmentInfo.SHA256
| project sha256_hash = tolower(trim(@"\s+", sha256_hash));
// Default join kind (innerunique) deduplicates the left-hand hash list, so a hash listed twice in the feed
// does not duplicate attachment rows
abuse_sha256
| join (EmailAttachmentInfo
| where Timestamp > ago(1d)
) on $left.sha256_hash == $right.SHA256
| project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, ThreatTypes, DetectionMethods, NetworkMessageId, ReportId
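The following Python reproduces the query's logic offline so the feed handling and the join can be checked without a tenant. It is an added example, not code from the Sentinel repository, Defender XDR or abuse.ch: the feed excerpt, the hashes (except the well-known SHA-256 of an empty file) and the EmailAttachmentInfo-shaped records are all constructed for illustration. It goes slightly beyond the KQL in two ways a practitioner wants: it validates that each feed line is really a 64-character hex hash, and it tunes out verified-benign files by hash allowlist rather than by file extension.

```python
"""Offline reproduction of the hunting query (added example, not Sentinel code).
All feed lines, hashes and attachment records below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Two constructed hashes standing in for feed entries. The second is deliberately
# upper-case to exercise the normalisation step.
FEED_HASH_A = "0a5d9d8a3f1b2c4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e"
FEED_HASH_B = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333444455556666777788889999"
# SHA-256 of an empty file: a well-known value that is NOT in the sample feed.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed text mimicking the layout of the MalwareBazaar "recent" SHA256 export:
# '#' comment lines, then one hash per line. "not-a-hash" and the repeated hash
# show what the parser drops.
SAMPLE_FEED = f"""\
# MalwareBazaar recent SHA256 hashes (constructed sample, not real data)
# Last updated: 2024-01-01 00:00:00 UTC
#
{FEED_HASH_A}
{FEED_HASH_B}
not-a-hash
{FEED_HASH_A}
#
"""

_SHA256_LINE = re.compile(r"^[0-9a-f]{64}$")


def parse_feed(text):
    """Equivalent of the KQL externaldata step plus '!startswith "#"', with extra
    validation the query does not do: keep only well-formed, lower-cased SHA-256
    values and drop duplicates."""
    hashes = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.lower()
        if _SHA256_LINE.match(line):
            hashes.add(line)
    return hashes


NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)

# Constructed records shaped like a subset of EmailAttachmentInfo columns.
SAMPLE_ATTACHMENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "SenderFromAddress": "billing@example.net",
     "RecipientEmailAddress": "alice@example.com", "FileName": "invoice.zip",
     "FileType": "zip", "SHA256": FEED_HASH_A, "NetworkMessageId": "msg-0001"},
    {"Timestamp": NOW - timedelta(days=3), "SenderFromAddress": "billing@example.net",
     "RecipientEmailAddress": "bob@example.com", "FileName": "invoice.zip",
     "FileType": "zip", "SHA256": FEED_HASH_A, "NetworkMessageId": "msg-0002"},
    {"Timestamp": NOW - timedelta(hours=1), "SenderFromAddress": "it-admin@example.com",
     "RecipientEmailAddress": "carol@example.com", "FileName": "admin-tool.exe",
     "FileType": "exe", "SHA256": FEED_HASH_B, "NetworkMessageId": "msg-0003"},
    {"Timestamp": NOW - timedelta(minutes=30), "SenderFromAddress": "hr@example.com",
     "RecipientEmailAddress": "dave@example.com", "FileName": "empty.txt",
     "FileType": "txt", "SHA256": EMPTY_FILE_SHA256, "NetworkMessageId": "msg-0004"},
]

PROJECTED = ("Timestamp", "SenderFromAddress", "RecipientEmailAddress",
             "FileName", "FileType", "SHA256", "NetworkMessageId")


def hunt(feed_hashes, attachments, now=NOW, lookback=timedelta(days=1),
         allowlist=frozenset()):
    """Equivalent of 'where Timestamp > ago(1d)' followed by the join on SHA256.
    'allowlist' holds hashes an analyst has verified as benign: tuning is done on
    the hash (and, in practice, the sender), never by excluding file extensions."""
    cutoff = now - lookback
    hits = []
    for row in attachments:
        if row["Timestamp"] <= cutoff:
            continue
        sha = row["SHA256"].lower()  # EmailAttachmentInfo stores lowercase hex; be defensive anyway
        if sha in allowlist or sha not in feed_hashes:
            continue
        hits.append({col: row[col] for col in PROJECTED})
    return hits


def prevalence(hits):
    """Messages per matched hash, a quick triage view
    (the KQL equivalent would be 'summarize count() by SHA256')."""
    return Counter(hit["SHA256"].lower() for hit in hits)


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    matches = hunt(feed, SAMPLE_ATTACHMENTS)
    for hit in matches:
        print(hit["Timestamp"].isoformat(), hit["SenderFromAddress"], hit["FileName"], hit["SHA256"])
    print(prevalence(matches))
```

Against the constructed data, two of the four records match (the third-day-old message falls outside the one-day window and the empty file is not in the feed); adding the verified admin tool's hash to the allowlist leaves only the invoice archive, which is the behaviour the false-positive guidance further down should produce.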
id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
name: Hunt for malicious attachments using external IOC source
description: |
  This query helps hunt for emails with malicious attachments based on SHA256 hashes from an external IOC source
description-detailed: |
  This query helps hunt for emails with malicious attachments based on SHA256 hashes from an external IOC source, using Defender for Office 365 data and advanced hunting in Microsoft Defender XDR.
  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Pull the MalwareBazaar "recent" SHA256 export: one hash per line, lines starting with '#' are comments
  let abuse_sha256 = (externaldata(sha256_hash: string)
  [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
  with (format="txt"))
  | where sha256_hash !startswith "#"
  // Normalise to lowercase hex and strip stray whitespace/CR so the join key matches EmailAttachmentInfo.SHA256
  | project sha256_hash = tolower(trim(@"\s+", sha256_hash));
  // Default join kind (innerunique) deduplicates the left-hand hash list, so a hash listed twice in the feed
  // does not duplicate attachment rows
  abuse_sha256
  | join (EmailAttachmentInfo
  | where Timestamp > ago(1d)
  ) on $left.sha256_hash == $right.SHA256
  | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, ThreatTypes, DetectionMethods, NetworkMessageId, ReportId
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure the connector is enabled and this data type is selected |
Scenario: Legitimate scheduled backup job with compressed files
Description: A scheduled backup job compresses logs or system files with a tool such as 7-Zip or WinRAR and emails the archive. If the archive's SHA256 matches the feed, it is not a coincidence: SHA-256 collisions are not a practical false-positive source. Either the backup captured a file that is on MalwareBazaar, or that identical archive was uploaded there.
Filter/Exclusion: Verify the archive first. Then exclude on the backup service's sender address and, if appropriate, on the specific verified hash. Do not exclude .zip, .tar or .7z by extension; archives are a primary container for phishing payloads.
Scenario: Admin task using PowerShell to generate reports
Description: An administrator attaches a script or a generated report to an email. A match means that exact file has been submitted to MalwareBazaar, which does happen with dual-use administration tooling that attackers also carry.
Filter/Exclusion: Confirm the file is the team's own, then allowlist its SHA256 together with the admin team's sender addresses. Do not exclude .ps1 or .psm1 attachments wholesale; scripts are a common malicious attachment type.
Scenario: Automated email reporting from SIEM tool
Description: A SIEM such as Splunk or the ELK Stack sends automated .csv or .log reports by email. A freshly generated report will not share a hash with a MalwareBazaar sample unless the same file was uploaded there, so a match on such mail deserves a look rather than a blanket exclusion.
Filter/Exclusion: Filter on the SIEM's sender address instead of excluding the .csv, .log or .txt extensions.
Scenario: User-generated document export
Description: A user exports a document from Microsoft Excel or Google Sheets and emails it. A feed match indicates that the document itself, for example a template carrying a malicious macro, has been submitted as a sample; treat it as a true positive until verified.
Filter/Exclusion: Allowlist the verified hash, optionally combined with the user's email address and device information. Do not exclude .xlsx, .xls or .csv by extension, since Office documents are among the most common malicious attachment types.
Scenario: Internal tool for file sharing with embedded hash
Description: An internal file-sharing tool like Dropbox or Google Drive includes