Adversaries may be using specific delivery locations to distribute malware, leveraging geographic patterns to evade traditional detection methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential targeted campaigns and disrupt malware distribution channels.
KQL Query
```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Malware" and EmailDirection == "Inbound"
| make-series TotalMalwareDetections=count(), Quarantine=countif(DeliveryLocation == "Quarantine"), Failed=countif(DeliveryLocation == "Failed") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: cb99e25d-bcd9-435b-ad29-de08638b0f78
name: Malware Detections by delivery location
description: |
  This query visualises total emails with Malware detections over time, summarizing the data daily by Delivery Location.
description-detailed: |
  This query visualises total emails with Malware detections over time, summarizing the data daily by Delivery Location.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  | where Timestamp >= TimeStart
  | where DetectionMethods has "Malware" and EmailDirection == "Inbound"
  | make-series TotalMalwareDetections=count(), Quarantine=countif(DeliveryLocation == "Quarantine"), Failed=countif(DeliveryLocation == "Failed") default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system backup using Veeam Backup & Replication | Exclude emails sent from the backup server's IP address or filter by sender domain (e.g., backup@company.com) |
| Automated patch deployment via Microsoft Intune or Windows Server Update Services (WSUS) | Exclude emails originating from the patch management server or filter by sender email address associated with the patching tool |
| Regular log collection and analysis using Splunk or ELK Stack | Exclude emails sent from the log management server or filter by sender email address used for log forwarding |
| Internal user-generated reports using Power BI or Tableau | Exclude emails sent from internal reporting tools or filter by sender email address associated with the reporting tool |
| Automated email alerts from Microsoft Exchange or Google Workspace | Exclude emails with specific subject lines or sender domains associated with internal alerting systems (e.g., alerts@company.com) |
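One way to turn the daily series above into a hunt rather than a chart, as an added example that is not part of the original query or the Sentinel solution: it adds the Inbox/folder and Junk folder outcomes (assumed DeliveryLocation values from the EmailEvents schema), applies sender exclusions of the kind listed in the false-positive scenarios (the addresses and IP are placeholders), and flags days on which malware that reached the inbox deviates from its 30-day baseline.

```kusto
// Added example, not the original query. Assumes the EmailEvents schema values
// "Inbox/folder" and "Junk folder" for DeliveryLocation; the exclusion lists are
// placeholders to be replaced with the tenant's own known-good senders.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let ExcludedSenders = dynamic(["backup@company.com", "alerts@company.com"]); // placeholders
let ExcludedSenderIPs = dynamic(["203.0.113.10"]);                            // placeholder (TEST-NET-3)
EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Malware" and EmailDirection == "Inbound"
// Apply the false-positive exclusions before aggregating so they do not skew the baseline
| where SenderFromAddress !in (ExcludedSenders) and SenderIPv4 !in (ExcludedSenderIPs)
| make-series
    TotalMalwareDetections = count(),
    Quarantine = countif(DeliveryLocation == "Quarantine"),
    Failed     = countif(DeliveryLocation == "Failed"),
    Junk       = countif(DeliveryLocation == "Junk folder"),
    Inbox      = countif(DeliveryLocation == "Inbox/folder")
    default = 0 on Timestamp from TimeStart to TimeEnd step 1d
// Score only the Inbox series: an anomaly here is malware the filters did not stop.
// Threshold 1.5 (default), seasonality -1 = auto-detect, linear trend fit.
| extend (InboxAnomaly, InboxScore, InboxBaseline) = series_decompose_anomalies(Inbox, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime),
            TotalMalwareDetections to typeof(long),
            Quarantine to typeof(long), Failed to typeof(long),
            Junk to typeof(long), Inbox to typeof(long),
            InboxAnomaly to typeof(int), InboxScore to typeof(double), InboxBaseline to typeof(double)
// Share of the day's malware that landed in a user's inbox (exposure, not just volume)
| extend InboxShare = iff(TotalMalwareDetections > 0, round(100.0 * Inbox / TotalMalwareDetections, 1), 0.0)
| where InboxAnomaly == 1   // positive anomaly only: more inbox-delivered malware than expected
| project Timestamp, TotalMalwareDetections, Quarantine, Failed, Junk, Inbox, InboxShare, InboxScore, InboxBaseline
| order by Timestamp asc
```

Each returned row is a day worth pivoting on: drop the `where InboxAnomaly == 1` line and add `| render timechart` to see all five series with the baseline, or join the flagged days back to EmailEvents on Timestamp to list the individual messages.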