Adversaries may use malware that evades traditional detection technologies, allowing them to persist undetected in the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential advanced threats that bypass standard malware detection controls.
KQL Query
EmailEvents
| where DetectionMethods has 'Malware'
| project Timestamp, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) | summarize count() by Malware=tostring(column_ifexists('Malware', ''))
| sort by count_ desc
| render piechart
id: 642057a3-e5af-46ce-a5f4-8968a5537dba
name: Malware Detections by Detection technology
description: |
This query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls.
description-detailed: |
This query visualises total emails with Malware detections summarizing the data by various Malware detection technologies/controls in Microsoft Defender for Office 365.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods has 'Malware'
| project Timestamp, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) | summarize count() by Malware=tostring(column_ifexists('Malware', ''))
| sort by count_ desc
| render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: A scheduled system update job triggers a malware detection due to the inclusion of signed malware signatures in the antivirus database.
Filter/Exclusion: Exclude events where the detection is triggered by scheduled system updates or known safe payloads (e.g., process.name = "WindowsUpdate.exe" or file.hash = "known_update_signature").
Scenario: An administrator manually runs a malware scan using Microsoft Defender to test the environment, resulting in a false positive detection.
Filter/Exclusion: Exclude events where the source is a known admin task or scheduled scan (e.g., process.name = "MsMpEng.exe" and process.command_line LIKE '%ScanType=Full%').
Scenario: A legitimate CrowdStrike Falcon sensor performs a policy update, which temporarily triggers a malware detection due to signature updates.
Filter/Exclusion: Exclude events where the process is associated with a known sensor update (e.g., process.name = "falcon-sensor.exe" and process.command_line LIKE '%update%').
Scenario: A Snort rule update includes a new signature that falsely matches a legitimate file, causing a detection in the email gateway.
Filter/Exclusion: Exclude events where the detection is related to a recent Snort rule update (e.g., detection_technology = "Snort" and timestamp > [last_rule_update_time]).
Scenario: A Microsoft ATP (Advanced Threat Protection) rule incorrectly flags a legitimate PowerShell script used for routine system administration.
Filter/Exclusion: Exclude events where the process is associated with known admin tools (e.g., process.name = "powershell.exe" and process.command_line LIKE '%-Command%' or user = "admin_account")