The hypothesis is that the detection identifies potential Qakbot malware activity leveraging Outlook for credential theft, indicating an adversary is compromising financial systems to exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage Qakbot campaigns before they escalate to ransomware or data breaches.
KQL Query
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName,
InitiatingProcessCommandLine, DeviceId, Timestamp
id: 221ba640-3727-4b48-b30c-f5bb7398be7b
name: qakbot-campaign-outlook
description: |
This query was originally published in the threat analytics report, Qakbot blight lingers, seeds ransomware
Qakbot is malware that steals login credentials from banking and financial services. It has been deployed against small businesses as well as major corporations. Some outbreaks have involved targeted ransomware campaigns that use a similar set of techniques. Links to related queries are listed under See also.
The following query detects attempts to access files in the local path that contain Outlook emails.
Reference - https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
tactics:
- Discovery
query: |
DeviceFileEvents
| where FolderPath hasprefix "EmailStorage"
| where FolderPath has "Outlook"
| project FileName, FolderPath, InitiatingProcessFileName,
InitiatingProcessCommandLine, DeviceId, Timestamp
| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled Outlook Data Backup Job
Description: A legitimate scheduled task runs a script to back up Outlook data, which may trigger the rule due to the presence of Outlook-related artifacts.
Filter/Exclusion: Exclude processes associated with Backup or DataBackup tasks, or filter by ProcessName = "Outlook.exe" and check for CommandLine containing backup or restore.
Scenario: Admin Performing Email Forensics with Outlook
Description: A security admin uses Outlook to investigate suspicious emails or analyze email headers, which may be flagged due to the presence of email-related activities.
Filter/Exclusion: Exclude processes initiated by users with the SecurityAdmin or DomainAdmin group, or filter by User field to exclude known admin accounts.
Scenario: Automated Email Archiving Tool Using Outlook
Description: A third-party email archiving tool (e.g., Mimecast, Symantec Enterprise Vault) uses Outlook to archive emails, which may trigger the rule due to Outlook process activity.
Filter/Exclusion: Exclude processes with ProcessName matching the archiving tool’s executable (e.g., EnterpriseVault.exe) or filter by Product field to exclude known archiving tools.
Scenario: System Maintenance Task Using Outlook for Reporting
Description: A system maintenance script or job uses Outlook to send reports or notifications, which may be flagged due to Outlook process activity.
Filter/Exclusion: Exclude tasks with CommandLine containing report, notification, or send, or filter by ProcessName to exclude known maintenance tools.
Scenario: User Accessing Outlook for Email Communication
Description: A regular user accesses Outlook for normal email communication, which may trigger the rule due to the presence of Outlook-related activities.
*Filter