Adversaries may use spam emails to deliver malicious payloads, and inbound emails that are quarantined with a spam detection method indicate potential phishing or malware distribution attempts. SOC teams should proactively hunt for this behavior to identify and mitigate targeted campaigns that bypass traditional email security defenses.
KQL Query
EmailEvents
| where EmailDirection == "Inbound" and DetectionMethods has 'Spam' and DeliveryLocation == "Quarantine"
| project DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT)
| summarize count() by Spam=tostring(column_ifexists('Spam', ''))
| render piechart
id: 35b21933-9d3e-4919-b545-2ada20d26e8e
name: Quarantine Spam Reason
description: |
  This query visualises the total number of spam emails that are quarantined, summarized by the detection method.
description-detailed: |
  This query visualises the total number of spam emails that are quarantined, summarized by the detection method.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound" and DetectionMethods has 'Spam' and DeliveryLocation == "Quarantine"
  | project DT=parse_json(DetectionMethods)
  | evaluate bag_unpack(DT)
  | summarize count() by Spam=tostring(column_ifexists('Spam', ''))
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled email archiving job moves legitimate emails to quarantine | Exclude emails sent by the email archiving tool (e.g., Microsoft Exchange Archiving or Symantec Enterprise Vault) or filter by source IP of the archiving server. |
| System administrator manually quarantines emails during a security incident response | Exclude emails where the sender is a system admin account (e.g., admin@company.com) or filter by the user who initiated the quarantine action. |
| Email encryption tool temporarily quarantines emails during decryption process | Exclude emails associated with the email encryption tool (e.g., Microsoft Information Protection or Cisco Email Encryption) or filter by the encryption service’s quarantine label. |
| Email gateway performs a legitimate quarantine of emails flagged by a false positive content filter | Exclude emails from known email gateways (e.g., Cisco IronPort, Proofpoint) or filter by the content filter rule name that caused the quarantine. |
| Automated email classification tool misclassifies legitimate emails as spam and quarantines them | Exclude emails flagged by a specific classification tool (e.g., Google Workspace for Education, Microsoft Exchange Online Protection) or filter by the classification rule name. |
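As an added example, not part of the original hunting query or the Sentinel solution, the following variant applies the sender-address and source-IP exclusions described above and counts each spam detection method separately instead of grouping by the serialized array. It assumes DetectionMethods is a JSON object keyed by verdict (e.g. Spam) whose value is an array of method names; the excluded addresses and IP are constructed placeholders to be replaced with your archiving, admin and gateway senders.

```kql
// Allowlists for the false-positive sources described above (constructed placeholder values)
let ExcludedSenders = datatable(SenderFromAddress: string) [
    "archive@contoso.example",   // mailbox used by the email archiving tool
    "admin@contoso.example"      // admin account quarantining mail during IR
];
let ExcludedSenderIPs = datatable(SenderIPv4: string) [
    "203.0.113.10"               // archiving server / email gateway (RFC 5737 test address)
];
EmailEvents
| where EmailDirection == "Inbound"
    and DeliveryLocation == "Quarantine"
    and DetectionMethods has "Spam"
// Drop known-benign senders and infrastructure before counting
| where SenderFromAddress !in (ExcludedSenders)
| where SenderIPv4 !in (ExcludedSenderIPs)
// Pull the array of spam detection methods out of the JSON verdict object
| extend SpamMethods = parse_json(DetectionMethods).Spam
// One row per detection method, so a message flagged by two methods counts under both
| mv-expand SpamMethod = SpamMethods to typeof(string)
| summarize Emails = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Senders = dcount(SenderFromAddress)
    by SpamMethod
| order by Emails desc
```

A sudden rise in Emails for one SpamMethod with a low Senders count points at a single campaign rather than background spam, which is the case worth pivoting on by NetworkMessageId.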