Adversaries may use spam email to deliver malicious payloads, and a campaign often shows up first as a change in what the spam filter quarantines: a spike in one detection method, or a drop when a new lure stops matching the filter that used to catch it. SOC teams should review this trend regularly in Microsoft Sentinel (formerly Azure Sentinel) to spot phishing or malware distribution campaigns early and to notice filter regressions before unfiltered mail reaches users.
KQL Query
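// Daily trend of quarantined spam, split by the Defender for Office 365 spam
// detection method recorded in EmailEvents.DetectionMethods.Spam.
// Output: one series per method with the columns Count, Details, Timestamp.
// The window is the last 30 full days: TimeEnd is the start of today, so the
// current (partial) day is deliberately left off the right edge of the chart
// instead of showing up as a misleading dip.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Spam sub-verdicts that get their own series. A message carrying several of
// them is counted once per matching series. Values not listed here are dropped
// silently, so extend the list if new method names appear in the data.
// Matching is exact; the previous per-method 'has' term match would also have
// accepted values that merely contain one of these phrases.
let SpamMethods = dynamic([
    "Advanced filter",
    "General filter",
    "BulkFilter",
    "Mixed analysis detection",
    "Fingerprint matching",
    "URL malicious reputation",
    "Domain reputation",
    "IP reputation"
]);
EmailEvents
| where Timestamp >= TimeStart and Timestamp < TimeEnd
| where DeliveryLocation == "Quarantine"
// Read the Spam array straight from the parsed JSON rather than a term match on
// the raw string ('DetectionMethods has "Spam"'), which would also hit the word
// "Spam" inside a value stored under a different key, and rather than
// bag_unpack, whose output columns depend on which keys are present in the data.
| extend SpamVerdicts = parse_json(DetectionMethods).Spam
| where isnotnull(SpamVerdicts)
| mv-expand Details = SpamVerdicts to typeof(string)
| where Details in (SpamMethods)
// One series per method. A method with no hits in the window produces no row
// (and no legend entry) rather than an all-zero series.
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Details
| project Count, Details, Timestamp
| render timechart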
id: 014ffc5c-0ba5-49f9-989c-3833e0d1c2b8
name: Quarantine Spam Reason trend
description: |
This query visualises the number of spam emails quarantined by Defender for Office 365, summarised per day by the spam detection method that flagged them
description-detailed: |
This query visualises the number of spam emails quarantined by Defender for Office 365, summarised per day by the spam detection method that flagged them, over the last 30 full days (the current, partial day is excluded so the right edge of the chart does not dip).
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Spam" and DeliveryLocation == "Quarantine";
let timerange =
baseQuery
| summarize minTime = min(Timestamp), maxTime = max(Timestamp);
let ml=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Advanced filter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Advanced filter";
let gf=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'General filter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "General filter";
let bl=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'BulkFilter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "BulkFilter";
let mx=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Mixed analysis detection'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Mixed analysis detection";
let frp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Fingerprint matching'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Fingerprint matching";
let umr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'URL malicious reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL malicious reputation";
let dr=baseQuery
| project Timestamp,RecipientEma
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft 365 Defender / Defender XDR connector (connectorId `MicrosoftThreatProtection`); ensure the connector is enabled and the EmailEvents data type is selected |
Scenario: Automated reports or digests sent by a mail security product (e.g., a Cisco Secure Email Gateway daily quarantine report) are themselves classified as spam and quarantined by Defender for Office 365, adding a small, steady daily baseline to the chart.
Filter/Exclusion: Exclude the product's known sending address with a `where` clause on the sender column before `make-series`. Note that mail the gateway quarantined on its own side never reaches EmailEvents and does not affect this trend.
Scenario: Messages held for compliance or legal reasons (e.g., an Exchange Online litigation hold or a mailbox export/archive job) are sometimes expected to show up here, but those processes are not expected to write a spam verdict to DetectionMethods or set DeliveryLocation to Quarantine.
Filter/Exclusion: None needed. The query requires both a Spam detection method and a Quarantine delivery location, so only messages the spam filter itself quarantined are counted.
Scenario: An administrator manually moves already-delivered messages to quarantine (e.g., a Defender for Office 365 purge action, or a separate tool such as Symantec Endpoint Protection) during incident response.
Filter/Exclusion: Such post-delivery actions do not change the original delivery verdict recorded in EmailEvents and are not expected to appear in this trend. If a spike coincides with an incident, correlate it with the ticket and the campaign's sender rather than excluding the day.
Scenario: A legitimate bulk sender (a newsletter platform, or an education tenant such as Google Workspace for Education mailing many recipients at once) triggers a burst of BulkFilter or General filter verdicts, producing a one-day spike in a single series.
Filter/Exclusion: Once the sender has been verified, exclude its domain with a `where` clause before `make-series`, or add it to the tenant's anti-spam allow list so the verdict itself changes instead of being hidden in the report.
Scenario: A change in the tenant's Defender for Office 365 anti-spam policy, or an update to the spam engine, raises or lowers the daily count for one method across the whole tenant, which appears as a step change in a single series rather than a short burst.
Filter/Exclusion: Compare the date the step begins with the anti-spam policy change history; a tenant-wide step that lines up with a policy or engine change is not a campaign. Endpoint and firewall products (e.g., CrowdStrike, Palo Alto Networks) do not write spam verdicts to EmailEvents, so their rule updates cannot produce false positives in this chart.