Adversaries may use Safe Attachments to bypass email security controls and exfiltrate data, leveraging this technique to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts and mitigate advanced persistent threats.
KQL Query
EmailEvents
| where DetectionMethods != ""
| extend detection= tostring(parse_json(DetectionMethods).Phish)
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
id: 16eda414-1550-4cdc-8512-0769901d3f05
name: Safe Attachments detections
description: |
This query provides insights on the detections done by Safe Attachment detections
description-detailed: |
This query provides insights on the detections done by Safe Attachment detections.
Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where DetectionMethods != ""
| extend detection= tostring(parse_json(DetectionMethods).Phish)
| where detection has "File detonation reputation" or detection has "File detonation"
| summarize total=count() by bin(Timestamp, 1d)
| order by Timestamp asc
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job with Encrypted Files
Description: A scheduled backup job compresses and encrypts files using tools like Veeam Backup & Replication or Commvault, which may trigger Safe Attachments due to the presence of encrypted content.
Filter/Exclusion: Exclude files with known encryption headers (e.g., .7z, .zip, .tar.gz) or use a filter based on the source IP of the backup server.
Scenario: Admin Task to Send Secure Email
Description: An admin sends a secure email using Microsoft Exchange Online with Safe Attachments enabled, which may flag the email as a detection due to the use of encrypted or sanitized attachments.
Filter/Exclusion: Exclude emails sent from admin accounts (e.g., admin@domain.com) or use a sender IP filter to exclude internal mail servers.
Scenario: Automated Report Generation with Encrypted Attachments
Description: A Power BI or Power Automate job generates a report with an encrypted attachment (e.g., using 7-Zip or WinRAR) and sends it via email, triggering Safe Attachments.
Filter/Exclusion: Exclude attachments with specific file extensions (e.g., .7z, .zip) or use a file content signature to identify known encryption tools.
Scenario: User-Initiated File Sharing via SharePoint
Description: A user shares a file via Microsoft SharePoint that contains encrypted content, which may be flagged by Safe Attachments during content scanning.
Filter/Exclusion: Exclude files uploaded from internal SharePoint sites or use a file type filter to exclude known encrypted file formats.
Scenario: System Log File with Base64 Encoded Data
Description: A system log file (e.g.,