Adversaries may take advantage of zero-hour auto purge (ZAP) to obfuscate command and control communications: a malicious URL embedded in an email is clicked by the recipient, and the message is then purged quickly. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential exfiltration or C2 activity that evades traditional detection methods.
KQL Query

```kusto
// ZAP alerts from the last 7 days, tied to the purged mail message and to any recorded clicks on its URL
AlertInfo
| where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago(7d)
| join kind=inner (AlertEvidence | where EntityType == "MailMessage") on AlertId
| join kind=inner UrlClickEvents on NetworkMessageId
```
```yaml
id: efe27064-6d35-4720-b7f5-e0326695613d
name: URL click on ZAP email
description: |
  In this query, we are looking for URL clicks on emails which get actioned by zero-hour auto purge (ZAP).
description-detailed: |
  In this query, we are looking for URL clicks on emails which get actioned by zero-hour auto purge (ZAP) in Defender for Office 365.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
      - AlertInfo
      - AlertEvidence
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  AlertInfo
  | where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago(7d)
  | join kind=inner (AlertEvidence | where EntityType == "MailMessage") on AlertId
  | join kind=inner UrlClickEvents on NetworkMessageId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| AlertEvidence | Ensure this data connector is enabled |
| UrlClickEvents | Ensure this data connector is enabled |
**Scenario:** A system administrator clicks on a URL in an internal email to access a documentation portal (e.g., Confluence or SharePoint) to troubleshoot an issue.
**Filter/Exclusion:** Exclude URLs that match internal documentation domains (e.g., *.confluence.example.com, *.sharepoint.example.com) or use a filter like `url contains "internal-docs"`.

**Scenario:** A scheduled job (e.g., Jenkins CI/CD pipeline) sends an email notification with a URL to a secure artifact repository (e.g., Nexus or Artifactory) and the job automatically clicks the link to fetch a dependency.
**Filter/Exclusion:** Exclude URLs that match known CI/CD artifact repositories or use a filter like `url contains "nexus.example.com" or url contains "artifactory.example.com"`.

**Scenario:** An email from the IT helpdesk includes a link to a password reset portal (e.g., Okta or Microsoft Azure AD) and an employee clicks the link to reset their password.
**Filter/Exclusion:** Exclude URLs that match known identity management portals (e.g., *.okta.com, *.azure.com) or use a filter like `url contains "password-reset"`.

**Scenario:** A user receives an email from the company's internal ticketing system (e.g., Jira or ServiceNow) with a link to a support article, and clicks the link to access the resource.
**Filter/Exclusion:** Exclude URLs that match internal ticketing system domains (e.g., *.jira.example.com, *.servicenow.example.com) or use a filter like `url contains "support-article"`.

**Scenario:** A system administrator clicks on a URL in an email sent by the zero-hour auto purge tool itself, which contains a link to a configuration page or documentation.
**Filter/Exclusion:**
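The following is an added example, not the hunting query shipped on this page: it takes the ZAP-click hunt above and folds in the false-positive exclusions from the scenarios as a maintainable allow-list, then projects the columns an analyst needs for triage (who clicked, whether they clicked through a warning, and how far the click sits from the alert). Every host name and path fragment in the allow-list is a placeholder to replace with your own domains; `EmailSubject` on AlertEvidence and the UrlClickEvents columns (`Url`, `AccountUpn`, `ActionType`, `IsClickedThrough`, `Workload`) are the Defender XDR schema names and are assumed to be available through the MicrosoftThreatProtection connector.

```kusto
// Added example: ZAP-click hunt with the scenario exclusions applied.
// Not part of the original query. All hosts and path fragments below are
// placeholders; replace them with your own allow-list.
let lookback = 7d;
// Placeholder allow-list: a URL is treated as benign if its host equals one of
// these entries or is a subdomain of it (covers the "*.example.com" cases).
let knownGoodHosts = dynamic([
    "confluence.example.com", "sharepoint.example.com",   // documentation portals
    "nexus.example.com", "artifactory.example.com",       // CI/CD artifact repositories
    "okta.com", "login.microsoftonline.com",              // identity / password-reset portals
    "jira.example.com", "servicenow.example.com"          // ticketing systems
]);
// Placeholder path fragments the scenarios treat as benign. has_any is
// term-based, so "internal-docs" matches the adjacent terms "internal" "docs";
// use contains per fragment if you need an exact substring match.
let knownGoodPathFragments = dynamic(["internal-docs", "password-reset", "support-article"]);
AlertInfo
| where Timestamp > ago(lookback)
| where Title contains "Email messages containing malicious URL removed after delivery"
| project AlertId, AlertTimestamp = Timestamp, Severity
// Tie each ZAP alert to the purged message so we can reach its NetworkMessageId
| join kind=inner (
    AlertEvidence
    | where EntityType == "MailMessage"
    | project AlertId, NetworkMessageId, EmailSubject
  ) on AlertId
// Any recorded clicks on URLs from that message, restricted to the same lookback
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | project ClickTimestamp = Timestamp, NetworkMessageId, Url, AccountUpn,
              ActionType, IsClickedThrough, Workload
  ) on NetworkMessageId
| extend UrlHost = tolower(tostring(parse_url(Url).Host))
// Compare the host against every allow-list entry; KnownGoodHits > 0 means it is allow-listed
| mv-apply allowHost = knownGoodHosts to typeof(string) on (
    summarize KnownGoodHits = countif(UrlHost == allowHost or UrlHost endswith strcat(".", allowHost))
  )
| where KnownGoodHits == 0
| where not(Url has_any (knownGoodPathFragments))
// Positive delta = the user clicked before the ZAP alert fired, which is the window this hunt cares about
| extend ClickToAlertDelta = AlertTimestamp - ClickTimestamp
| project AlertTimestamp, ClickTimestamp, ClickToAlertDelta, Severity, AccountUpn, EmailSubject,
          Url, UrlHost, ActionType, IsClickedThrough, Workload, NetworkMessageId, AlertId
| order by ClickTimestamp desc
```

Both joins are `kind=inner` on purpose: the default `innerunique` keeps only one left-side row per key, which can silently drop one of several alerts that reference the same message. Rows where `IsClickedThrough` is true (the user bypassed the Safe Links warning) and where `ClickToAlertDelta` is positive are the ones to triage first, since they are clicks on a URL that Defender later judged malicious enough to purge.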