A malicious insider may be exfiltrating sensitive data by creating and emailing compressed archives to a competitor. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data breaches and insider threats early.
KQL Query

```kql
// Outbound mail to a "competitor" recipient that carries at least one attachment
EmailEvents
| where RecipientEmailAddress contains "competitor"
    and AttachmentCount >= 1
// Attach the per-attachment metadata (file name, hash) for each message
| join (
    EmailAttachmentInfo
    //| where isnotempty(SHA256)
) on NetworkMessageId
// Correlate with files written on endpoints by archiving / encryption tools
| join (
    DeviceFileEvents
    | where InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
    | project FileName, SHA256
) on FileName
```
```yaml
id: 8baad907-3b15-4f26-be09-dbba3d32fc3f
name: detect-archive-exfiltration-to-competitor
description: |
  This query can be used to detect instances of a malicious insider creating a file archive and then emailing that archive to an external "competitor" organization.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailAttachmentInfo
      - DeviceFileEvents
tactics:
  - Exfiltration
query: |
  // Outbound mail to a "competitor" recipient that carries at least one attachment
  EmailEvents
  | where RecipientEmailAddress contains "competitor"
      and AttachmentCount >= 1
  // Attach the per-attachment metadata (file name, hash) for each message
  | join (
      EmailAttachmentInfo
      //| where isnotempty(SHA256)
  ) on NetworkMessageId
  // Correlate with files written on endpoints by archiving / encryption tools
  | join (
      DeviceFileEvents
      | where InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
      | project FileName, SHA256
  ) on FileName
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| EmailAttachmentInfo | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backup Job Creating Archive
Description: A legitimate scheduled backup job (e.g., using Veeam, Commvault, or Acronis) creates an archive of production data as part of routine operations.
Filter/Exclusion: Check for known backup tools or scheduled tasks with timestamps matching backup windows. Use process.parent_process or process.command_line to identify backup software.
Scenario: Admin Performing System Audit
Description: A system administrator uses PowerShell or rsync to archive logs or configuration files for audit purposes and sends the archive to an internal or external email address.
Filter/Exclusion: Filter by user (e.g., user.name = "admin") or check for known administrative tools in the command line. Use process.name to identify PowerShell or rsync processes.
Scenario: Emailing Archive to External Partner
Description: A legitimate business process involves sending an archive (e.g., ZIP, RAR) to an external partner or vendor via Microsoft Outlook or SendGrid.
Filter/Exclusion: Use destination_ip or email.to to filter known external partner domains. Check for email.subject or email.body containing business-related terms.
Scenario: Automated Compliance Reporting
Description: A compliance tool (e.g., Splunk, LogRhythm) generates a report, archives it, and emails it to a compliance officer or external auditor.
Filter/Exclusion: Filter by process name or user associated with the compliance tool. Use process.name to identify Splunk or LogRhythm processes.
Scenario: User Archiving Files for Collaboration
Description: A user archives files (e.g., using 7-Zip, WinRAR) and shares the archive via email
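The correlation the query performs, as an added offline Python model that is not Sentinel code and not from the page: constructed sample rows for the three tables, the endpoint join keyed on SHA256 rather than FileName (the commented-out `isnotempty(SHA256)` line hints at that, and the `key` argument lets you compare both), and the partner-domain exclusion from the false-positive scenarios above. Users, hosts, hashes and message ids are hypothetical.

```python
from collections import defaultdict

# Archiving / encryption tools the page's KQL looks for in InitiatingProcessFileName.
ARCHIVERS = {"7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe",
             "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe",
             "WinRAR.exe", "WinZip.exe"}

# Constructed sample rows mirroring the three Sentinel tables (hypothetical
# recipients, hosts, hashes and message ids).
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "bob@competitor.example", "AttachmentCount": 1},
    {"NetworkMessageId": "m2", "RecipientEmailAddress": "dave@partner-competitor.example", "AttachmentCount": 1},
    {"NetworkMessageId": "m3", "RecipientEmailAddress": "frank@competitor.example", "AttachmentCount": 0},
]
EMAIL_ATTACHMENT_INFO = [
    {"NetworkMessageId": "m1", "FileName": "q3-roadmap.7z", "SHA256": "aaa111"},
    {"NetworkMessageId": "m2", "FileName": "contract.zip", "SHA256": "bbb222"},
]
DEVICE_FILE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "7zG.exe", "FileName": "q3-roadmap.7z", "SHA256": "aaa111"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "WinRAR.exe", "FileName": "contract.zip", "SHA256": "bbb222"},
    # Same file name, different content: a FileName join wrongly ties this host to m2.
    {"DeviceName": "ws03", "InitiatingProcessFileName": "WinZip.exe", "FileName": "contract.zip", "SHA256": "ccc333"},
]

def hunt(emails, attachments, file_events, key="SHA256", allowed_domains=()):
    """Correlate outbound 'competitor' emails with archiver-created files.
    key is the endpoint join column (SHA256 here; the page's query uses FileName).
    allowed_domains holds known partner domains to exclude, as the page's
    false-positive guidance suggests. Returns (NetworkMessageId, DeviceName)."""
    # DeviceFileEvents restricted to archiver/encryption tools, indexed by key
    archived = defaultdict(list)
    for ev in file_events:
        if ev["InitiatingProcessFileName"] in ARCHIVERS:
            archived[ev[key]].append(ev["DeviceName"])
    # EmailAttachmentInfo indexed by NetworkMessageId (the first join)
    att_by_msg = defaultdict(list)
    for att in attachments:
        att_by_msg[att["NetworkMessageId"]].append(att)
    hits = []
    for mail in emails:
        rcpt = mail["RecipientEmailAddress"]
        if "competitor" not in rcpt or mail["AttachmentCount"] < 1:
            continue
        if rcpt.rsplit("@", 1)[-1].lower() in allowed_domains:
            continue  # known partner domain: tuned out rather than alerted on
        for att in att_by_msg[mail["NetworkMessageId"]]:
            for device in archived.get(att[key], []):
                hits.append((mail["NetworkMessageId"], device))
    return hits
```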