Adversaries may use unmanaged devices to access and execute malware embedded in emails, leveraging these devices to bypass traditional endpoint protections. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement and exfiltration attempts from unmanaged devices.
KQL Query
EmailPostDeliveryEvents
| where ActionType == "Malware ZAP"
| project NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,ZAPReportId=ReportId,ZAPTimestamp=Timestamp
| join (CloudAppEvents | where ActionType == "MailItemsAccessed"
| extend RawEvent=parse_json(RawEventData)
| mv-expand RawEvent.Folders
| mv-expand RawEvent_Folders.FolderItems
| project SessionId=tostring(RawEvent.SessionId),InternetMessageId=tostring(parse_json(RawEvent_Folders_FolderItems).InternetMessageId),ActionTimestamp=Timestamp,ActionReportId=ReportId
) on InternetMessageId
| where isnotempty(SessionId)
| join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
name: Email containing malware accessed on a unmanaged device
description: |
In this query, we are looking for emails containing malware accessed on a unmanaged device
description-detailed: |
In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailPostDeliveryEvents
- CloudAppEvents
- AADSignInEventsBeta
tactics:
- Execution
relevantTechniques:
- T1204
query: |
EmailPostDeliveryEvents
| where ActionType == "Malware ZAP"
| project NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,ZAPReportId=ReportId,ZAPTimestamp=Timestamp
| join (CloudAppEvents | where ActionType == "MailItemsAccessed"
| extend RawEvent=parse_json(RawEventData)
| mv-expand RawEvent.Folders
| mv-expand RawEvent_Folders.FolderItems
| project SessionId=tostring(RawEvent.SessionId),InternetMessageId=tostring(parse_json(RawEvent_Folders_FolderItems).InternetMessageId),ActionTimestamp=Timestamp,ActionReportId=ReportId
) on InternetMessageId
| where isnotempty(SessionId)
| join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
| project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
version: 1.0.0| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job Using a Third-Party Tool
Description: A scheduled backup job using a tool like Veeam or Commvault may include scripts or attachments that are flagged as potential malware.
Filter/Exclusion: Exclude emails sent from known backup systems or include a filter for sender_email = "[email protected]" and check for subject contains "Backup Job".
Scenario: Admin Task to Deploy a Patch via Email
Description: An administrator may send an email with a patch file (e.g., from Microsoft Update or WSUS) to a group of users, which could be flagged as a potential malware attachment.
Filter/Exclusion: Exclude emails sent from admin accounts (e.g., sender_email contains "admin"), or include a filter for subject contains "Patch Deployment" and attachment_name contains "update".
Scenario: User Accessing a Shared File via Email with a Script
Description: A user may receive an email with a script (e.g., a PowerShell or Python script) that is used to access a shared file on a unmanaged device, such as a personal laptop.
Filter/Exclusion: Exclude emails containing known safe scripts (e.g., attachment_name contains "script_v1.0.ps1"), or filter by sender_email in ["[email protected]"].
Scenario: Email with a Legitimate Executable for a Business Tool
Description: A user may receive an email with an executable (e.g., from Dell SupportAssist or LogMeIn) that is used to manage a device, which could be flagged as malware.
Filter/Exclusion: Exclude emails from known vendor domains (e.g., sender_email contains "[email protected]"),