The hypothesis is that an adversary is delivering malware through a phishing email: the user opens the link from Outlook, the browser downloads an executable, and the user clicks through the SmartScreen warning so the unknown binary runs. Because the SmartScreen prompt is the last control before execution, a warning that was overridden within minutes of an email link and a browser download is a strong lead. SOC teams can hunt for this chain in Microsoft Sentinel (formerly Azure Sentinel) using the Defender for Endpoint device tables (DeviceEvents and DeviceFileEvents) delivered by the Microsoft 365 Defender connector, and catch the delivery stage before lateral movement or data exfiltration.
KQL Query

```kusto
let smartscreenAppWarnings =
    // Query for SmartScreen warnings of unknown executed applications
    DeviceEvents
    | where ActionType == "SmartScreenAppWarning"
    | project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1,
              ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
    // Select only warnings that the user has decided to ignore and has executed the app.
    | join kind=leftsemi (
        DeviceEvents
        | where ActionType == "SmartScreenUserOverride"
        | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
      on DeviceName, ActivityId
    | project-away ActivityId;
// Query for links opened from outlook, that are close in time to a SmartScreen warning
let emailLinksNearSmartScreenWarnings =
    DeviceEvents
    | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
    // Safe Links rewrites the real target into the "url" query parameter; unwrap it so MailLink is the original destination
    | extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
    | project DeviceName, MailLinkTime=Timestamp,
              MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
    | join kind=inner smartscreenAppWarnings on DeviceName
    | where (WarnTime-MailLinkTime) between (0min..4min);
// Add the browser download event to tie in all the dots
DeviceFileEvents
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
| project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
| join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
// Download must follow the link open within 3 minutes, and the warning must follow the download within 1 minute
| where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
| project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, DeviceName, SHA1, WarnedSHA1, Timestamp
| distinct *
```
```yaml
id: b29c75ca-a110-4c58-8d0b-6afac6d61078
name: Email link + download + SmartScreen warning
description: |
  Look for links opened from outlook.exe, followed by a browser download and then a SmartScreen app warning that was ignored by the user.
  Read more about these events and this hunting approach in this post: https://techcommunity.microsoft.com/t5/forums/editpage/board-id/WDATPActor/message-id/34.
  Data availability: SmartScreen events are available only on Windows 10 version 1703 and onwards.
  Tags: #EmailLink, #BrowserDownload, #SmartScreen.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
      - DeviceFileEvents
query: |
  let smartscreenAppWarnings =
  // Query for SmartScreen warnings of unknown executed applications
  DeviceEvents
  | where ActionType == "SmartScreenAppWarning"
  | project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
  // Select only warnings that the user has decided to ignore and has executed the app.
  | join kind=leftsemi (
  DeviceEvents
  | where ActionType == "SmartScreenUserOverride"
  | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
  on DeviceName, ActivityId
  | project-away ActivityId;
  // Query for links opened from outlook, that are close in time to a SmartScreen warning
  let emailLinksNearSmartScreenWarnings =
  DeviceEvents
  | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
  | extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
  | project DeviceName, MailLinkTime=Timestamp,
  MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
  | join kind=inner smartscreenAppWarnings on DeviceName | where (WarnTime-MailLinkTime) between (0min..4min);
  // Add the browser download event to tie in all the dots
  DeviceFileEvents
  | where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "browser_broker.exe")
  | project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
  | join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
  | where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
  | project FileName, MailLink, FileOriginUrl, FileOriginReferrerUrl, WarnedFileName, DeviceName, SHA1, WarnedSHA1, Timestamp
  | distinct *
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the Microsoft 365 Defender connector; ensure it is enabled and that devices are onboarded to Defender for Endpoint |
| DeviceFileEvents | Populated by the Microsoft 365 Defender connector; ensure it is enabled |
Scenario: User opens a legitimate email link from Outlook, then downloads a software update via the browser and clicks through the SmartScreen warning.
Filter/Exclusion: Exclude on the download origin only, i.e. where the FileOriginUrl host is a known enterprise update server (e.g., *.update.microsoft.com, *.download.microsoft.com). Do not exclude because the overriding user has admin privileges: an administrator clicking through SmartScreen is a higher-impact event, not a lower-risk one.
Scenario: A system administrator receives a link to a script in an internal repository by email, opens it from Outlook, downloads it and clicks through SmartScreen.
Filter/Exclusion: Exclude where the FileOriginUrl host is a trusted internal repository (e.g., internal-repo.company.com). The tables used here carry no sender address, so a sender-based exclusion cannot be expressed in this query; if one is needed, correlate the MailLink with EmailUrlInfo/EmailEvents in a separate step.
Scenario: The IT team distributes a software package by emailing a link to an internal distribution point, and the installer triggers a SmartScreen warning that is overridden.
Filter/Exclusion: Exclude where the FileOriginUrl host is the trusted internal distribution point and, preferably, where the downloaded SHA1 matches a known-good package hash. Software pushed by Microsoft Endpoint Configuration Manager is fetched by the client agent rather than through a browser, so it does not match this query in the first place.
Scenario: User receives a phishing email with a legitimate-looking link, opens it from Outlook, downloads a file hosted on a file-sharing service (e.g., Google Drive, OneDrive) and clicks through SmartScreen.
Filter/Exclusion: This is exactly the chain the query is built to catch; do not exclude it. File-sharing hosts such as drive.google.com are routinely abused for payload delivery, so keep them in scope and, if volume is a problem, surface them as a flag on the result rather than dropping them.
Scenario: A developer opens a link from an email in a client other than Outlook (for example from Visual Studio Code), then downloads a dependency via the browser and clicks through SmartScreen.
Filter/Exclusion: The link-open event is filtered on InitiatingProcessFileName =~ "outlook.exe", so this chain does not match. If the developer did use Outlook, exclude on the download origin (a known internal package feed) rather than on a sender address such as `[email protected]
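The scenarios above all come down to tuning on the download origin and the file hash, which are the only fields the query returns that can carry an allow-list. The following is an added example of that tuning, not part of the original query or of Microsoft's published content: it restates the three statements of the query, adds msedge.exe to the browser list (Chromium-based Edge downloads through msedge.exe, while browser_broker.exe only covers legacy Edge), and then applies origin-based exclusions and flags instead of the sender- and privilege-based exclusions discussed above. The host lists in trustedDownloadHosts and fileSharingHosts are assumed placeholders for illustration and must be replaced with your own.

```kusto
// Added example: origin-based tuning of the email link + download + SmartScreen chain.
// Allow-list and file-sharing host lists are assumptions; replace with your own values.
let trustedDownloadHosts = dynamic(["update.microsoft.com", "download.microsoft.com", "internal-repo.company.com"]); // assumed
let fileSharingHosts = dynamic(["drive.google.com", "onedrive.live.com", "1drv.ms", "dropbox.com"]);                 // assumed
let smartscreenAppWarnings =
    DeviceEvents
    | where ActionType == "SmartScreenAppWarning"
    | project WarnTime=Timestamp, DeviceName, WarnedFileName=FileName, WarnedSHA1=SHA1,
              ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string))
    // keep only warnings the user overrode (same ActivityId links the warning to the override)
    | join kind=leftsemi (
        DeviceEvents
        | where ActionType == "SmartScreenUserOverride"
        | project DeviceName, ActivityId=extractjson("$.ActivityId", AdditionalFields, typeof(string)))
      on DeviceName, ActivityId
    | project-away ActivityId;
let emailLinksNearSmartScreenWarnings =
    DeviceEvents
    | where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe"
    | extend WasOutlookSafeLink=(tostring(parse_url(RemoteUrl).Host) endswith "safelinks.protection.outlook.com")
    | project DeviceName, MailLinkTime=Timestamp,
              MailLink=iff(WasOutlookSafeLink, url_decode(tostring(parse_url(RemoteUrl)["Query Parameters"]["url"])), RemoteUrl)
    | join kind=inner smartscreenAppWarnings on DeviceName
    | where (WarnTime-MailLinkTime) between (0min..4min);
DeviceFileEvents
// msedge.exe added: Chromium-based Edge downloads are initiated by msedge.exe, not browser_broker.exe
| where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "browser_broker.exe")
| project FileName, FileOriginUrl, FileOriginReferrerUrl, DeviceName, Timestamp, SHA1
| join kind=inner emailLinksNearSmartScreenWarnings on DeviceName
| where (Timestamp-MailLinkTime) between (0min..3min) and (WarnTime-Timestamp) between (0min..1min)
// Tuning keys on the host the file actually came from, never on who clicked through the warning
| extend DownloadHost = tolower(tostring(parse_url(FileOriginUrl).Host))
| extend MailLinkHost = tolower(tostring(parse_url(MailLink).Host))
| where not(DownloadHost has_any (trustedDownloadHosts))
// File-sharing origins stay in scope and are flagged for triage priority instead of being dropped
| extend FromFileSharingHost = DownloadHost has_any (fileSharingHosts)
// A downloaded file whose hash differs from the warned file points at a dropper, archive or rename between download and run
| extend HashMatchesWarnedFile = (SHA1 == WarnedSHA1)
// Link and download served from different hosts is a redirect chain worth looking at
| extend LinkHostDiffersFromDownloadHost = (MailLinkHost != DownloadHost)
| project Timestamp, DeviceName, FileName, SHA1, WarnedFileName, WarnedSHA1, HashMatchesWarnedFile,
          MailLink, MailLinkHost, FileOriginUrl, DownloadHost, FileOriginReferrerUrl,
          FromFileSharingHost, LinkHostDiffersFromDownloadHost
| distinct *
```

Because has_any matches whole terms, an entry such as "update.microsoft.com" also covers hosts beneath it (for example a regional CDN subdomain), which is the "*.update.microsoft.com" wildcard the scenarios ask for without resorting to regular expressions. The flags are kept as columns rather than filters so that an analyst can sort by FromFileSharingHost or HashMatchesWarnedFile == false and still see the full chain; an exclusion that silently drops those rows would remove exactly the cases the hunt exists to find.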