Adversaries may use malware crafted to bypass individual detection technologies, which can indicate evasion tactics; because this query trends detections per technology, a sustained drop in one technology while others rise is the signal to look for. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that evade traditional malware detection controls.
KQL Query
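// Daily trend of malware-detected emails, split by the detection technology
// recorded in EmailEvents.DetectionMethods (Malware key).
// Window: the last 30 whole days up to, but not including, today (1d buckets).
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Base set: emails in the window whose DetectionMethods carry a Malware verdict.
// The upper bound is added so today's partial-day rows are not unpacked at all;
// make-series only fills buckets inside [TimeStart, TimeEnd), so the chart is unchanged.
let baseQuery = EmailEvents
| where Timestamp >= TimeStart and Timestamp < TimeEnd
| where DetectionMethods has "Malware";
// Unpack the DetectionMethods JSON once and share it across every series below.
// After bag_unpack the 'Malware' column holds the list of detection technologies.
let unpacked = baseQuery
| project Timestamp, RecipientEmailAddress, NetworkMessageId, DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT);
// One daily series per technology. `has` is term-based, so 'File detonation'
// also matches 'File detonation reputation'; the !has clauses keep the plain and
// reputation variants disjoint. An email carrying both values is therefore
// counted only in the reputation series.
let av = unpacked
| where Malware has 'Antimalware engine'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Antimalware engine";
let fd = unpacked
| where Malware has 'File detonation' and Malware !has 'File detonation reputation'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation";
let fdr = unpacked
| where Malware has 'File detonation reputation'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation reputation";
let ud = unpacked
| where Malware has 'URL detonation' and Malware !has 'URL detonation reputation'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation";
let udr = unpacked
| where Malware has 'URL detonation reputation'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation reputation";
let umr = unpacked
| where Malware has 'URL malicious reputation'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL malicious reputation";
// Each series is a (Count[], Timestamp[]) pair; the union yields one line per technology.
union av, fd, fdr, ud, udr, umr
| project Count, Details, Timestamp
| render timechart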
id: 14f54d33-81dd-4316-a617-2262cac86f37
name: Malware Detections by Detection technology Trend
description: |
This query visualises the total number of emails with malware detections over time, summarised daily by the malware detection technology/control that flagged them.
description-detailed: |
This query visualises the total number of emails with malware detections over time, summarised daily by the malware detection technology/control in Microsoft Defender for Office 365 that flagged them.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Malware";
let av=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'Antimalware engine'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Antimalware engine";
let fd=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'File detonation' and Malware !has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation";
let fdr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation reputation";
let ud=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'URL detonation' and Malware !has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation";
let udr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation reputation";
let umr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'URL malicious reputation'
| make-series Count= count() default = 0 on Timest
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the data connector that populates this table (connectorId MicrosoftThreatProtection, listed under requiredDataConnectors above) is enabled |
Scenario: A scheduled job for automated software updates triggers a malware detection due to a legitimate payload being scanned by the antivirus engine.
Filter/Exclusion: Exclude events where the source is a known update server (e.g., source_ip = 192.168.1.100 or source = "Windows Update"). Note that this query reads only EmailEvents, and the columns it projects are Timestamp, RecipientEmailAddress, NetworkMessageId and DetectionMethods; fields such as source_ip or source must first be mapped onto that table's schema before an exclusion like this can be applied.
Scenario: An administrator runs a malware scan on a test machine to validate detection rules, resulting in a false positive.
Filter/Exclusion: Exclude events where the user is a known admin (e.g., user = "admin_user" or user = "root") and the action is a scheduled scan (e.g., event_type = "scheduled_scan").
Scenario: A legitimate system process, such as svchost.exe, is flagged by the Trend Micro detection engine during routine scanning.
Filter/Exclusion: Exclude events where the process name is svchost.exe or explorer.exe and the detection is from Trend Micro.
Scenario: A legitimate email with an attached software patch is scanned by the email security gateway, triggering a malware detection due to a false positive in the signature database.
Filter/Exclusion: Exclude emails where the sender is a known internal distribution list (e.g., sender = "<internal-distribution-list-address>" — placeholder, substitute your own) or the attachment is a known patch file (e.g., file_name = "patch_*.exe").
Scenario: A user downloads a legitimate software installer from a trusted website, which is mistakenly flagged by the detection technology as malware.
Filter/Exclusion: Exclude events where the URL is from a known trusted source (e.g., url = "https://download.microsoft.com/") or the file hash matches a known legitimate installer.