Adversaries commonly gain initial access by emailing malicious attachments or links (MITRE ATT&CK T1566, Phishing). Defender for Office 365 records every message it classifies as malware in the EmailEvents table, so a daily count of those messages gives SOC teams a baseline in Microsoft Sentinel (formerly Azure Sentinel); a sudden rise above that baseline is an early indicator of a campaign against the tenant and is worth hunting before a delivered attachment is opened and leads to execution, data exfiltration or wider compromise. Note that the query below counts every flagged message, including those Defender blocked or junked; check DeliveryAction to see which ones actually reached a mailbox.
KQL Query
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where Timestamp >= TimeStart
| where ThreatTypes has "Malware"
| make-series MalwareDetections = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
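The trend above treats a blocked message and a delivered one alike. The following query is an added example, not the page's or the solution's own query: it keeps the same 30-day daily series but splits it by delivery outcome and scores each day against the series' own baseline with series_decompose_anomalies, so a spike in delivered malware stands out from routine blocked noise. The anomaly threshold of 2.5 is an assumed starting point to tune per tenant.

```kql
// Added example (not the original page's query): daily malware-detection trend
// split by delivery outcome, with anomaly scoring against the series baseline.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where Timestamp >= TimeStart
| where ThreatTypes has "Malware"
// Collapse DeliveryAction into two buckets: reached a mailbox, or did not.
| extend Outcome = iff(DeliveryAction == "Delivered", "Delivered", "Blocked or Junked")
| make-series MalwareDetections = count() default = 0
    on Timestamp from TimeStart to TimeEnd step 1d by Outcome
// Score each day against the decomposed baseline; 2.5 is an assumed threshold.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(MalwareDetections, 2.5)
// Expand back to rows and keep only the anomalous days for triage.
| mv-expand Timestamp to typeof(datetime), MalwareDetections to typeof(long),
    Anomalies to typeof(int), Baseline to typeof(double)
| where Anomalies != 0
| project Timestamp, Outcome, MalwareDetections, Baseline, Anomalies
| order by Timestamp desc
```

To chart instead of tabulate, replace everything from the mv-expand onward with `| render anomalychart with (anomalycolumns=Anomalies)`. Rows where Outcome is "Delivered" and Anomalies is 1 are the ones to pivot on: join them back to EmailEvents on Timestamp day, SenderFromDomain and Subject to find the campaign.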
id: 0e4fd08d-0c0d-41c6-847d-1674e30a9e31
name: Malware Detections Trend
description: |
This query visualises total emails with Malware detections over time summarizing the data daily.
description-detailed: |
This query visualises total emails with Malware detections over time summarizing the data daily.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where Timestamp >= TimeStart
| where ThreatTypes has "Malware"
| make-series MalwareDetections = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the MicrosoftThreatProtection (Microsoft Defender XDR) data connector listed above is enabled and streaming this table |
Scenario: The SOC or messaging team sends the EICAR test file as an attachment to validate that mail-flow malware scanning works, which adds detections on test days.
Filter/Exclusion: Exclude messages whose detection name is the EICAR test signature (e.g., ThreatNames has "EICAR"). Endpoint fields such as process name do not exist in EmailEvents and cannot be used here.
Scenario: Analysts or a threat-intelligence partner send malware samples to a dedicated SOC analysis mailbox, so every sample is counted as a detection.
Filter/Exclusion: Exclude messages addressed to that mailbox (e.g., RecipientEmailAddress !~ "malware-samples@contoso.com", a placeholder address), keeping the exclusion narrow to the recipient rather than to a sender domain.
Scenario: An internal application or automated report sends macro-enabled documents or scripts between users of the same tenant, and Defender flags them as malware.
Filter/Exclusion: Investigate before excluding; if the sender is confirmed benign, exclude only intra-tenant mail from that exact sender (e.g., EmailDirection == "Intra-org" and SenderFromAddress =~ "reports@contoso.com", a placeholder address).
Scenario: A third-party vendor (e.g., Adobe) emails an installer or update package that the email security stack flags as suspicious.
Filter/Exclusion: Exclude the vendor's sending domain (e.g., SenderFromDomain =~ "adobe.com") only for messages that passed DMARC. Attackers routinely spoof trusted domains, so a blanket domain exclusion would hide exactly the phishing this hunt is meant to find.
Scenario: A software vendor distributes an update or patch as an email attachment, and the installer inside it is incorrectly flagged as malware by the email security stack.
Filter/Exclusion: Exclude events where the file is part of a known update or patch (e.g., FileHash IN ('known WSUS hash values') or `File
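The exclusions above are easy to get wrong in a way that silences real detections. The query below is an added example, not the page's or the solution's own query, showing how to apply them to the trend while keeping the trusted-domain exclusion conditional on email authentication. The domain and mailbox lists are placeholders the SOC would maintain, and the JSON field names read from AuthenticationDetails (SPF, DKIM, DMARC, CompAuth) are assumed to match what Defender for Office 365 records.

```kql
// Added example (not the original page's query): the daily malware trend with
// known-benign sources excluded. Trusted domains are excluded only when the
// message authenticated, so a spoofed "trusted" sender still counts.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Assumption: placeholder allow-lists maintained by the SOC.
let TrustedSenderDomains = dynamic(["adobe.com", "microsoft.com"]);
let AnalysisMailboxes = dynamic(["malware-samples@contoso.com"]);
EmailEvents
| where Timestamp >= TimeStart
| where ThreatTypes has "Malware"
// 1. Mail-flow tests using the EICAR test file.
| where not(ThreatNames has "EICAR")
// 2. Samples deliberately sent to the SOC's analysis mailbox.
| where RecipientEmailAddress !in~ (AnalysisMailboxes)
// 3. Trusted vendor domains, but only when DMARC passed (field names assumed).
| extend AuthDetails = parse_json(AuthenticationDetails)
| extend DmarcResult = tostring(AuthDetails.DMARC)
| where not(SenderFromDomain in~ (TrustedSenderDomains) and DmarcResult =~ "pass")
| make-series MalwareDetections = count() default = 0
    on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```

Before adopting any exclusion, run the same filters with `| summarize count() by SenderFromDomain, DmarcResult, DeliveryAction` in place of the make-series line and confirm the excluded rows are the ones expected; an exclusion that removes delivered mail from an unauthenticated sender is removing signal, not noise.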