Adversaries may release malicious emails from quarantine to evade detection and reengage with targets. SOC teams should proactively hunt for this behavior to identify potential phishing campaigns and prevent further compromise.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
| join kind=inner (
    EmailEvents
    | project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
```
```yaml
id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
name: Quarantine Release Email Details
description: |
  This query shows information about email that has been released from the Quarantine in Defender for Office 365.
description-detailed: |
  This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "QuarantineReleaseMessage"
  | project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
  | join kind=inner (
      EmailEvents
      | project-rename EmailTime = Timestamp
  ) on NetworkMessageId
  | project-away NetworkMessageId1
  | order by ReleaseTime asc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Admin releases a quarantined email as part of a routine compliance review
  Filter/Exclusion: Check for the presence of the admin’s email address in the initiator_email field or use a filter for initiator_role = 'Admin'.
- Scenario: Scheduled job runs to release quarantined emails for a specific user or group
  Filter/Exclusion: Use a filter for initiator_email = '[email protected]' or check for job_name in the initiator_details field.
- Scenario: A user manually releases their own quarantined email due to a phishing attempt
  Filter/Exclusion: Filter by initiator_email = '[email protected]' and check for action = 'release' with a note in the email subject or body indicating it was a false positive.
- Scenario: A security tool or SIEM system automatically releases quarantined emails during a test or simulation
  Filter/Exclusion: Use a filter for initiator_tool = 'SIEM Simulator' or check for a specific initiator_application field value indicating a test environment.
- Scenario: An email is released from quarantine after a false positive report from a third-party email security provider
  Filter/Exclusion: Filter by initiator_service = 'ThirdPartyProvider' or check for a specific initiator_id associated with the third-party tool.
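The correlation the KQL query performs and the exclusion idea behind the scenarios above, re-implemented offline in Python as an added example (this is not code from the page, from Defender for Office 365 or from Sentinel). It runs the same stages over constructed sample rows: the ActionType filter, the projection out of RawEventData, the inner join on NetworkMessageId with the EmailEvents Timestamp renamed to EmailTime and the duplicate key dropped, and the ordering by ReleaseTime. It then tags each joined row using an allowlist of expected releasers (admin or service accounts) and the original verdict. The account names, message ids, timestamps and the "expected"/"high"/"low" levels are assumptions for illustration; the EmailEvents column names SenderFromAddress, RecipientEmailAddress, Subject and ThreatTypes are real schema columns, but every value is constructed.

```python
import json
from datetime import datetime


def _raw(**fields):
    """Serialise a constructed RawEventData payload the way the audit log stores it (JSON)."""
    return json.dumps(fields)


# Constructed sample telemetry (not real data), shaped like the columns the query reads.
CLOUD_APP_EVENTS = [
    # Listed out of time order on purpose so the final sort is exercised.
    {"Timestamp": "2024-05-01T09:45:00Z", "ActionType": "QuarantineReleaseMessage",
     "RawEventData": _raw(ResultStatus="Succeeded", UserId="dave@example.com",
                          NetworkMessageId="msg-003", ReleaseTo=["dave@example.com"])},
    {"Timestamp": "2024-05-01T09:12:00Z", "ActionType": "QuarantineReleaseMessage",
     "RawEventData": _raw(ResultStatus="Succeeded", UserId="secops-admin@example.com",
                          NetworkMessageId="msg-001", ReleaseTo=["alice@example.com"])},
    {"Timestamp": "2024-05-01T09:30:00Z", "ActionType": "QuarantineReleaseMessage",
     "RawEventData": _raw(ResultStatus="Succeeded", UserId="bob@example.com",
                          NetworkMessageId="msg-002", ReleaseTo=["bob@example.com"])},
    # A delete action: the ActionType filter must drop it.
    {"Timestamp": "2024-05-01T10:00:00Z", "ActionType": "QuarantineDeleteMessage",
     "RawEventData": _raw(ResultStatus="Succeeded", UserId="secops-admin@example.com",
                          NetworkMessageId="msg-003", ReleaseTo=[])},
    # A release with no matching EmailEvents row: the inner join drops it.
    {"Timestamp": "2024-05-01T11:00:00Z", "ActionType": "QuarantineReleaseMessage",
     "RawEventData": _raw(ResultStatus="Succeeded", UserId="carol@example.com",
                          NetworkMessageId="msg-404", ReleaseTo=["carol@example.com"])},
]

EMAIL_EVENTS = [
    {"Timestamp": "2024-05-01T08:55:00Z", "NetworkMessageId": "msg-001",
     "SenderFromAddress": "billing@example.net", "RecipientEmailAddress": "alice@example.com",
     "Subject": "Invoice overdue", "ThreatTypes": "Phish"},
    {"Timestamp": "2024-05-01T09:05:00Z", "NetworkMessageId": "msg-002",
     "SenderFromAddress": "news@example.org", "RecipientEmailAddress": "bob@example.com",
     "Subject": "Weekly digest", "ThreatTypes": "Spam"},
    {"Timestamp": "2024-05-01T09:40:00Z", "NetworkMessageId": "msg-003",
     "SenderFromAddress": "hr@example.net", "RecipientEmailAddress": "dave@example.com",
     "Subject": "Payslip.zip", "ThreatTypes": "Malware"},
]


def release_events(cloud_app_rows):
    """Stage 1 of the query: keep QuarantineReleaseMessage rows and project the
    fields out of RawEventData (the KQL tostring() calls become str())."""
    out = []
    for row in cloud_app_rows:
        if row["ActionType"] != "QuarantineReleaseMessage":
            continue
        raw = json.loads(row["RawEventData"])
        out.append({"ReleaseTime": row["Timestamp"], "ResultStatus": raw.get("ResultStatus"),
                    "ActionType": row["ActionType"], "ReleasedBy": str(raw.get("UserId")),
                    "NetworkMessageId": str(raw.get("NetworkMessageId")),
                    "ReleaseTo": raw.get("ReleaseTo")})
    return out


def join_email_events(releases, email_rows):
    """Stage 2: join kind=inner on NetworkMessageId, rename the EmailEvents Timestamp
    to EmailTime, drop the duplicate key (NetworkMessageId1) and order by ReleaseTime."""
    by_id = {}
    for e in email_rows:
        by_id.setdefault(e["NetworkMessageId"], []).append(e)
    joined = []
    for r in releases:
        for e in by_id.get(r["NetworkMessageId"], []):
            merged = dict(r)
            merged.update({("EmailTime" if k == "Timestamp" else k): v
                           for k, v in e.items() if k != "NetworkMessageId"})
            joined.append(merged)
    joined.sort(key=lambda x: datetime.fromisoformat(x["ReleaseTime"].replace("Z", "+00:00")))
    return joined


def triage(joined, expected_releasers=frozenset()):
    """Exclusion step from the scenarios above (assumed levels): a release by a
    documented admin or service account is "expected"; any other release of a
    message with a Phish or Malware verdict is "high"; everything else is "low"."""
    levels = []
    for row in joined:
        verdict = row.get("ThreatTypes", "")
        if row["ReleasedBy"] in expected_releasers:
            level = "expected"
        elif "Phish" in verdict or "Malware" in verdict:
            level = "high"
        else:
            level = "low"
        levels.append((row["NetworkMessageId"], row["ReleasedBy"], level))
    return levels


if __name__ == "__main__":
    rows = join_email_events(release_events(CLOUD_APP_EVENTS), EMAIL_EVENTS)
    for item in triage(rows, {"secops-admin@example.com"}):
        print(item)
```

The allowlist in triage() is the programmatic form of the first two scenarios (known admin and scheduled-job accounts); the other scenarios need fields the query does not project, so in production they would be added to the KQL as extra where clauses rather than handled after the fact. Note that the inner join silently drops releases of messages absent from EmailEvents (msg-404 here), which is worth remembering when the two tables have different retention windows.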