A quarantine release hands a message that the filtering stack already judged to be malware, phishing or spam back to the recipient's mailbox. An adversary holding a compromised administrator account, or an administrator persuaded to release a message the sender complains about, can use it to deliver the original phishing or malware payload that quarantine had stopped, which is why releases deserve review as an initial-access and persistence path rather than as routine housekeeping. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel by looking at what was released and what the original filter verdict on it was.
KQL Query
EmailPostDeliveryEvents
// Post-delivery actions taken on mail (ZAP, admin remediation, releases); keep only releases
| where Action == "Quarantine release"
// Pull in the original delivery record of the same message. Both tables carry a
// DetectionMethods column, so after the join the EmailEvents copy, which holds the
// original filter verdict, is exposed as DetectionMethods1
| join kind=inner (EmailEvents | where DeliveryLocation == "Quarantine") on NetworkMessageId
| extend MDO_detection = parse_json(DetectionMethods1)
// The first key of the verdict bag is the detection family (Malware, Phish, Spam, ...)
| extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
// Family plus its first detection technology, e.g. "Phish: Spoof external domain";
// messages with no verdict (quarantined by a mail flow rule, for example) become "clean"
| extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)")
// Only releases of messages the filter actually convicted are interesting
| where FirstSubcategory contains "Malware" or FirstSubcategory contains "Phish" or FirstSubcategory contains "Spam"
| summarize count_messages = count() by FirstSubcategory
| project FirstSubcategory, count_messages
| order by count_messages desc
| render piechart
id: 87754d3a-0077-4ff9-b46e-6336b8d02287
name: Quarantine releases by Detection Types
description: |
  This query visualises emails released from quarantine and summarises the result by the original filter verdict.
description-detailed: |
  This query visualises emails released from quarantine and summarises the result by the original filter verdict.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailPostDeliveryEvents
  // Post-delivery actions taken on mail (ZAP, admin remediation, releases); keep only releases
  | where Action == "Quarantine release"
  // Pull in the original delivery record of the same message. Both tables carry a
  // DetectionMethods column, so after the join the EmailEvents copy, which holds the
  // original filter verdict, is exposed as DetectionMethods1
  | join kind=inner (EmailEvents | where DeliveryLocation == "Quarantine") on NetworkMessageId
  | extend MDO_detection = parse_json(DetectionMethods1)
  // The first key of the verdict bag is the detection family (Malware, Phish, Spam, ...)
  | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
  // Family plus its first detection technology, e.g. "Phish: Spoof external domain";
  // messages with no verdict (quarantined by a mail flow rule, for example) become "clean"
  | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)")
  // Only releases of messages the filter actually convicted are interesting
  | where FirstSubcategory contains "Malware" or FirstSubcategory contains "Phish" or FirstSubcategory contains "Spam"
  | summarize count_messages = count() by FirstSubcategory
  | project FirstSubcategory, count_messages
  | order by count_messages desc
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft Defender XDR connector (MicrosoftThreatProtection); ensure the connector is enabled and the EmailEvents data type is selected |
| EmailPostDeliveryEvents | Same connector; this table holds the "Quarantine release" action rows the query starts from |
Scenario: A system administrator manually releases emails from quarantine using the Microsoft Defender for Office 365 (MDO) portal as part of a routine review.
Filter/Exclusion: EmailPostDeliveryEvents does not record which tool performed a release, so there is no "Portal" or "Admin Console" source field to filter on. The ActionTrigger column only separates admin-initiated actions from automatic ones. To exclude routine reviews, correlate the NetworkMessageId with the release record in the Microsoft 365 unified audit log to identify the releasing account and exclude the accounts that perform scheduled review; keep releases of messages with a Malware verdict visible regardless of who released them.
Scenario: A scheduled job runs to automatically release emails from quarantine based on a predefined list of sender domains or users.
Filter/Exclusion: There is no job_id or task_name column in the table; an automated release appears under the identity of the service account or app registration the job runs as. Exclude that identity through the same audit-log correlation, and review the sender-domain allow list itself periodically, since an attacker who spoofs or compromises a listed domain inherits its automatic release.
Scenario: An IT helpdesk technician releases a quarantined email to a user who reported a false positive, using the Microsoft 365 admin center.
Filter/Exclusion: No release_method column exists, so "Admin Center" or "Helpdesk" cannot be read from the event. Exclude the helpdesk accounts by identity via the audit-log correlation, and tie the exclusion to a ticket reference where the helpdesk process records one; a helpdesk release of a Malware-verdict message should still surface.
Scenario: A third-party email archiving tool (e.g., Mimecast, Proofpoint) integrates with the email security gateway and occasionally releases emails from quarantine during data migration or backup processes.
Filter/Exclusion: EmailPostDeliveryEvents only records actions taken by Defender for Office 365, so a third-party tool releasing mail from its own quarantine never produces a row here and needs no exclusion. If the tool releases from the MDO quarantine through PowerShell or an API, the release shows up under the tool's service principal or service account; exclude that identity as in the next scenario.
Scenario: A security analyst manually reviews and releases quarantined emails using the Microsoft Graph API or PowerShell cmdlets (for example Release-QuarantineMessage) for investigation purposes.
Filter/Exclusion: The event carries no release_method column that would say "API" or "PowerShell". Identify the release by the analyst's account or app registration in the audit-log record and exclude those identities, or scope the exclusion to the investigation's time window rather than excluding the identity permanently.
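The following Python is an added example, not part of the original query or of the Defender for Office 365 solution it comes from. It models the KQL pipeline above over a handful of constructed EmailEvents and EmailPostDeliveryEvents rows (not real tenant data), showing how the DetectionMethods JSON is reduced to a "Family: technique" verdict and why only the first key of the bag counts, and then applies the kind of tuning the scenarios above call for: an `excluded_ids` set of NetworkMessageIds whose release was attributed to an approved identity by an external audit source. The column names follow the Sentinel schema; the sample rows, the helper names and the `excluded_ids` input are assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample rows modelling the two Sentinel tables the query joins (not real tenant data).
# DetectionMethods is kept as a JSON string, which is how EmailEvents exposes it.
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "DeliveryLocation": "Quarantine",
     "DetectionMethods": json.dumps({"Phish": ["Spoof external domain"]})},
    {"NetworkMessageId": "m2", "DeliveryLocation": "Quarantine",
     "DetectionMethods": json.dumps({"Malware": ["File detonation"], "Phish": ["URL reputation"]})},
    # Quarantined by a mail flow rule: no filter verdict, so the query treats it as "clean".
    {"NetworkMessageId": "m3", "DeliveryLocation": "Quarantine", "DetectionMethods": ""},
    # Never quarantined, so the DeliveryLocation == "Quarantine" filter on the join drops it.
    {"NetworkMessageId": "m4", "DeliveryLocation": "Inbox/folder",
     "DetectionMethods": json.dumps({"Spam": ["Bulk"]})},
    {"NetworkMessageId": "m5", "DeliveryLocation": "Quarantine",
     "DetectionMethods": json.dumps({"Spam": ["Spam"]})},
]

POST_DELIVERY_EVENTS = [
    {"NetworkMessageId": "m1", "Action": "Quarantine release"},
    {"NetworkMessageId": "m2", "Action": "Quarantine release"},
    {"NetworkMessageId": "m3", "Action": "Quarantine release"},
    {"NetworkMessageId": "m4", "Action": "Moved to junk"},  # not a release
    {"NetworkMessageId": "m5", "Action": "Quarantine release"},
]

# KQL `contains` is case-insensitive; the family names are capitalised in the bag,
# so a plain substring test is enough here.
VERDICT_FAMILIES = ("Malware", "Phish", "Spam")


def first_subcategory(detection_methods: str) -> str:
    """Mirror the KQL FirstDetection/FirstSubcategory logic for one DetectionMethods value.

    Only the first key of the bag counts, so a message convicted as both Malware and Phish
    is reported under whichever family appears first in the JSON.
    """
    if not detection_methods:          # isempty(MDO_detection) -> "Clean"
        return "No Detection (clean)"
    bag = json.loads(detection_methods)
    if not bag:
        return "No Detection (clean)"
    family = next(iter(bag))           # bag_keys(MDO_detection)[0]
    techniques = bag[family]
    if not techniques:                 # array_length(MDO_detection[FirstDetection]) == 0
        return "No Detection (clean)"
    return f"{family}: {techniques[0]}"


def released_by_verdict(post_delivery, email_events, excluded_ids=frozenset()):
    """Join releases to their original quarantine record and count them by first verdict.

    excluded_ids is a hypothetical tuning input: NetworkMessageIds whose release has already
    been attributed to an approved admin or helpdesk identity by an audit source outside
    these two tables.
    """
    quarantined = {
        row["NetworkMessageId"]: row
        for row in email_events
        if row["DeliveryLocation"] == "Quarantine"
    }
    counts = Counter()
    for event in post_delivery:
        if event["Action"] != "Quarantine release":
            continue
        mid = event["NetworkMessageId"]
        if mid in excluded_ids or mid not in quarantined:
            continue
        # In KQL both tables carry DetectionMethods; after the join the EmailEvents copy is
        # renamed DetectionMethods1, and that original verdict is what is classified here.
        verdict = first_subcategory(quarantined[mid]["DetectionMethods"])
        if any(family in verdict for family in VERDICT_FAMILIES):
            counts[verdict] += 1
    # order by count_messages desc
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    print("all releases:", released_by_verdict(POST_DELIVERY_EVENTS, EMAIL_EVENTS))
    # m5 was released by the helpdesk for a confirmed false positive, per an audit record
    print("tuned:", released_by_verdict(POST_DELIVERY_EVENTS, EMAIL_EVENTS, excluded_ids={"m5"}))
```

One difference from the KQL to keep in mind when the real tables are used: EmailEvents holds one row per recipient, so the inner join multiplies a multi-recipient release by its recipient count; the dictionary keyed on NetworkMessageId above deliberately counts each message once.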