Adversaries may be using known malware families to deliver payloads via email, leveraging T1566 techniques to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential email-based attacks before they lead to data exfiltration or system compromise.
KQL Query
EmailEvents
| where isnotempty(ThreatNames) and ThreatTypes has "Malware"
| summarize count() by ThreatNames
| project ThreatNames,Emails=count_
| sort by Emails
//| render piechart // Uncomment to display as a piechart
id: 43c7c926-0bd4-41a5-a959-753db79ae470
name: Top Malware Families
description: |
This query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.
description-detailed: |
This query visualises total emails with Malware detections summarizing the data by ThreatNames of the malware detected.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where isnotempty(ThreatNames) and ThreatTypes has "Malware"
| summarize count() by ThreatNames
| project ThreatNames,Emails=count_
| sort by Emails
//| render piechart // Uncomment to display as a piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Microsoft Defender for Endpoint to perform a scheduled malware scan, which temporarily detects benign files as malware during a deep scan.
Filter/Exclusion: Exclude events where the source is Microsoft Defender for Endpoint and the action is a scheduled scan.
Scenario: A scheduled backup job using Veeam Backup & Replication is copying files from a server, and the backup tool is falsely flagged as a malware family due to its file signature.
Filter/Exclusion: Exclude events where the process name is VeeamBackup.exe or the job is associated with a known backup tool.
Scenario: A system update via Windows Update includes a file that matches a known malware signature, but it is actually a legitimate update file.
Filter/Exclusion: Exclude events where the file path contains C:\Windows\Update or the process is wuauclt.exe.
Scenario: A third-party security tool like CrowdStrike Falcon is running a threat detection scan, and its own components are mistakenly identified as a malware family.
Filter/Exclusion: Exclude events where the process name is falcon.exe or the threat name is associated with the CrowdStrike product.
Scenario: A network monitoring tool such as Wireshark is being used to capture and analyze network traffic, and its internal components are flagged as malware due to a false positive signature.
Filter/Exclusion: Exclude events where the process name is wireshark.exe or the file path contains Wireshark in the name.