Adversaries may be using compromised user accounts to distribute malware by targeting specific recipients with malicious email attachments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration attempts early.
KQL Query

```kql
EmailEvents
| where ThreatTypes has "Malware" and EmailDirection == "Inbound"
| summarize count() by RecipientEmailAddress
| sort by count_
| top 15 by count_
//| render columnchart // Uncomment to display as a column graph
//| render piechart // Uncomment to display as a piechart
```
```yaml
id: 1c423f0d-57d6-41dc-869f-79899a2dae77
name: Top Users receiving Malware
description: |
  This query visualises total inbound emails with Malware detections, summarizing the data by the top recipient email address (RecipientEmailAddress).
description-detailed: |
  This query visualises total inbound emails with Malware detections, summarizing the data by the top recipient email address (RecipientEmailAddress).
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where ThreatTypes has "Malware" and EmailDirection == "Inbound"
  | summarize count() by RecipientEmailAddress
  | sort by count_
  | top 15 by count_
  //| render columnchart // Uncomment to display as a column graph
  //| render piechart // Uncomment to display as a piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator receives a large number of legitimate system alerts via email from a monitoring tool like Splunk or Datadog.
  - Filter/Exclusion: Exclude emails from known admin tools or internal monitoring services using the RecipientEmailAddress field, e.g. `| where RecipientEmailAddress !in ("[email protected]", "[email protected]")`.
- Scenario: A scheduled job runs daily and sends a report to a user via email, such as PowerShell or Python scripts that generate reports and send them via SMTP.
  - Filter/Exclusion: Exclude emails sent from known job execution accounts, e.g. `| where RecipientEmailAddress !contains "[email protected]"`.
- Scenario: A user receives a high volume of emails from a third-party service like Google Workspace or Microsoft 365 that includes malware detection alerts or security updates.
  - Filter/Exclusion: Exclude emails from known security service domains, e.g. `| where not(RecipientEmailAddress endswith "@google.com" or RecipientEmailAddress endswith "@microsoft.com")`.
- Scenario: A user is part of a security team and receives regular phishing simulation emails from a tool like MockPhish or PhishMe for training purposes.
  - Filter/Exclusion: Exclude emails from known security training domains, e.g. `| where not(RecipientEmailAddress endswith "@mockphish.com" or RecipientEmailAddress endswith "@phishme.com")`.
- Scenario: A user receives a high volume of emails from a cloud backup service like Veeam or Commvault that includes malware detection notifications.
  - Filter/Exclusion: Exclude emails from known backup service domains, e.g. `| where not(RecipientEmailAddress endswith "@veeam.com" or RecipientEmailAddress endswith "@commvault.com")`.
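The hunting query and the false-positive tuning above, combined into one query as an added example; it is not part of the original hunting query or of the Defender for Office 365 solution. It scopes the search to a time window, drops the sender domains and recipient addresses you have allow-listed (the lists below are assumed placeholders, not values from the page), and enriches each top recipient with sender diversity, delivery outcome and detected threat names so an analyst can triage a row without re-querying. Columns beyond those used on the page (Timestamp, SenderFromAddress, SenderFromDomain, DeliveryAction, ThreatNames) are standard EmailEvents columns.

```kql
// Added example: tuned version of the "Top Users receiving Malware" hunt.
// The allow-lists are assumed placeholders; replace them with your tenant's values.
let lookback = 7d;
// Sender domains whose mail is expected to carry malware-detection content (simulations, backup alerts).
let excluded_sender_domains = dynamic(["mockphish.com", "phishme.com", "veeam.com", "commvault.com"]);
// Recipient mailboxes that are monitoring aliases or job-execution accounts (assumed placeholders).
let excluded_recipients = dynamic(["monitoring-alias@example.com", "report-bot@example.com"]);
EmailEvents
| where Timestamp > ago(lookback)
| where ThreatTypes has "Malware" and EmailDirection == "Inbound"
// Exclude allow-listed senders (case-insensitive) and allow-listed recipient mailboxes.
| where SenderFromDomain !in~ (excluded_sender_domains)
| where RecipientEmailAddress !in~ (excluded_recipients)
| summarize
    MalwareEmails   = count(),
    DistinctSenders = dcount(SenderFromAddress),
    DeliveredCount  = countif(DeliveryAction == "Delivered"),
    ThreatNames     = make_set(ThreatNames, 10),
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp)
    by RecipientEmailAddress
// Share of malware mail that actually reached the mailbox: prioritise recipients where this is high.
| extend DeliveredRatio = round(1.0 * DeliveredCount / MalwareEmails, 2)
| top 15 by MalwareEmails desc
//| render columnchart // Uncomment to display as a column graph
```

A recipient with many malware emails from a single sender is usually a noisy-but-benign source to add to the allow-list; a recipient with many distinct senders, or a DeliveredRatio well above zero, is the row worth investigating first.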