Adversaries who deliver previously unseen ("zero-day") malware by email attachment or link can slip past signature- and reputation-based controls. In Defender for Office 365 the detection methods that catch such samples are the detonation (sandbox) verdicts, "File detonation" from Safe Attachments and "URL detonation" from Safe Links; the "File detonation reputation" and "URL detonation reputation" methods instead mark repeat sightings of samples already detonated earlier. Counting only the first-seen detonation verdicts therefore approximates a daily trend of unique, previously unknown malware, and a rising trend is a reason for the SOC to hunt in Microsoft Sentinel (formerly Azure Sentinel) before the campaign spreads.
KQL Query
```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Malware";
let fd=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'File detonation' and Malware !has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation";
let ud=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Malware has 'URL detonation' and Malware !has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation";
union fd,ud
| project Count, Details, Timestamp
| render timechart
```
```yaml
id: 63941b4c-4995-442b-97b0-ff640efd46c8
name: Zero-day Malware Detections Trend
description: |
  This query visualises the total number of emails with malware detections over time, summarised daily by the detection technology used to catch unknown, previously unseen malware.
description-detailed: |
  This query visualises the total number of emails with malware detections over time, summarised daily by the detection technology used to catch unknown, previously unseen malware: URL detonation or attachment (file) detonation.
  The query is also included in the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailEvents
  | where Timestamp >= TimeStart
  | where DetectionMethods has "Malware";
  let fd=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Malware has 'File detonation' and Malware !has 'File detonation reputation'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "File detonation";
  let ud=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Malware has 'URL detonation' and Malware !has 'URL detonation reputation'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "URL detonation";
  union fd,ud
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft Defender XDR connector (connectorId `MicrosoftThreatProtection`); ensure the connector is enabled with the EmailEvents data type selected, otherwise the query returns an empty chart rather than an error. |
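The following Python script is an added example; it is not code from this page or from the Defender for Office 365 solution. It re-implements the query's logic offline over constructed EmailEvents rows: the `DetectionMethods` bag is unpacked, a row counts only when a "File detonation" or "URL detonation" verdict is present without its "reputation" variant (the term-based semantics of KQL `has` are emulated, which shows why the `!has` clause is needed: `has 'File detonation'` also matches "File detonation reputation"), counts are zero-filled per day as `make-series ... default = 0 ... step 1d` does, and a trusted-sender-domain allowlist of the kind suggested under the false-positive scenarios below is applied on `SenderFromDomain`. The sample rows, domains, message IDs and allowlist contents are all constructed, and `kql_has` is an approximation of the Kusto operator, not its implementation.

```python
"""Offline re-implementation of the 'Zero-day Malware Detections Trend' query.

Added example, not code from the page or the Sentinel solution. The rows are
constructed sample data shaped like EmailEvents (column names follow the
EmailEvents schema; every value is made up).
"""
import json
import re
from datetime import date, datetime, timedelta

# Constructed EmailEvents rows. DetectionMethods is the JSON bag the KQL
# query unpacks; its "Malware" key lists the detection technologies.
SAMPLE_EMAILEVENTS = [
    {"Timestamp": "2024-05-01T08:12:00Z", "NetworkMessageId": "m1", "RecipientEmailAddress": "a@contoso.example",
     "SenderFromDomain": "evil.example", "DetectionMethods": '{"Malware":["File detonation"]}'},
    # Reputation hit on a previously detonated file: not first-seen, excluded by the !has clause
    {"Timestamp": "2024-05-01T09:30:00Z", "NetworkMessageId": "m2", "RecipientEmailAddress": "b@contoso.example",
     "SenderFromDomain": "evil.example", "DetectionMethods": '{"Malware":["File detonation reputation"]}'},
    {"Timestamp": "2024-05-02T10:00:00Z", "NetworkMessageId": "m3", "RecipientEmailAddress": "c@contoso.example",
     "SenderFromDomain": "bad.example", "DetectionMethods": '{"Malware":["URL detonation"],"Phish":["Spoof DMARC"]}'},
    # Same verdict from an allowlisted partner domain: dropped when the allowlist is applied
    {"Timestamp": "2024-05-02T11:00:00Z", "NetworkMessageId": "m4", "RecipientEmailAddress": "d@contoso.example",
     "SenderFromDomain": "partner.example", "DetectionMethods": '{"Malware":["URL detonation"]}'},
    # Engine/signature detection, not a detonation verdict
    {"Timestamp": "2024-05-03T12:00:00Z", "NetworkMessageId": "m5", "RecipientEmailAddress": "e@contoso.example",
     "SenderFromDomain": "bad.example", "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
    # No Malware key at all: removed by the baseQuery 'has "Malware"' filter
    {"Timestamp": "2024-05-03T13:00:00Z", "NetworkMessageId": "m6", "RecipientEmailAddress": "f@contoso.example",
     "SenderFromDomain": "bad.example", "DetectionMethods": '{"Spam":["Bulk"]}'},
]

DETONATION_METHODS = ("File detonation", "URL detonation")
_TERM = re.compile(r"[A-Za-z0-9_]+")


def kql_has(value, phrase):
    """Approximation of KQL `has`: case-insensitive match on whole terms, so
    'File detonation' matches 'File detonation reputation' but not vice versa.
    For a list (dynamic array) every element is searched."""
    if isinstance(value, list):
        return any(kql_has(v, phrase) for v in value)
    terms = [t.lower() for t in _TERM.findall(str(value))]
    needle = [t.lower() for t in _TERM.findall(phrase)]
    return any(terms[i:i + len(needle)] == needle
               for i in range(len(terms) - len(needle) + 1))


def classify(row):
    """Detonation labels a row contributes to, mirroring the two KQL branches:
    keep '<X> detonation' only when '<X> detonation reputation' is absent."""
    if not kql_has(row["DetectionMethods"], "Malware"):  # baseQuery filter on the raw column
        return []
    malware = json.loads(row["DetectionMethods"]).get("Malware")  # bag_unpack -> Malware column
    if malware is None:
        return []
    return [m for m in DETONATION_METHODS
            if kql_has(malware, m) and not kql_has(malware, m + " reputation")]


def daily_series(rows, start, end, trusted_domains=()):
    """Zero-filled per-day counts per detonation type over [start, end), like
    `make-series Count=count() default=0 ... step 1d`, after dropping rows whose
    SenderFromDomain is allowlisted (the false-positive exclusion)."""
    trusted = {d.lower() for d in trusted_domains}
    days = [start + timedelta(days=i) for i in range((end - start).days)]
    series = {label: {d: 0 for d in days} for label in DETONATION_METHODS}
    for row in rows:
        if row["SenderFromDomain"].lower() in trusted:
            continue
        day = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00")).date()
        if not start <= day < end:
            continue
        for label in classify(row):
            series[label][day] += 1
    return series


def run_sample(trusted_domains=("partner.example",)):
    """Run the constructed rows through a three-day window and flatten to
    (Details, Timestamp, Count) tuples, one per day and detection type."""
    start, end = date(2024, 5, 1), date(2024, 5, 4)
    series = daily_series(SAMPLE_EMAILEVENTS, start, end, trusted_domains)
    return [(label, d.isoformat(), n) for label, s in series.items() for d, n in s.items()]


if __name__ == "__main__":
    for details, day, count in run_sample():
        print(f"{day}  {details:<15} {count}")
```

With the allowlist in place the sample yields one File detonation on 2024-05-01 and one URL detonation on 2024-05-02, everything else being zero; with an empty allowlist the partner-domain message raises the 2024-05-02 URL detonation count to two, which is the trade-off the exclusion scenarios below describe.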
Scenario: Scheduled System Scan with Antivirus Tool
Description: A daily scheduled scan by Microsoft Defender Antivirus or ClamAV flags benign files on endpoints because of signature mismatches or false positives. These are endpoint verdicts; they are never written to EmailEvents, so they cannot inflate this query.
Filter/Exclusion: None is needed for this query. If the hunt is extended to endpoint tables such as DeviceEvents, exclude by the scanning process (for example InitiatingProcessFileName of "clamscan") rather than by a `taskname` or `processname` field, which EmailEvents does not have.
Scenario: Email Security Gateway Performing False Positive Detection
Description: Exchange Online Protection (EOP) or Defender for Office 365 flags a legitimate message. Note that this query counts only detonation verdicts from Safe Attachments and Safe Links sandboxing, not heuristic or engine matches, and a third-party gateway such as the Cisco Secure Email Gateway (SEG) placed in front of Exchange Online does not write to EmailEvents at all, so its verdicts are out of scope here.
Filter/Exclusion: Exclude trusted senders on the EmailEvents sender columns (e.g., SenderFromDomain in ("example.com", "trusted-email-provider.com")); `fromdomain` is not an EmailEvents column. Apply this sparingly: sender domains are spoofable, and a detonation verdict on mail from a trusted partner is more often a compromised partner than a false positive, so pair any domain allowlist with the message's authentication result (AuthenticationDetails) and review the excluded messages instead of silently dropping them.
Scenario: Admin Task for Patching or System Update
Description: An administrative task driven by Windows Update or Ansible triggers an endpoint malware detection through temporary file changes or system state alterations. As with scheduled scans, this is endpoint telemetry and does not appear in EmailEvents.
Filter/Exclusion: None is needed for this query. In endpoint tables, exclude by the initiating process (e.g., InitiatingProcessFileName of "wuauclt.exe" or "ansible-playbook") rather than by a `processname` field.
Scenario: Legitimate Malware Analysis Lab Activity
Description: A security team runs Cuckoo Sandbox or Joe Sandbox on suspicious files and mails samples between analysts or to a triage mailbox. Those messages legitimately produce detonation verdicts in EmailEvents and would be counted as new malware by this query.
Filter/Exclusion: Exclude the lab's mailboxes (SenderFromAddress or RecipientEmailAddress of the triage mailbox) or, for mail relayed from the lab network, the connecting IP (e.g., SenderIPv4 in ("10.0.0.100", "192.168.1.50")); EmailEvents has no `sourceip` column, and the recipient-based exclusion is the more reliable one because internal mail may carry no external connecting IP.
Scenario: False Positive from Signature-Based Detection
Description: