Bazacall emails are used by adversaries to trick users into calling a malicious phone number to cancel a fake subscription, bypassing traditional email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential financial fraud and data exfiltration attempts.
KQL Query

```kql
EmailEvents
| where Subject matches regex @"[A-Z]{1,3}\d{9,15}"
    and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold', 'notification', 'notice', 'claim', 'order', 'license', 'licenses')
```
```yaml
id: 54f12c74-fb8e-4871-a13f-4da835b319a7
name: Bazacall Emails
description: |
  Bazacall malware uses emails that contain a phone number for the user to call in order to cancel a fake subscription. These emails contain no links or attachments, and use automatic payment lures to trick users into contacting the number included in the email.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - Initial access
query: |
  EmailEvents
  | where Subject matches regex @"[A-Z]{1,3}\d{9,15}"
      and Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold', 'notification', 'notice', 'claim', 'order', 'license', 'licenses')
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
False Positive Scenarios

Scenario: Internal System Maintenance Notification
Description: A legitimate system maintenance email sent by IT administrators includes a phone number for users to call for more information.
Filter/Exclusion: Exclude emails sent from internal IT email addresses (e.g., [email protected]) or those marked as internal communications in the email headers.

Scenario: Scheduled Job Notification via Email
Description: A scheduled job (e.g., using cron or Windows Task Scheduler) generates an email notification with a phone number for support contact.
Filter/Exclusion: Exclude emails with the X-Scheduled-Task header or those originating from known job scheduling tools (e.g., cron, Task Scheduler, Airflow).

Scenario: User Support Contact Information in Help Desk Emails
Description: Help desk emails include a phone number for user support, as part of standard contact information.
Filter/Exclusion: Exclude emails sent from help desk email domains (e.g., [email protected]) or those containing standard support contact details in the body.

Scenario: Automated Phone Number Verification for User Onboarding
Description: A user onboarding process sends an email with a phone number for verification purposes, as part of account setup.
Filter/Exclusion: Exclude emails containing the phrase “Verify your phone number” or those sent during user onboarding workflows (e.g., via Salesforce, Zendesk, or HubSpot).

Scenario: Admin Task Completion Notification with Contact Info
Description: An admin task (e.g., using PowerShell, Ansible, or Puppet) completes and sends an email with a phone number for follow-up.
Filter/Exclusion: Exclude emails with the X-Admin-Task header or those sent from admin-specific email addresses.
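As an added example (not the page's query or Microsoft's content), the hunting query above with the sender-domain, direction and phrase exclusions from the scenarios folded in and the results rolled up per sender. It assumes the EmailEvents columns SenderFromDomain, EmailDirection, AttachmentCount and UrlCount are populated by the Microsoft 365 Defender connector; the domain list is a placeholder to replace with your own IT, help desk and admin domains.

```kql
// Placeholder allowlist: your internal IT, help desk and admin sender domains (scenarios 1, 3 and 5).
let internal_domains = dynamic(["it.example.com", "helpdesk.example.com", "admin.example.com"]);
// Subscription / invoice lure terms from the original query.
let lure_terms = dynamic(["trial", "free", "demo", "membership", "premium", "gold",
                          "notification", "notice", "claim", "order", "license", "licenses"]);
EmailEvents
| where Timestamp > ago(7d)
// Lures arrive from outside; intra-org mail (maintenance, job and admin notices) is dropped here.
| where EmailDirection == "Inbound"
| where SenderFromDomain !in (internal_domains)
// Bazacall mails carry no links or attachments; the phone number is the only call to action.
| where AttachmentCount == 0 and UrlCount == 0
// Fake order / subscription identifier such as "TR4829103746" in the subject.
| where Subject matches regex @"[A-Z]{1,3}\d{9,15}"
| where Subject has_any (lure_terms)
// Scenario 4: onboarding phone verification mail.
| where Subject !has "Verify your phone number"
// One row per sender, so a single campaign hitting many mailboxes stands out.
| summarize Messages = dcount(NetworkMessageId),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleSubjects = make_set(Subject, 5)
    by SenderFromAddress, SenderFromDomain
| order by Recipients desc
```

Header-based exclusions from the scenarios (X-Scheduled-Task, X-Admin-Task) are not available in EmailEvents, so those cases are covered here only through the sender-domain allowlist.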