Malicious payloads whose hashes were recently published on MalwareBazaar (abuse.ch) may be arriving in your mail flow, delivered through compromised accounts or phishing campaigns. Proactively hunting for these hashes in mail flow helps identify malware distribution channels before they cause widespread damage.
KQL Query

```kql
let abuse_sha256 = (externaldata(sha256_hash: string)
    [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
    with (format="txt"))
    | where sha256_hash !startswith "#"
    | project sha256_hash;
abuse_sha256
| join (EmailAttachmentInfo
    | where Timestamp > ago(1d)
    ) on $left.sha256_hash == $right.SHA256
| project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, ThreatTypes, DetectionMethods
```
```yaml
id: 3dfabb54-3553-47cf-b734-5327e9133874
name: Check for MalwareBazaar (abuse.ch) hashes in your mail flow
description: |
  Check if file hashes published in the recent abuse.ch feed are found in your mail flow scanned by Office 365 ATP.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
tactics:
  - Initial access
  - Malware, component
query: |
  let abuse_sha256 = (externaldata(sha256_hash: string)
      [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
      with (format="txt"))
      | where sha256_hash !startswith "#"
      | project sha256_hash;
  abuse_sha256
  | join (EmailAttachmentInfo
      | where Timestamp > ago(1d)
      ) on $left.sha256_hash == $right.SHA256
  | project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType, SHA256, ThreatTypes, DetectionMethods
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
- Scenario: A legitimate software update from a trusted vendor includes a file whose hash coincidentally matches a hash in the abuse.ch feed.
  Filter/Exclusion: Exclude hashes from known trusted vendors (e.g., Microsoft, Adobe, Cisco) using a custom list in Office 365 ATP’s malware filter settings, or configure a custom hash exclusion list in the Microsoft Defender for Office 365 admin center.
- Scenario: A system administrator manually uploads a file with a known abuse.ch hash as part of a security test or incident response.
  Filter/Exclusion: Use Microsoft Defender for Office 365’s Safe Attachments policy to allowlist specific file paths or users, or create a scheduled job that automatically excludes files from a known test directory using PowerShell or Exchange Online PowerShell.
- Scenario: A user sends a legitimate email attachment (e.g., a PDF or document) that abuse.ch previously flagged as a false positive.
  Filter/Exclusion: Implement a custom hash exclusion list in Microsoft Defender for Office 365 for known false positives, or use the Microsoft Graph API to update the exclusion list programmatically from internal file hashes.
- Scenario: A third-party service (e.g., a cloud backup provider) sends files whose hashes match entries in the abuse.ch feed, but the files are benign.
  Filter/Exclusion: Configure Microsoft Defender for Office 365 to exclude files from specific domains or IP ranges using IP and domain filtering, or set up a scheduled PowerShell job to add these domains to the exclusion list.
- Scenario: A file is scanned by Office 365 ATP and its hash is present in the abuse.ch feed, but the file is part of a legitimate internal software development
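One way to keep the false-positive scenarios above out of the hunt results is to hold reviewed hashes in a Microsoft Sentinel watchlist and drop them before projecting. The query below is an added example, not part of the original hunting query or the Sentinel content; it assumes a watchlist named `TrustedFileHashes` whose `SearchKey` column holds vetted SHA-256 values, and it also normalises case and discards malformed feed lines so the join cannot silently miss hits.

```kql
// Added example (not the original hunting query): the same feed match, plus input
// hardening and an allowlist so vetted benign hashes do not surface as hits.
// Assumption: a Sentinel watchlist named TrustedFileHashes exists and its SearchKey
// column holds SHA-256 values reviewed under the scenarios above.
let lookback = 1d;
let abuse_sha256 = (externaldata(sha256_hash: string)
    [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
    with (format="txt"))
    | where sha256_hash !startswith "#"                       // skip the feed's comment lines
    | extend sha256_hash = tolower(trim(@"\s", sha256_hash))  // normalise case and whitespace
    | where sha256_hash matches regex @"^[0-9a-f]{64}$"       // keep only well-formed hashes
    | distinct sha256_hash;
let trusted = _GetWatchlist('TrustedFileHashes')
    | project sha256_hash = tolower(SearchKey);
abuse_sha256
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | extend sha256_hash = tolower(SHA256)                    // match the feed's case
  ) on sha256_hash
| join kind=leftanti trusted on sha256_hash                   // drop allowlisted hashes
| summarize Hits = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Recipients = make_set(RecipientEmailAddress, 50),
            FileNames = make_set(FileName, 20)
    by SHA256, SenderFromAddress, FileType, ThreatTypes, DetectionMethods
| order by LastSeen desc
```

The `leftanti` join removes allowlisted hashes entirely; if you would rather keep them visible but marked, replace it with a `leftouter` join and add an `IsAllowlisted` column with `extend`.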