Adversaries may use a malicious domain to host an Excel file that, when downloaded, leads users to a phishing page or installs malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage BazaCall campaign activity before users are compromised.
KQL Query

```kusto
DeviceNetworkEvents
| where RemoteUrl matches regex @".{14}\.xyz/config\.php"
```
```yaml
id: 1dd47f50-d42d-4e2f-9c2b-6e6c22147916
name: Excel file download domain pattern
description: |
  BazaCall is a campaign that manipulates users into calling a customer support center, where they are instructed to download an Excel file to unsubscribe from a phony service. When the user opens the Excel file, they are prompted to enable a malicious macro that infects their device with BazaLoader.
  This query surfaces connections to the distinctive .xyz domains that the BazaCall campaign uses to host malicious Excel files.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - Initial access
query: |
  DeviceNetworkEvents
  | where RemoteUrl matches regex @".{14}\.xyz/config\.php"
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
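The following is an added example, not the hunting query shipped with this rule: it keeps the same `.xyz/config.php` pattern, applies the allowlisting suggested by the false-positive scenarios that follow, and correlates each hit with an Excel file created on the same device shortly afterwards. `internal_domains`, `backup_tools` and the 10-minute window are placeholder values to adjust for your tenant.

```kusto
// Added example (not the rule's own query). internal_domains and backup_tools
// are placeholder lists; replace them with your own allowlists.
let internal_domains = dynamic(["intranet.example.com", "internal.example.com"]);
let backup_tools = dynamic(["veeam", "acronis", "rsync"]);
let lookback = 7d;
let config_php_hits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteUrl matches regex @".{14}\.xyz/config\.php"
    // host part of the URL, whether or not RemoteUrl carries a scheme prefix
    | extend RemoteHost = extract(@"^(?:[a-z]+://)?([^/]+)", 1, tolower(RemoteUrl))
    // scenario exclusions: company-controlled domains and backup tooling
    | where RemoteHost !in~ (internal_domains)
    | where not(InitiatingProcessFileName has_any (backup_tools))
    | project HitTime = Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteHost, RemoteIP,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
config_php_hits
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".xls" or FileName endswith ".xlsx" or FileName endswith ".xlsm"
    | project FileTime = Timestamp, DeviceId, FileName, FolderPath, SHA256, FileOriginUrl
) on DeviceId
// keep only Excel files dropped within 10 minutes of the config.php request
| where FileTime between (HitTime .. (HitTime + 10m))
| project HitTime, DeviceName, RemoteHost, RemoteUrl, RemoteIP,
          InitiatingProcessFileName, FileName, FolderPath, SHA256, FileOriginUrl, FileTime
| order by HitTime desc
```

The `SHA256` and `FileOriginUrl` columns of the matched file give the analyst something to pivot on (file reputation, other devices that fetched the same file) without leaving the hunting pane.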
Scenario: Scheduled Job Exporting Data to Excel
Description: A system administrator schedules a daily job using PowerShell or Task Scheduler to export user data to an Excel file for reporting purposes.
Filter/Exclusion: Check for the presence of known export scripts or scheduled tasks associated with PowerShell or Task Scheduler. Exclude files generated by Power BI, Excel Services, or SQL Server Integration Services (SSIS).
Scenario: Admin Task to Generate Compliance Reports
Description: An IT administrator uses Microsoft Excel or Excel Online to generate compliance reports, which are then downloaded from a company-controlled domain.
Filter/Exclusion: Filter for files generated by Excel or Excel Online and exclude downloads from internal domains like intranet.example.com or internal.example.com.
Scenario: User-Initiated File Download for Data Analysis
Description: A data analyst uses Python (pandas) or R to download and analyze an Excel file from a legitimate internal server for business intelligence.
Filter/Exclusion: Exclude files downloaded from internal servers or those generated by pandas, R, or Power BI. Check for the presence of .xlsx files with known internal file paths.
Scenario: Automated Backup Process Including Excel Files
Description: A backup process using Veeam, Acronis, or rsync includes Excel files as part of a standard data backup, which are then downloaded from a backup server.
Filter/Exclusion: Exclude files associated with backup tools like Veeam or Acronis, and filter for known backup directories or file types.
Scenario: User-Generated Excel File for Internal Sharing
Description: A team member creates an Excel file using **Microsoft