Adversaries may use known malicious email addresses to exfiltrate data or deploy malware by sending malicious files to internal systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data compromise early.
KQL Query

```kql
//Get prevalence of files sent by a malicious sender in your organization
EmailAttachmentInfo
| where SenderFromAddress =~ "[email protected]"
| where isnotempty(SHA256)
| join (
    DeviceFileEvents
    | project FileName, SHA256
) on SHA256
```
```yaml
id: 43625c12-5712-44df-8741-c334746aeccc
name: files-from-malicious-sender
description: |
  This query checks devices for the presence of files that have been sent by a known malicious sender. To use this query, replace the email address with the address of the known malicious sender.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
      - DeviceFileEvents
tactics:
  - Initial access
query: |
  //Get prevalence of files sent by a malicious sender in your organization
  EmailAttachmentInfo
  | where SenderFromAddress =~ "[email protected]"
  | where isnotempty(SHA256)
  | join (
      DeviceFileEvents
      | project FileName, SHA256
  ) on SHA256
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| EmailAttachmentInfo | Ensure this data connector is enabled |
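The following is an added example, not part of the original hunting query or the Sentinel content hub: it extends the prevalence hunt above with the false-positive exclusions described in the scenarios on this page (internal-to-internal mail, distribution lists, reporting tools) and summarizes results per attachment hash so an analyst sees how many devices hold each file. All addresses, the domain name, the 30-day lookback and the use of the `Timestamp` column on the Microsoft 365 Defender tables are assumptions to adjust for your tenant.

```kql
// Added example; placeholder values below are assumptions, not from the page.
let MaliciousSenders = dynamic(["attacker@example.net"]);        // known bad senders
let InternalDomain = "corp.example.com";                          // your own mail domain
let ExcludedSenders = dynamic(["reports@corp.example.com"]);      // reporting tools, admins
let ExcludedRecipients = dynamic(["team-dl@corp.example.com"]);   // distribution lists
let lookback = 30d;
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SenderFromAddress in~ (MaliciousSenders)
| where isnotempty(SHA256)
// Exclusions from the scenarios: internal-to-internal mail, known tools, DLs
| where not(SenderFromAddress endswith strcat("@", InternalDomain)
            and RecipientEmailAddress endswith strcat("@", InternalDomain))
| where SenderFromAddress !in~ (ExcludedSenders)
| where RecipientEmailAddress !in~ (ExcludedRecipients)
| project EmailTime = Timestamp, SenderFromAddress, RecipientEmailAddress,
          AttachmentName = FileName, SHA256, NetworkMessageId
// Only keep attachments whose hash was actually observed on an endpoint
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project FileTime = Timestamp, DeviceName, FileName, SHA256,
              ActionType, InitiatingProcessFileName
) on SHA256
// Prevalence: how many hosts hold each file, who received it, when it landed
| summarize DeviceCount = dc(DeviceName),
            Devices = make_set(DeviceName, 50),
            Recipients = make_set(RecipientEmailAddress, 50),
            FirstSeenOnDisk = min(FileTime),
            LastSeenOnDisk = max(FileTime)
    by SHA256, AttachmentName, SenderFromAddress
| order by DeviceCount desc
```

Rows with a high `DeviceCount` are the ones to triage first, since they show an attachment from the suspected sender that has already spread across several endpoints.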
Scenario: System Backup Email from Internal Admin
Description: An internal system administrator sends a backup file to a team member using their corporate email address.
Filter/Exclusion: Exclude emails sent from internal admin accounts (e.g., [email protected]) or use a filter like sender_email contains "[email protected]".
Scenario: Scheduled Job Exporting Data to a Shared Folder
Description: A scheduled job runs daily and exports data to a shared folder, sending a file via email to a team distribution list.
Filter/Exclusion: Exclude emails sent to distribution lists (e.g., [email protected]) or use a filter like recipient_email contains "[email protected]".
Scenario: File Transfer via Email for Collaboration
Description: A team member sends a file via email to a colleague for collaboration, using a legitimate corporate email address.
Filter/Exclusion: Exclude emails sent between internal users (e.g., [email protected] to [email protected]) using a filter like sender_email contains "[email protected]" and recipient_email contains "[email protected]".
Scenario: Automated Report Generation and Email Distribution
Description: An automated report generation tool sends daily reports to a group of analysts via email.
Filter/Exclusion: Exclude emails sent from known reporting tools (e.g., [email protected]) using a filter like sender_email contains "[email protected]".
Scenario: File Sharing via Email Using a Third-Party Tool
Description: A third-party file sharing tool (e.g., Box, Dropbox) sends a file via email to a user, using a service email address.
Filter/Exclusion: Exclude emails sent from third-party service accounts (e.g., `box