Inbound emails whose subject indicates a reply or forward and that carry a .doc or .zip attachment may indicate IcedId malware delivery, as these file types are commonly used to deliver and execute malicious payloads. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and mitigate potential ransomware threats early.
KQL Query
```kusto
// Identify a reply or forward via subject line
let SubjectTerms = pack_array("RE:","FW:","FWD:","AW:","WG:");
EmailEvents
| where Subject has_any(SubjectTerms)
| where EmailDirection == "Inbound"
// Join on those emails by file type (doc or zip>doc)
| join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId
| where AttachmentCount == 1
| where FileType has 'WordStorage' or FileType has 'WordStorage;Zip'
```
```yaml
id: bdbbf32f-10a9-492b-a05c-e5987922f8fc
name: IcedId attachments
description: |
  Use this query to locate emails with subject indicators of a reply or forward, where the attachment is a .doc or a .zip containing a .doc. Review results for suspicious emails.
  IcedId can lead to ransomware
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailAttachmentInfo
tactics:
  - Ransomware
query: |
  // Identify a reply or forward via subject line
  let SubjectTerms = pack_array("RE:","FW:","FWD:","AW:","WG:");
  EmailEvents
  | where Subject has_any(SubjectTerms)
  | where EmailDirection == "Inbound"
  // Join on those emails by file type (doc or zip>doc)
  | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId
  | where AttachmentCount == 1
  | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip'
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate email with a .doc attachment as part of a document sharing process
Filter/Exclusion: attachment.filename: "*.doc" AND (email.subject:*"Re:"* OR email.subject:*"Fwd:"*)
Suggestion: Add a filter to exclude emails sent by known internal document sharing tools like Microsoft SharePoint or Google Drive, or emails from specific internal domains.
Scenario: Scheduled job exporting reports in .zip format containing .doc files
Filter/Exclusion: attachment.filename: "*.zip" AND attachment.content_type: "application/zip" AND email.from: "[email protected]"
Suggestion: Exclude emails sent by automated reporting tools like Power BI or Tableau Server that regularly export reports in .zip archives.
Scenario: User forwarding a .doc file as part of a team collaboration
Filter/Exclusion: email.subject:*"Fwd:"* AND attachment.filename: "*.doc" AND email.from: "[email protected]"
Suggestion: Exclude emails from internal collaboration platforms like Microsoft Teams or Slack that automatically forward documents.
Scenario: System-generated email with a .zip attachment containing a .doc for audit purposes
Filter/Exclusion: attachment.filename: "*.zip" AND email.from: "[email protected]" AND email.subject:*"Audit Report"*
Suggestion: Exclude emails from the SIEM system or log management tools like Splunk or ELK Stack that generate audit reports.
Scenario: User attaching a .doc file as part of a standard email workflow
Filter/Exclusion: attachment.filename: "*.doc" AND email.from: "[email protected]" AND email.to: "[email protected]"
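To check the hunt's logic and the sender exclusions offline, here is an added Python re-implementation (not part of the Sentinel query or the original page) run over constructed EmailEvents and EmailAttachmentInfo rows. The message IDs and addresses are placeholders, and `excluded_senders` is an assumed allowlist standing in for the filter/exclusion scenarios above.

```python
# Added example: the hunt's filtering logic re-implemented over constructed
# EmailEvents / EmailAttachmentInfo rows. Column names follow the KQL query;
# the sample rows and addresses are constructed, not real telemetry.
SUBJECT_TERMS = ("RE:", "FW:", "FWD:", "AW:", "WG:")
DOC_FILE_TYPES = ("WordStorage", "WordStorage;Zip")

def subject_is_reply_or_forward(subject):
    # Approximates KQL `has_any`: case-insensitive, whole-token match.
    tokens = subject.upper().split()
    return any(term in tokens for term in SUBJECT_TERMS)

def hunt(email_events, attachment_info, excluded_senders=()):
    """Return NetworkMessageIds matching the IcedId attachment hunt."""
    by_msg = {a["NetworkMessageId"]: a for a in attachment_info}
    excluded = {s.lower() for s in excluded_senders}  # assumed allowlist
    hits = []
    for e in email_events:
        if e["EmailDirection"] != "Inbound":
            continue
        if not subject_is_reply_or_forward(e["Subject"]):
            continue
        if e["AttachmentCount"] != 1:
            continue
        att = by_msg.get(e["NetworkMessageId"])  # the join on message id
        if att is None or att["FileType"] not in DOC_FILE_TYPES:
            continue
        if e["SenderFromAddress"].lower() in excluded:
            continue
        hits.append(e["NetworkMessageId"])
    return hits

# Constructed sample telemetry (placeholder ids and addresses).
EVENTS = [
    {"NetworkMessageId": "m1", "Subject": "RE: invoice", "EmailDirection": "Inbound",
     "AttachmentCount": 1, "SenderFromAddress": "partner@example.net"},
    {"NetworkMessageId": "m2", "Subject": "FW: report", "EmailDirection": "Inbound",
     "AttachmentCount": 1, "SenderFromAddress": "reports@example.com"},
    {"NetworkMessageId": "m3", "Subject": "RE: notes", "EmailDirection": "Outbound",
     "AttachmentCount": 1, "SenderFromAddress": "user@example.com"},
    {"NetworkMessageId": "m4", "Subject": "Quarterly plan", "EmailDirection": "Inbound",
     "AttachmentCount": 1, "SenderFromAddress": "hr@example.net"},
]
ATTACHMENTS = [
    {"NetworkMessageId": "m1", "FileType": "WordStorage"},
    {"NetworkMessageId": "m2", "FileType": "WordStorage;Zip"},
    {"NetworkMessageId": "m3", "FileType": "WordStorage"},
    {"NetworkMessageId": "m4", "FileType": "WordStorage"},
]
```

Run `hunt(EVENTS, ATTACHMENTS)` to see the two expected hits, then pass the automated reporting sender in `excluded_senders` to see the false positive drop out.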