The IcedId email delivery hunting query identifies potential adversary activity in which attackers abuse a website's contact-form submission mail to deliver links to sites.google.com pages that serve the IcedId malware, an infection that is frequently a precursor to ransomware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to catch the phishing stage early, before it escalates to data exfiltration or ransomware.
KQL Query
EmailUrlInfo
| where Url matches regex @"\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"
| join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially
| where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission')
id: 1d8393fe-e363-40c1-8efb-66cf1ad68a05
name: IcedId email delivery
description: |
  Use this query to locate emails and malicious downloads related to the IcedId activity that can lead to ransomware
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
    - EmailUrlInfo
    - EmailEvents
tactics:
- Initial access
- Ransomware
query: |
  EmailUrlInfo
  | where Url matches regex @"\bsites\.google\.com\/view\/(?:id)?\d{9,}\b"
  | join EmailEvents on NetworkMessageId // Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially
  | where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission')
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft 365 Defender connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled and the EmailEvents data type is selected |
| EmailUrlInfo | Same connector; ensure the EmailUrlInfo data type is selected, since the query starts from this table |
Scenario: Legitimate email delivery by IT support team
Description: IT administrators send out emails with attachments (e.g., .zip files) containing software updates or configuration files. This rule never inspects attachments, so such mail surfaces only if the body also carries a sites.google.com/view/ link whose path is an optional "id" followed by nine or more digits, and the subject contains one of the contact-form phrases.
Filter/Exclusion: Exclude the support mailbox on the joined rows (SenderFromAddress is the header From; SenderMailFromAddress is the envelope sender), for example `| where SenderFromAddress !~ "<your IT support mailbox>"`, or replace the generic subject list with the exact subject your contact form generates, as the query's inline comment advises.
Scenario: Scheduled system backup job
Description: A scheduled job emails nightly backup reports or transfers files via email. Those messages normally carry no Google Sites link and never reach the subject filter; a job whose notification subject happens to contain "New Submission" or "Form submission" matches only when a qualifying URL is also present.
Filter/Exclusion: Exclude the job's sending account via SenderFromAddress, or its fixed notification subject via Subject. Fields such as a job name or file name do not exist in EmailEvents or EmailUrlInfo; attachment names live in EmailAttachmentInfo and would require a further join on NetworkMessageId.
Scenario: Admin task involving file transfer via email
Description: An admin uses a tool like Microsoft Power Automate or ServiceNow to send files (e.g., logs, reports) to another team via email. A Power Automate flow that relays contact-form submissions is the most plausible legitimate producer of matching subjects, so treat a hit as benign only after confirming that the embedded Url points to a known, legitimate Google Sites page.
Filter/Exclusion: Exclude the flow's or instance's sending address via SenderFromAddress, and allowlist specific known-good Url values from EmailUrlInfo rather than UrlDomain, which is sites.google.com for every hit.
Scenario: User-generated email with sensitive data
Description: A user sends an email with sensitive data (e.g., financial reports) to a colleague, possibly with attachments. Person-to-person mail rarely carries both a contact-form subject and a numeric sites.google.com/view/ link, so a hit here warrants a look at the Url before it is dismissed.
Filter/Exclusion: For a known sender/recipient exception, exclude on SenderFromAddress and RecipientEmailAddress; file-name filters are not applicable because this query never sees attachment metadata.
Scenario: Email-based software deployment
Description: IT uses Microsoft Intune or Microsoft Endpoint Manager to deploy software; the accompanying notification or enrollment emails may include links or script files.
Filter/Exclusion: Exclude the notification sender via SenderFromAddress, or `
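As an added worked example (not part of the published rule or the Azure Sentinel repository), the following Python replays the query's logic offline over constructed rows shaped like EmailUrlInfo and EmailEvents, so the regex, the `has_any` subject test and the join semantics can be checked before tuning. It also demonstrates the sender-allowlist exclusion suggested in the false-positive scenarios above. Everything beyond the regex and the four subject terms is an assumption for illustration: the row dictionaries, the `.invalid` addresses, and the `sender_allowlist` parameter.

```python
import re
from collections import defaultdict

# Pattern copied verbatim from the rule (the \/ escape is harmless in Python's re):
# sites.google.com/view/ + optional "id" + nine or more digits, word-bounded on both ends.
GOOGLE_SITES_RE = re.compile(r"\bsites\.google\.com\/view\/(?:id)?\d{9,}\b")

# Subject terms from the rule. Swap in the exact subject your own contact form
# generates, as the rule's inline comment advises.
CONTACT_FORM_SUBJECTS = ("Contact Us", "New Submission", "Contact Form", "Form submission")


def url_matches(url):
    """Equivalent of `Url matches regex @"..."`: an unanchored regex search."""
    return GOOGLE_SITES_RE.search(url) is not None


def subject_has_any(subject, terms=CONTACT_FORM_SUBJECTS):
    """Approximates KQL `has_any`: case-insensitive, whole-term phrase match.
    "Contact Usage report" therefore does NOT satisfy "Contact Us", unlike a substring check."""
    for term in terms:
        phrase = r"\s+".join(re.escape(word) for word in term.split())
        if re.search(r"\b" + phrase + r"\b", subject, re.IGNORECASE):
            return True
    return False


def hunt(email_url_info, email_events, sender_allowlist=()):
    """Replays the rule over in-memory rows shaped like the two advanced-hunting tables.

    Join semantics mirror KQL's default `join` kind (innerunique): one regex-matching
    Url row per NetworkMessageId survives, while every EmailEvents row for that message
    (one per recipient) yields its own output row. `sender_allowlist` is a hypothetical
    tuning knob for the false-positive scenarios, not part of the published rule.
    """
    allow = {addr.lower() for addr in sender_allowlist}
    events_by_id = defaultdict(list)
    for ev in email_events:
        events_by_id[ev["NetworkMessageId"]].append(ev)

    hits, seen = [], set()
    for row in email_url_info:
        if not url_matches(row["Url"]):          # | where Url matches regex ...
            continue
        nmid = row["NetworkMessageId"]
        if nmid in seen:                         # innerunique: first left row per key wins
            continue
        seen.add(nmid)
        for ev in events_by_id.get(nmid, []):   # inner join: messages absent from EmailEvents drop out
            if not subject_has_any(ev["Subject"]):           # | where Subject has_any(...)
                continue
            if ev["SenderFromAddress"].lower() in allow:     # hypothetical tuning step
                continue
            hits.append({"NetworkMessageId": nmid, "Url": row["Url"], "Subject": ev["Subject"],
                         "SenderFromAddress": ev["SenderFromAddress"],
                         "RecipientEmailAddress": ev["RecipientEmailAddress"]})
    return hits


def _event(nmid, subject, sender, recipient):
    return {"NetworkMessageId": nmid, "Subject": subject,
            "SenderFromAddress": sender, "RecipientEmailAddress": recipient}


# Constructed sample rows, not real telemetry; addresses use the reserved .invalid TLD.
FORMS, FLOW = "forms@example-site.invalid", "flow@contoso.invalid"
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "Url": "https://sites.google.com/view/id123456789/home"},  # hit
    {"NetworkMessageId": "msg-2", "Url": "https://sites.google.com/view/contoso-support"},   # no digits
    {"NetworkMessageId": "msg-3", "Url": "https://sites.google.com/view/98765432109"},       # hit
    {"NetworkMessageId": "msg-3", "Url": "https://sites.google.com/view/55555555555"},       # deduped by innerunique
    {"NetworkMessageId": "msg-4", "Url": "https://sites.google.com/view/12345678"},          # only 8 digits
    {"NetworkMessageId": "msg-5", "Url": "https://sites.google.com/view/id2233445566"},      # subject will not match
    {"NetworkMessageId": "msg-6", "Url": "https://sites.google.com/view/id4455667788"},      # hit unless sender allowlisted
]
EMAIL_EVENTS = [
    _event("msg-1", "Contact Us form: new message", FORMS, "alice@contoso.invalid"),
    _event("msg-2", "Contact Us: partnership", FORMS, "alice@contoso.invalid"),
    _event("msg-3", "New submission from website", FORMS, "alice@contoso.invalid"),
    _event("msg-3", "New submission from website", FORMS, "bob@contoso.invalid"),
    _event("msg-4", "Form submission received", FORMS, "alice@contoso.invalid"),
    _event("msg-5", "Invoice attached", "billing@example-site.invalid", "alice@contoso.invalid"),
    _event("msg-6", "Contact Form notification", FLOW, "alice@contoso.invalid"),
]

if __name__ == "__main__":
    for hit in hunt(EMAIL_URL_INFO, EMAIL_EVENTS, sender_allowlist=(FLOW,)):
        print(hit["NetworkMessageId"], hit["RecipientEmailAddress"], hit["Url"])
```

Two behaviours are worth noticing when tuning the real query. `join` in KQL defaults to innerunique, so an email containing several matching links yields one row per recipient, not one per link; and `has_any` is a term match, so widening the subject list with `contains` substrings would change what the rule catches, not just how many results it returns.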