LemonDuck malware may use crafted email subjects to lure victims into executing malicious payloads, leveraging social engineering to spread its botnet and mining operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage LemonDuck campaigns and prevent network compromise.
KQL Query

```kql
EmailEvents
| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
| where AttachmentCount >= 1
```
```yaml
id: 735d4b69-7613-4d86-afb1-7ce64ee7dffb
name: LemonDuck-email-subjects
description: |
  LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - Initial access
  - Lateral movement
query: |
  EmailEvents
  | where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',
  'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')
  | where AttachmentCount >= 1
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- **Scenario:** Legitimate scheduled system maintenance job with a subject containing “LemonDuck”
  **Filter/Exclusion:** Exclude events where the email subject matches a known system maintenance job name, e.g., `subject =~ "LemonDuck Maintenance Job"`
- **Scenario:** Admin using a tool like Microsoft Exchange Online Protection (EOP) to send test emails with subject lines for testing
  **Filter/Exclusion:** Exclude emails sent from the admin email address used for EOP testing, e.g., `from =~ "[email protected]"`
- **Scenario:** Employee using Outlook Web App (OWA) to send internal emails with subject lines containing “LemonDuck” as part of a project name
  **Filter/Exclusion:** Exclude emails where the sender is in the internal admin group or the subject includes a project identifier, e.g., `subject =~ "LemonDuck Project Update"`
- **Scenario:** Automated backup process using Veeam Backup & Replication sends emails with subject lines containing “LemonDuck” for log clarity
  **Filter/Exclusion:** Exclude emails from the backup service account, e.g., `from =~ "[email protected]"`
- **Scenario:** IT team using PowerShell to generate reports with subject lines containing “LemonDuck” for internal documentation
  **Filter/Exclusion:** Exclude emails where the source is a known reporting script or the subject includes a report identifier, e.g., `subject =~ "LemonDuck Report - Daily"`
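To see what the query's two filters and a sender-based exclusion actually return, here is an added Python emulation of the hunt (not part of the Sentinel rule) run over constructed EmailEvents rows; it also shows that KQL `in` is case-sensitive while `in~` is not, which decides whether an upper-cased lure subject is caught. The sample rows, sender addresses and the allowlist are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Subject lures from the hunting query on this page. 'HALTH' is the
# attackers' own misspelling and is kept verbatim so the match is exact.
LURE_SUBJECTS = {
    'The Truth of COVID-19', 'COVID-19 nCov Special info WHO',
    'HALTH ADVISORY:CORONA VIRUS', 'WTF', 'What the fcuk', 'good bye',
    'farewell letter', 'broken file', 'This is your order?',
}

@dataclass
class EmailEvent:  # subset of EmailEvents columns, named as in Sentinel
    NetworkMessageId: str
    Subject: str
    AttachmentCount: int
    SenderFromAddress: str

def matches_lure(subject: str, case_insensitive: bool = False) -> bool:
    """KQL `in` compares case-sensitively; `in~` does not. Both are modelled so
    the analyst can see which messages each variant of the query would catch."""
    if case_insensitive:
        return subject.casefold() in {s.casefold() for s in LURE_SUBJECTS}
    return subject in LURE_SUBJECTS

def hunt(events, allowed_senders=frozenset(), case_insensitive=False):
    """Emulate the query: lure subject AND AttachmentCount >= 1, then drop
    senders on a tuning allowlist (the kind of exclusion the scenarios describe)."""
    return [
        e.NetworkMessageId for e in events
        if matches_lure(e.Subject, case_insensitive)
        and e.AttachmentCount >= 1
        and e.SenderFromAddress.lower() not in allowed_senders
    ]

# Constructed sample rows (not real telemetry): two clean hits, an upper-case
# variant, a lure with no attachment, a hit from a test mailbox, and noise.
SAMPLE_EVENTS = [
    EmailEvent("m1", "The Truth of COVID-19", 1, "ext1@example.net"),
    EmailEvent("m2", "broken file", 2, "ext2@example.net"),
    EmailEvent("m3", "WHAT THE FCUK", 1, "ext3@example.net"),
    EmailEvent("m4", "good bye", 0, "ext4@example.net"),
    EmailEvent("m5", "WTF", 1, "eop-test@example.com"),
    EmailEvent("m6", "Q3 budget", 1, "finance@example.com"),
]
# Hypothetical allowlist standing in for the admin/EOP test-mailbox scenario.
ALLOWED_SENDERS = frozenset({"eop-test@example.com"})

if __name__ == "__main__":
    print("query as written:", hunt(SAMPLE_EVENTS))
    print("with sender exclusion:", hunt(SAMPLE_EVENTS, ALLOWED_SENDERS))
    print("case-insensitive (in~):", hunt(SAMPLE_EVENTS, ALLOWED_SENDERS, True))
```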