Malicious Excel Delivery

Hunt Hypothesis

Bazacall leverages malicious Excel files to deliver and execute payloads on compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement and persistence tactics early.

KQL Query

DeviceFileEvents
| where FileOriginUrl has "/cancel.php" and FileOriginReferrerUrl has "/account"
  or FileOriginUrl has "/download.php" and FileOriginReferrerUrl has "/case"

Analytic Rule Definition

id: 6fa3cf44-517f-4ce5-8727-948b0783b507
name: Malicious Excel Delivery
description: |
  Bazacall uses malicious Excel files to execute payloads on affected devices.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
tactics:
- Initial access
query: |
  DeviceFileEvents
  | where FileOriginUrl has "/cancel.php" and FileOriginReferrerUrl has "/account"
    or FileOriginUrl has "/download.php" and FileOriginReferrerUrl has "/case"

Required Data Sources

Sentinel Table	Notes
`DeviceFileEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Initial access

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Bazacall/Malicious Excel Delivery.yaml)

False Positive Guidance

Scenario: Scheduled Excel Report Generation
Description: A system administrator schedules a daily Excel report using Microsoft Excel (e.g., Power Query or Power Pivot) that is generated from a database.
Filter/Exclusion: process.parent_process_name:"Microsoft Excel" AND process.name:"Excel.exe" AND event_id:100
Note: Exclude processes originating from known reporting tools or scheduled tasks with known benign behavior.
Scenario: Automated Data Migration Using Excel
Description: A data migration tool (e.g., Alteryx, Informatica, or SQL Server Integration Services) exports data to Excel as part of an ETL process.
Filter/Exclusion: process.name:"Excel.exe" AND process.parent_process_name:"Alteryx" OR process.parent_process_name:"Informatica"
Note: Exclude Excel usage by known ETL or data integration tools.
Scenario: User-Initiated Excel File Sharing
Description: An employee shares a legitimate Excel file (e.g., SalesReport.xlsx) with a colleague via email or a file-sharing platform.
Filter/Exclusion: process.name:"Excel.exe" AND file.name:"SalesReport.xlsx" AND user.name:"[Known User]"
Note: Exclude files that are known to be shared internally and have a documented purpose.
Scenario: System Maintenance Task Using Excel
Description: A system maintenance task (e.g., Task Scheduler) runs a script that opens an Excel file to perform data validation or cleanup.
Filter/Exclusion: process.name:"Excel.exe" AND event_id:100 AND task_name:"System Maintenance"
Note: Exclude tasks that are part of a known maintenance or compliance process.
Scenario: Third-Party Application Integration
Description: A