Qakbot email theft | SOC Hunt Feed

Hunt Hypothesis

The Qakbot email theft hypothesis detects adversaries exfiltrating email credentials from compromised endpoints to gain unauthorized access to email accounts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Qakbot-related email theft campaigns before lateral movement and data exfiltration occur.

KQL Query

DeviceFileEvents
| where InitiatingProcessFileName =~ 'ping.exe'
| where FileName endswith '.eml'

Analytic Rule Definition

id: 20b3ece3-7d4a-4952-914b-88623ccf6c09
name: Qakbot email theft
description: |
  Use this query to find email stealing activities ran by Qakbot that will use "ping.exe -t 127.0.0.1" to obfuscate subsequent actions.
  Email theft that occurs might be exfiltrated to operators and indicates that the malware completed a large portion of its automated activity without interruption.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
tactics:
- Collection
query: |
  DeviceFileEvents
  | where InitiatingProcessFileName =~ 'ping.exe'
  | where FileName endswith '.eml'

Required Data Sources

Sentinel Table	Notes
`DeviceFileEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Collection

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Qakbot/Qakbot email theft.yaml)

False Positive Guidance

Scenario: System Administrator Performing Scheduled Email Backup
Description: A system admin runs a scheduled PowerShell script using Out-File or Export-Csv to back up user emails to a secure server.
Filter/Exclusion: Exclude processes initiated by the admin account with cmdline containing backup, export, or Out-File and with destination paths in a known backup directory.
Scenario: IT Team Using Microsoft Exchange Online PowerShell Cmdlets
Description: IT administrators use Get-Mailbox or Export-Mailbox cmdlets to archive or migrate user emails as part of routine maintenance.
Filter/Exclusion: Exclude processes with cmdline containing Export-Mailbox, Get-Mailbox, or Move-Mailbox and originating from the IT admin group or service account.
Scenario: Automated Job for Email Archiving via Microsoft Graph API
Description: A third-party email archiving tool uses the Microsoft Graph API to periodically archive emails to a cloud storage service.
Filter/Exclusion: Exclude processes with cmdline containing microsoft-graph or GraphAPI and with destination paths in a known cloud storage bucket.
Scenario: User-Initiated Email Export for Compliance Purposes
Description: A user exports their own emails using a legitimate email client (e.g., Outlook) to a local drive for compliance or legal reasons.
Filter/Exclusion: Exclude processes with cmdline containing Outlook.exe or Export to PST and with user accounts flagged as non-malicious or whitelisted.
Scenario: System Task for Email Log Analysis
Description: A system task runs a script using Get-EventLog or Get-Event to analyze email logs for auditing or troubleshooting.
Filter/Exclusion: Exclude