Query Details

Malware Sending Domains With Inbox Delivery

Query

// This query identifies domains that Microsoft Defender XDR has detected sending malware by email,
// but keeps only the cases where those same senders also managed to deliver emails into Inbox folders without being detected.
let th_SenderIP =
    EmailEvents
    // decide which type of threat to review
    | where ThreatTypes contains "Malware"
    // add your trusted public IPs to the following list
    | where SenderIPv4 !in ("93.93.93.93", "45.45.45.45")
    | summarize total = count() by ThreatTypes, SenderIPv4
    // minimum number of threats a SenderIP must have sent to make the list
    | where total > 1
    | distinct SenderIPv4;
EmailEvents
| where SenderIPv4 in (th_SenderIP)
| extend DomainExtension = split(SenderFromAddress, ".")[-1]
| where DeliveryLocation contains "Inbox"
| where isempty(ThreatTypes)
| extend countryip = geo_info_from_ip_address(SenderIPv4)
| extend countryip = parse_json(countryip).country
| where isnotempty(SenderIPv4)
| project Timestamp, DomainExtension, countryip, SenderIPv4, SenderFromDomain, ThreatTypes, RecipientEmailAddress, Subject, DeliveryLocation

Explanation

This query is designed to identify suspicious domains that have successfully sent malware via email, specifically when these emails have bypassed detection and ended up in inbox folders. Here's a simplified breakdown of what the query does:

  1. Identify Malicious Senders:

    • It starts by looking at email events where the threat type is "Malware".
    • It excludes emails from certain trusted IP addresses (e.g., "93.93.93.93" and "45.45.45.45").
    • It counts the number of malware threats associated with each sender's IP address.
    • It keeps only IP addresses with more than one malware incident, dropping those that sent malware a single time.
  2. Filter Successful Deliveries:

    • It then checks emails from the identified suspicious IP addresses.
    • It extracts the domain extension from the sender's email address.
    • It focuses on emails that were delivered to the inbox and had no threat types detected.
    • It retrieves geographical information based on the sender's IP address to determine the country.
  3. Output Relevant Information:

    • Finally, it outputs details such as the timestamp, domain extension, country of the sender's IP, sender's IP address, sender's domain, threat types (empty for these rows, since nothing was flagged), recipient's email address, email subject, and delivery location.

In essence, this query helps in identifying domains that have managed to send malware-laden emails into inboxes without being flagged, providing insights into potentially dangerous senders and their geographical origins.
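To make the two stages concrete, here is an added Python re-implementation of the query's logic over a handful of constructed EmailEvents-shaped rows; it is not part of the original query or of Microsoft Defender XDR, the geo lookup is a stand-in table for geo_info_from_ip_address, and the IPs are documentation ranges.

```python
from collections import Counter

TRUSTED_IPS = {"93.93.93.93", "45.45.45.45"}   # the query's placeholder allow-list
GEO = {"198.51.100.7": "Examplestan"}           # constructed stand-in for geo_info_from_ip_address

def ev(ip, threat, location, sender="billing@invoice-update.xyz"):
    """Build one constructed EmailEvents-shaped row (only the columns the query touches)."""
    return {"Timestamp": "2024-11-01T08:00:00Z", "SenderIPv4": ip,
            "SenderFromAddress": sender, "SenderFromDomain": sender.split("@")[1],
            "ThreatTypes": threat, "DeliveryLocation": location,
            "RecipientEmailAddress": "user@corp.example", "Subject": "Invoice"}

EMAIL_EVENTS = [
    ev("198.51.100.7", "Malware", "Quarantine"),
    ev("198.51.100.7", "Malware", "Quarantine"),
    ev("198.51.100.7", "", "Inbox/Invoices"),        # the row the hunt should surface
    ev("198.51.100.7", "Phish", "Inbox"),            # flagged, so ThreatTypes is not empty
    ev("203.0.113.9", "Malware", "Quarantine"),      # a single hit stays below `total > 1`
    ev("203.0.113.9", "", "Inbox"),
    ev("93.93.93.93", "Malware", "Quarantine"),      # trusted IP, dropped by the !in filter
    ev("93.93.93.93", "Malware", "Quarantine"),
    ev("93.93.93.93", "", "Inbox"),
    ev("192.0.2.5", "Malware", "Quarantine"),        # summarize groups by ThreatTypes too, so
    ev("192.0.2.5", "Malware, Phish", "Quarantine"), # these land in two buckets of 1 each
    ev("192.0.2.5", "", "Inbox"),
]

def threat_sender_ips(events, trusted=TRUSTED_IPS, min_total=1):
    """Stage 1, the `th_SenderIP` let-statement: sender IPs with more than `min_total`
    malware verdicts, counted per (ThreatTypes, SenderIPv4) exactly as the summarize does."""
    buckets = Counter((e["ThreatTypes"], e["SenderIPv4"]) for e in events
                      if "malware" in e["ThreatTypes"].lower()   # `contains` is case-insensitive
                      and e["SenderIPv4"] not in trusted)
    return {ip for (_, ip), total in buckets.items() if total > min_total}

def inbox_deliveries_without_verdict(events, trusted=TRUSTED_IPS, min_total=1):
    """Stage 2: mail from those IPs that reached an Inbox folder with no verdict at all."""
    suspects = threat_sender_ips(events, trusted, min_total)
    out = []
    for e in events:
        if not e["SenderIPv4"] or e["SenderIPv4"] not in suspects:
            continue
        if "inbox" not in e["DeliveryLocation"].lower() or e["ThreatTypes"]:
            continue
        out.append({**e, "countryip": GEO.get(e["SenderIPv4"], ""),
                    "DomainExtension": e["SenderFromAddress"].rsplit(".", 1)[-1]})  # split(...)[-1]
    return out
```

Because the summarize groups by ThreatTypes as well as SenderIPv4, an IP whose malware verdicts carry different ThreatTypes strings is counted in separate buckets, which the 192.0.2.5 rows above illustrate.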

Details

Sergio Albea

Released: November 10, 2024

Tables

EmailEvents

Operators

let, contains, !in, summarize, count, by, >, distinct, in, extend, split, [], isempty, geo_info_from_ip_address, parse_json, isnotempty, project