Hunt for threats across devices and emails - Microsoft Threat Protection
Advanced hunting in Microsoft Threat Protection allows you to proactively hunt for threats across your Windows devices and Microsoft emails. Here are some hunting scenarios and sample queries that can help you explore how you might construct queries covering both devices and emails.
Obtain user accounts from email addresses
When constructing queries across tables that cover devices and emails, you will likely need to obtain user account names from sender or recipient email addresses. To do this, take the local part of the email address (the text before the @), which corresponds to the account name recorded in device tables:

AccountName = tostring(split(SenderFromAddress, "@")[0])

Note the [0] index: split returns an array, so without it tostring would yield the whole array as a string rather than the local part. This normalization technique is used in the scenarios that follow.
Check if files from a known malicious sender are on your devices
Assuming you know of an email address sending malicious files, you can run this query to determine if files from this sender exist on your devices. You can use this query, for example, to determine the number of devices affected by a malware distribution campaign.
//Get prevalence of files sent by a malicious sender in your organization
EmailAttachmentInfo
| where SenderFromAddress =~ "MaliciousSender@example.com"
| where isnotempty(SHA256)
| join (
    DeviceFileEvents
    | project FileName, SHA256
) on SHA256
Review logon attempts after receipt of malicious emails
This query finds the 10 latest logons performed by email recipients within 30 minutes after they received known malicious emails. You can use this query to check whether the accounts of the email recipients have been compromised.
//Find logons that occurred right after malicious email was received
let MaliciousEmail=EmailEvents
| where MalwareFilterVerdict == "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmail
| join (
    DeviceLogonEvents
    | project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
| where (LogonTime - TimeEmail) between (0min .. 30min)
| take 10
Review PowerShell activities after receipt of emails from known malicious sender
Malicious emails often contain documents and other specially crafted attachments that run PowerShell commands to deliver additional payloads. If you are aware of emails coming from a known malicious sender, you can use this query to list and review PowerShell activities that occurred within 30 minutes after an email was received from that sender.
//Find PowerShell activities right after email was received from malicious sender
let x=EmailEvents
| where SenderFromAddress =~ "MaliciousSender@example.com"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
x
| join (
    DeviceProcessEvents
    | where FileName =~ "powershell.exe"
    //| where InitiatingProcessParentFileName =~ "outlook.exe"
    | project TimeProc = Timestamp, AccountName, DeviceName, InitiatingProcessParentFileName, InitiatingProcessFileName, FileName, ProcessCommandLine
) on AccountName
| where (TimeProc - TimeEmail) between (0min .. 30min)
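The matching rules shared by the account-normalization step and the two time-window scenarios above (logons after a malware-verdict email, and PowerShell launches after an email from a known sender) can be checked offline before a query is run against real data. The following is an added example, not code from the Microsoft Threat Protection documentation: it re-implements those rules in plain Python over constructed sample records. No Microsoft API is called; the dictionary keys mirror the EmailEvents, DeviceLogonEvents and DeviceProcessEvents columns the page names, and all records, sender addresses and timestamps are invented for the example.

```python
"""Added example, not code from the Microsoft Threat Protection docs page.

Re-implements the matching rules of the page's advanced hunting queries
(account normalization, join on AccountName, 30-minute window after the
email) in plain Python over constructed sample records so they can be
checked offline. No Microsoft API is called; the dictionary keys mirror
the EmailEvents / DeviceLogonEvents / DeviceProcessEvents columns named
on the page, and every record below is constructed, not real telemetry.
"""
from datetime import datetime, timedelta


def account_from_address(address):
    """Mirror of tostring(split(address, "@")[0]): the local part only.
    Without the [0] index KQL would return the whole split array as a
    string, which never equals a device-side AccountName."""
    return address.split("@", 1)[0]


def events_after_email(emails, device_events, email_filter, event_filter,
                       window=timedelta(minutes=30)):
    """Generic form of both joins on the page: for each email passing
    email_filter, return device events passing event_filter for the same
    account whose timestamp lies in [email time, email time + window].
    KQL's 'between (0min .. 30min)' is inclusive at both ends, and a KQL
    join on a string key is case-sensitive, so both are mirrored here."""
    rows = []
    for email in emails:
        if not email_filter(email):
            continue
        account = account_from_address(email["RecipientEmailAddress"])
        for event in device_events:
            if not event_filter(event) or event["AccountName"] != account:
                continue
            delta = event["Timestamp"] - email["Timestamp"]
            if timedelta(0) <= delta <= window:
                rows.append({**event, "TimeEmail": email["Timestamp"],
                             "Subject": email["Subject"],
                             "SenderFromAddress": email["SenderFromAddress"]})
    return rows


def logons_after_malicious_email(emails, logons, limit=10):
    """Page scenario 2: logons within 30 minutes of a Malware-verdict
    email. The page's query ends with 'take 10' without an explicit sort;
    here the rows are sorted newest first before the cut."""
    rows = events_after_email(
        emails, logons,
        email_filter=lambda e: e["MalwareFilterVerdict"] == "Malware",
        event_filter=lambda d: True)
    rows.sort(key=lambda r: r["Timestamp"], reverse=True)
    return rows[:limit]


def powershell_after_sender(emails, processes, sender):
    """Page scenario 3: powershell.exe launches within 30 minutes of an
    email from a given sender. '=~' in KQL is case-insensitive, so the
    sender and file name comparisons are lower-cased."""
    return events_after_email(
        emails, processes,
        email_filter=lambda e: e["SenderFromAddress"].lower() == sender.lower(),
        event_filter=lambda d: d["FileName"].lower() == "powershell.exe")


# Constructed sample data (all values invented for the example)
T = datetime(2020, 5, 1, 9, 0)
EMAIL_EVENTS = [
    {"Timestamp": T, "Subject": "Invoice",
     "SenderFromAddress": "MaliciousSender@example.com",
     "RecipientEmailAddress": "alice@contoso.com", "MalwareFilterVerdict": "Malware"},
    {"Timestamp": T + timedelta(minutes=5), "Subject": "Newsletter",
     "SenderFromAddress": "news@example.org",
     "RecipientEmailAddress": "bob@contoso.com", "MalwareFilterVerdict": "NotMalware"},
    {"Timestamp": T + timedelta(minutes=30), "Subject": "Re: Invoice",
     "SenderFromAddress": "maliciousSENDER@example.com",   # differs only in case
     "RecipientEmailAddress": "carol@contoso.com", "MalwareFilterVerdict": "Malware"},
]
DEVICE_LOGON_EVENTS = [
    {"Timestamp": T + timedelta(minutes=12), "AccountName": "alice", "DeviceName": "ws01"},  # in window
    {"Timestamp": T - timedelta(minutes=10), "AccountName": "alice", "DeviceName": "ws01"},  # before the email
    {"Timestamp": T + timedelta(minutes=45), "AccountName": "alice", "DeviceName": "ws02"},  # past 30 min
    {"Timestamp": T + timedelta(minutes=10), "AccountName": "bob", "DeviceName": "ws03"},    # email not Malware
    {"Timestamp": T + timedelta(minutes=40), "AccountName": "Carol", "DeviceName": "ws04"},  # case mismatch: dropped by the join
    {"Timestamp": T + timedelta(minutes=60), "AccountName": "carol", "DeviceName": "ws04"},  # exactly 30 min: inclusive bound
]
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": T + timedelta(minutes=20), "AccountName": "alice", "DeviceName": "ws01",
     "FileName": "PowerShell.exe", "ProcessCommandLine": "powershell.exe -File weekly.ps1"},
    {"Timestamp": T + timedelta(minutes=25), "AccountName": "alice", "DeviceName": "ws01",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir"},
    {"Timestamp": T + timedelta(minutes=50), "AccountName": "carol", "DeviceName": "ws04",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File weekly.ps1"},
    {"Timestamp": T + timedelta(minutes=20), "AccountName": "bob", "DeviceName": "ws03",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File weekly.ps1"},
]

if __name__ == "__main__":
    for row in logons_after_malicious_email(EMAIL_EVENTS, DEVICE_LOGON_EVENTS):
        print("logon", row["AccountName"], row["DeviceName"], row["Timestamp"].time())
    for row in powershell_after_sender(EMAIL_EVENTS, DEVICE_PROCESS_EVENTS,
                                       "MaliciousSender@example.com"):
        print("powershell", row["AccountName"], row["ProcessCommandLine"])
```

The sample rows are chosen to exercise the boundaries that matter when the real queries are tuned: a logon before the email and one past 30 minutes are excluded, a logon exactly 30 minutes after is kept because KQL's between is inclusive, and the "Carol" row shows that a case difference between the mailbox local part and the device AccountName silently drops a match, which is worth checking in your own tenant before relying on the join.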