EOL Hunting: Malware Detection and Analysis

Malware Detection and Analysis

Malware delivered through email is another major threat in Exchange Online. Attackers use phishing emails, infected attachments, or malicious links to spread malware such as ransomware or Trojans.

Malware Indicators to Look For:

  • Suspicious Attachments: Emails containing unusual file types (e.g., .exe, .js, or macro-enabled files like .docm).

  • Unusual Email Activity: Sudden surges in email activity from a user’s mailbox, such as mass emailing of infected attachments.

Using Message Trace to Identify Specific Emails:

  • Message Trace can be used to identify emails containing suspicious attachments or links.

  • Safe Attachments will automatically analyze and sandbox suspicious attachments, helping you detect malware in its early stages.

  • Safe Links will log clicks on malicious URLs, which may be leading users to download malware.

Analyzing Malware Detected by Defender for Office 365:

  • Use the Threat Explorer tool to investigate malware detections, focusing on patterns such as multiple users receiving the same attachment or clicking on the same malicious link.

Threat Hunting Insight:

  • Containment of Malware Spread: Use Message Trace and audit logs to contain the spread of malware by tracking the distribution of infected attachments and isolating affected mailboxes.
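The three detection patterns described above (unusual attachment types, a sudden sending surge from one mailbox, and the same attachment reaching many users) can be turned into repeatable checks over exported trace data. The following Python is an added example for this page, not code from Microsoft or from Exchange Online itself. It assumes an exported set of message records that has already been enriched with attachment file names (the stock Message Trace output does not carry attachment names, so that `attachments` field is an assumption), and the sample rows are constructed for the demonstration. The extension list extends the page's `.exe`, `.js` and `.docm` with `.xlsm` as a further macro-enabled type.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# File types the page calls out as unusual in mail; .docm and .xlsm are macro-enabled
# Office formats (.xlsm is added here as an assumption, it is not on the page).
SUSPICIOUS_EXTENSIONS = {".exe", ".js", ".docm", ".xlsm"}

BASE = datetime(2024, 5, 6, 9, 0, 0)  # constructed reference time


def _row(minute, sender, recipient, subject, attachments):
    """Build one constructed trace record (hypothetical enriched export format)."""
    return {
        "timestamp": BASE + timedelta(minutes=minute),
        "sender": sender,
        "recipient": recipient,
        "subject": subject,
        "attachments": attachments,
    }


# Constructed sample: one benign message, one inbound macro-free script from an
# external domain, one internal mailbox mass-mailing a macro-enabled document.
SAMPLE_TRACE = [
    _row(0, "bob@contoso.example", "carol@contoso.example", "Q2 report", ["report.pdf"]),
    _row(3, "billing@external.example", "dave@contoso.example", "Invoice overdue", ["invoice.js"]),
] + [
    _row(10 + i, "alice@contoso.example", f"user{i}@contoso.example", "Please review", ["Statement.DOCM"])
    for i in range(6)
] + [
    _row(45, "alice@contoso.example", "erin@contoso.example", "Lunch?", []),
]


def flag_suspicious_attachments(rows):
    """Return (sender, recipient, filename) for every attachment with a risky extension.

    Extension matching is case-insensitive so Statement.DOCM is caught as well as .docm.
    """
    hits = []
    for r in rows:
        for name in r["attachments"]:
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                hits.append((r["sender"], r["recipient"], name))
    return hits


def find_sending_surges(rows, window=timedelta(minutes=10), threshold=5):
    """Return {sender: peak_count} for senders whose message count within any
    sliding window of `window` length reaches `threshold` (mass-mailing indicator)."""
    by_sender = defaultdict(list)
    for r in rows:
        by_sender[r["sender"]].append(r["timestamp"])
    surges = {}
    for sender, times in by_sender.items():
        times.sort()
        peak, j = 0, 0
        for i, start in enumerate(times):
            # Advance j to the first timestamp that falls outside the window opened at times[i].
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            surges[sender] = peak
    return surges


def find_shared_attachments(rows, min_recipients=3):
    """Return {normalised filename: sorted recipients} for attachments delivered to
    at least `min_recipients` distinct mailboxes (the 'many users, same file' pattern)."""
    recipients = defaultdict(set)
    for r in rows:
        for name in r["attachments"]:
            recipients[name.lower()].add(r["recipient"])
    return {
        name: sorted(users)
        for name, users in recipients.items()
        if len(users) >= min_recipients
    }


if __name__ == "__main__":
    for sender, recipient, name in flag_suspicious_attachments(SAMPLE_TRACE):
        print(f"suspicious attachment {name!r}: {sender} -> {recipient}")
    for sender, peak in find_sending_surges(SAMPLE_TRACE).items():
        print(f"sending surge: {sender} sent {peak} messages inside one window")
    for name, users in find_shared_attachments(SAMPLE_TRACE).items():
        print(f"{name!r} reached {len(users)} mailboxes; candidates for isolation: {users}")
```

The surge detector uses a sliding window rather than a fixed per-hour bucket so a burst that straddles a bucket boundary is still counted as one surge; the shared-attachment check lists the affected recipients, which is the starting point for the mailbox isolation step described under containment.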
