Admins submitting emails as false positives may indicate an adversary attempting to bypass email filtering mechanisms by mimicking legitimate administrative activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and prevent unauthorized access.
KQL Query
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
| extend Admin_SubmissionType=
iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ,"Admin_Email_FP",
"Other"),
P2SenderDomain=tostring((parse_json(RawEventData)).P2SenderDomain),NetworkMessageId=tostring((parse_json(RawEventData).ObjectId)),DetectionVerdict=tostring((parse_json(RawEventData)).DeliveryMessageInfo.FinalFilterVerdict),PolicyOverride=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicyOverride),PolicyPolicyOverrideType=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicySource)
| where SubmissionContentType == "Mail" and SubmissionType == "3"
| summarize count() by PolicyOverride,DetectionVerdict,Admin_SubmissionType
| project PolicyOverride, DetectionVerdict,Admin_SubmissionType, Emails = count_
| top 10 by Emails desc
// | render piechart // Uncomment this line to render as a graph
id: 4d525db4-ce23-49f7-844e-d06db21cdfa9
name: Admin Submissions by Detection Type
description: |
This query visualises all emails submitted as false positive by admins summarizing by the original filter verdict threat type
description-detailed: |
This query visualises all emails submitted as false positive by admins summarizing by the original filter verdict threat type
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
| extend Admin_SubmissionType=
iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail" ,"Admin_Email_FP",
"Other"),
P2SenderDomain=tostring((parse_json(RawEventData)).P2SenderDomain),NetworkMessageId=tostring((parse_json(RawEventData).ObjectId)),DetectionVerdict=tostring((parse_json(RawEventData)).DeliveryMessageInfo.FinalFilterVerdict),PolicyOverride=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicyOverride),PolicyPolicyOverrideType=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicySource)
| where SubmissionContentType == "Mail" and SubmissionType == "3"
| summarize count() by PolicyOverride,DetectionVerdict,Admin_SubmissionType
| project PolicyOverride, DetectionVerdict,Admin_SubmissionType, Emails = count_
| top 10 by Emails desc
// | render piechart // Uncomment this line to render as a graph
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job Submission
Description: A scheduled backup job (e.g., via Veeam, Commvault, or native OS tools) submits emails as part of its operation, which may be flagged due to the email submission action.
Filter/Exclusion: email_subject contains "backup" OR email_sender contains "backup@domain.com"
Scenario: Admin-Initiated Email Archiving Task
Description: An admin uses an email archiving tool (e.g., Microsoft Exchange Archiving, Mimecast) to archive emails, which may trigger the rule due to the submission of archived emails.
Filter/Exclusion: email_subject contains "archive" OR email_sender contains "archive@domain.com"
Scenario: User-Submitted Email for Review by Admin
Description: An admin manually reviews an email submission (e.g., via Microsoft Defender for Office 365 or CrowdStrike Falcon) and submits it for further analysis, which may be flagged as a false positive.
Filter/Exclusion: email_sender contains "admin@domain.com" OR email_subject contains "review"
Scenario: Automated Email Notification from Monitoring Tools
Description: An admin tool (e.g., Nagios, Splunk, or Datadog) sends automated email notifications, which may be flagged due to the email submission action.
Filter/Exclusion: email_subject contains "alert" OR email_sender contains "nagios@domain.com"
Scenario: Email Submission for Threat Intelligence Sharing
Description: An admin submits an email to a threat intelligence platform (e.g., Mandiant, Recorded Future, or CrowdStrike) for analysis, which may be flagged as a false positive.
Filter/Exclusion: email_sender contains "ti@domain.com" OR email_subject contains "threat intel"