Admin submissions of emails as spam false positives may indicate attempts to manipulate the email filtering system into accepting malicious or deceptive content. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential evasion tactics and to prevent false-positive submissions from being used as a vector for persistent threats.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
// Parse RawEventData once and reuse it for every extracted column
| extend Raw = parse_json(RawEventData)
| extend
    SubmissionType = tostring(Raw.SubmissionType),
    SubmissionContentType = tostring(Raw.SubmissionContentType)
| extend
    Admin_SubmissionType = iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP", "Other"),
    DetectionMethod = tostring(Raw.DeliveryMessageInfo.FinalFilterVerdictControlSource),
    P2SenderDomain = tostring(Raw.P2SenderDomain),
    NetworkMessageId = tostring(Raw.ObjectId),
    DetectionVerdict = tostring(Raw.DeliveryMessageInfo.FinalFilterVerdict),
    PolicyOverride = tostring(Raw.DeliveryMessageInfo.PolicyOverride),
    PolicyPolicyOverrideType = tostring(Raw.DeliveryMessageInfo.PolicySource)
// SubmissionType 3 = admin false-positive submission; keep only mail whose original verdict was Spam
| where SubmissionContentType == "Mail" and SubmissionType == "3" and DetectionVerdict == "Spam"
| summarize Emails = count() by DetectionMethod
// | render piechart // Uncomment this line to render as a graph
```
```yaml
id: 8f031737-b561-47ef-960b-66d307ac01b1
name: Admin Submissions by DetectionMethod (Spam FP)
description: |
  This query visualises the original detection technology of emails submitted as spam false positives by admins
description-detailed: |
  This query visualises the original detection technology of emails submitted as spam false positives by admins
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  // Parse RawEventData once and reuse it for every extracted column
  | extend Raw = parse_json(RawEventData)
  | extend
      SubmissionType = tostring(Raw.SubmissionType),
      SubmissionContentType = tostring(Raw.SubmissionContentType)
  | extend
      Admin_SubmissionType = iff(SubmissionType == "3" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType == "Mail", "Admin_Email_FP", "Other"),
      DetectionMethod = tostring(Raw.DeliveryMessageInfo.FinalFilterVerdictControlSource),
      P2SenderDomain = tostring(Raw.P2SenderDomain),
      NetworkMessageId = tostring(Raw.ObjectId),
      DetectionVerdict = tostring(Raw.DeliveryMessageInfo.FinalFilterVerdict),
      PolicyOverride = tostring(Raw.DeliveryMessageInfo.PolicyOverride),
      PolicyPolicyOverrideType = tostring(Raw.DeliveryMessageInfo.PolicySource)
  // SubmissionType 3 = admin false-positive submission; keep only mail whose original verdict was Spam
  | where SubmissionContentType == "Mail" and SubmissionType == "3" and DetectionVerdict == "Spam"
  | summarize Emails = count() by DetectionMethod
  // | render piechart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Archiving Job
Description: A scheduled job runs nightly to archive old emails to a compliance storage system, which may trigger the rule if the system is misconfigured to flag archived emails as spam.
Filter/Exclusion: `email_subject NOT LIKE '%archive%' OR email_sender NOT IN ('archive@company.com', 'compliance@company.com')`

Scenario: Admin Testing Spam Filtering Rules
Description: An admin manually tests a new spam filtering rule by submitting a sample email to the spam quarantine, which may be flagged by the detection rule.
Filter/Exclusion: `email_sender LIKE '%admin%' OR email_subject LIKE '%test%' OR email_from IN ('admin@company.com', 'security@company.com')`

Scenario: Email Forwarding from Internal Support Team
Description: The internal support team forwards emails to users as part of a troubleshooting process, which may be misinterpreted as spam submissions.
Filter/Exclusion: `email_sender IN ('support@company.com', 'helpdesk@company.com') OR email_to NOT LIKE '%@company.com%'`

Scenario: Automated Email Reporting Tool
Description: A tool like Microsoft Exchange Online Protection (EOP) or Cisco Secure Email automatically submits reports or logs to an internal system, which may be flagged as spam submissions.
Filter/Exclusion: `email_sender LIKE '%reporting%' OR email_subject LIKE '%report%' OR email_from IN ('reporting@company.com', 'logs@company.com')`

Scenario: User-Submitted Emails for Review
Description: Users submit emails to a central review mailbox (e.g., for legal or compliance review), which may be flagged as spam submissions by the detection rule.
Filter/Exclusion: `email_sender LIKE '%submit%'`
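The following is an added example, not code from the Sentinel query page or from Microsoft: it re-implements the hunting query's parse, filter and "summarize by DetectionMethod" stages in Python over a handful of constructed CloudAppEvents-style rows, so the logic can be checked offline before it is deployed, and it adds a sender-domain allow-list as the CloudAppEvents analogue of the false-positive exclusions listed in the scenarios above (those scenarios use `email_sender`-style field names that do not exist in CloudAppEvents; the allow-list here keys on the `P2SenderDomain` field the query already extracts). The JSON field names inside `RawEventData` follow the KQL above; the row shape, the `allowed_sender_domains` parameter and every sample value (domains, message ids, detection-method labels) are constructed for this example and are not real Defender data.

```python
"""Offline re-implementation of the 'Admin Submissions by DetectionMethod (Spam FP)'
hunting query over constructed CloudAppEvents-style rows (added example, not the
page's own code)."""
import json
from collections import Counter


def _get(obj, *path):
    """Walk a nested dict; behave like KQL tostring() on a missing key (returns "")."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return ""
        obj = obj[key]
    return "" if obj is None else str(obj)


def parse_submission(row):
    """Produce the columns the KQL 'extend' stages produce. Returns None when
    RawEventData is not valid JSON: parse_json() would yield nulls and the row
    would fall out of the query's where-clauses anyway."""
    try:
        raw = json.loads(row.get("RawEventData", ""))
    except (TypeError, ValueError):
        return None
    if not isinstance(raw, dict):
        return None
    return {
        "ActionType": row.get("ActionType", ""),
        "SubmissionType": _get(raw, "SubmissionType"),
        "SubmissionContentType": _get(raw, "SubmissionContentType"),
        "DetectionMethod": _get(raw, "DeliveryMessageInfo", "FinalFilterVerdictControlSource"),
        "DetectionVerdict": _get(raw, "DeliveryMessageInfo", "FinalFilterVerdict"),
        "PolicyOverride": _get(raw, "DeliveryMessageInfo", "PolicyOverride"),
        "P2SenderDomain": _get(raw, "P2SenderDomain"),
        "NetworkMessageId": _get(raw, "ObjectId"),
    }


def is_admin_spam_fp(sub):
    """The query's filter: an admin submission, SubmissionType 3 (false positive),
    content type Mail, and the filtering stack's original verdict was Spam."""
    return (sub["ActionType"] == "AdminSubmissionSubmitted"
            and sub["SubmissionType"] == "3"
            and sub["SubmissionContentType"] == "Mail"
            and sub["DetectionVerdict"] == "Spam")


def emails_by_detection_method(rows, allowed_sender_domains=frozenset()):
    """Equivalent of '| summarize Emails = count() by DetectionMethod'.
    allowed_sender_domains is an assumed tuning knob (not part of the page's query):
    P2 sender domains the SOC has reviewed and chosen to exclude from the hunt."""
    counts = Counter()
    for row in rows:
        sub = parse_submission(row)
        if sub is None or not is_admin_spam_fp(sub):
            continue
        if sub["P2SenderDomain"].lower() in allowed_sender_domains:
            continue
        counts[sub["DetectionMethod"]] += 1
    return dict(counts)


def _row(action, **raw):
    """Constructed row: ActionType plus RawEventData stored as a JSON string."""
    return {"ActionType": action, "RawEventData": json.dumps(raw)}


# Constructed sample rows; detection-method labels and domains are placeholders.
SAMPLE_ROWS = [
    _row("AdminSubmissionSubmitted", SubmissionType="3", SubmissionContentType="Mail",
         P2SenderDomain="partner.example", ObjectId="msg-001",
         DeliveryMessageInfo={"FinalFilterVerdict": "Spam",
                              "FinalFilterVerdictControlSource": "Spam filter"}),
    _row("AdminSubmissionSubmitted", SubmissionType="3", SubmissionContentType="Mail",
         P2SenderDomain="vendor.example", ObjectId="msg-002",
         DeliveryMessageInfo={"FinalFilterVerdict": "Spam",
                              "FinalFilterVerdictControlSource": "Spam filter",
                              "PolicyOverride": "None"}),
    _row("AdminSubmissionSubmitted", SubmissionType="3", SubmissionContentType="Mail",
         P2SenderDomain="archive.company.example", ObjectId="msg-003",
         DeliveryMessageInfo={"FinalFilterVerdict": "Spam",
                              "FinalFilterVerdictControlSource": "Transport rule"}),
    # Not a false-positive submission (different SubmissionType and verdict): excluded.
    _row("AdminSubmissionSubmitted", SubmissionType="1", SubmissionContentType="Mail",
         P2SenderDomain="partner.example", ObjectId="msg-004",
         DeliveryMessageInfo={"FinalFilterVerdict": "Phish",
                              "FinalFilterVerdictControlSource": "Spam filter"}),
    # FP submission, but the original verdict was not Spam: excluded.
    _row("AdminSubmissionSubmitted", SubmissionType="3", SubmissionContentType="Mail",
         P2SenderDomain="partner.example", ObjectId="msg-005",
         DeliveryMessageInfo={"FinalFilterVerdict": "Phish",
                              "FinalFilterVerdictControlSource": "Spam filter"}),
    # End-user submission, not an admin one: excluded by ActionType.
    _row("UserSubmission", SubmissionType="3", SubmissionContentType="Mail",
         P2SenderDomain="partner.example", ObjectId="msg-006",
         DeliveryMessageInfo={"FinalFilterVerdict": "Spam",
                              "FinalFilterVerdictControlSource": "Spam filter"}),
    # Malformed RawEventData: parse fails and the row is dropped.
    {"ActionType": "AdminSubmissionSubmitted", "RawEventData": "{not json"},
]


if __name__ == "__main__":
    print(emails_by_detection_method(SAMPLE_ROWS))
    print(emails_by_detection_method(SAMPLE_ROWS, {"archive.company.example"}))
```

Rows that do not meet every condition of the query's filter are dropped silently, exactly as they are in Kusto; if you adapt the allow-list idea into the KQL itself, add it as a `| where P2SenderDomain !in (...)` stage after the existing `where` so the excluded rows never reach the summarize.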