Admin Submissions by Submission Type (FN)

Hunt Hypothesis

Admins submitting emails with suspicious submission types may indicate an attempt to bypass standard filtering mechanisms, as adversaries often exploit administrative interfaces to exfiltrate data or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or compromised accounts that could be used for lateral movement or data exfiltration.

KQL Query

CloudAppEvents
| where ActionType contains "Submission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
| extend Admin_SubmissionType=
iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Malware_FN",
iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Phish_FN",
iff(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Spam_FN",
iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL","Admin_Malware_URL_FN",
iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment","Admin_Malware_Attach_FN",
iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL","Admin_Phish_URL_FN",
iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment","Admin_Phish_Attach_FN",
"Other")))))))
| where Admin_SubmissionType!="Other"
| summarize count() by Admin_SubmissionType
| render piechart

Analytic Rule Definition

id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49
name: Admin Submissions by Submission Type (FN)
description: |
  This query helps reviewing admin reported email submissions
description-detailed: |
  This query helps reviewing admin reported email submissions in Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType contains "Submission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
  | extend Admin_SubmissionType=
  iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Malware_FN",
  iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Phish_FN",
  iff(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Spam_FN",
  iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL","Admin_Malware_URL_FN",
  iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment","Admin_Malware_Attach_FN",
  iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="URL","Admin_Phish_URL_FN",
  iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Attachment","Admin_Phish_Attach_FN",
  "Other")))))))
  | where Admin_SubmissionType!="Other"
  | summarize count() by Admin_SubmissionType
  | render piechart
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`CloudAppEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Admin Submissions by Submission Type - FN.yaml)

False Positive Guidance

Scenario: Scheduled email archiving job submits emails to the admin system
Filter/Exclusion: email_submission_type = "archiving" OR job_name LIKE "%archive%"
Scenario: System administrator uses the email submission tool to test email routing configurations
Filter/Exclusion: submitter_user = "admin_user" OR submission_reason = "test"
Scenario: Email analytics tool periodically submits aggregated email data for reporting
Filter/Exclusion: submission_type = "analytics" OR tool_name = "EmailAnalyticsTool_v2.1"
Scenario: User manually submits a support ticket via the admin portal, which triggers an email submission
Filter/Exclusion: submission_type = "support_ticket" OR submitter_role = "user"
Scenario: Email backup process submits emails to a central admin system for storage
Filter/Exclusion: submission_type = "backup" OR job_name LIKE "%backup%"