Adversaries may use bulk email campaigns with high complaint levels to distribute malicious content or phishing payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential spear-phishing or malware distribution attempts early.
KQL Query
```kql
// This query visualises total inbound emails which have any Bulk Complaint Level (BCL).
// It summarizes the data by BCL value to show how many messages were detected at each level.
EmailEvents
| where EmailDirection == "Inbound" and BulkComplaintLevel != ""
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize count() by BulkComplaintLevel
| sort by BulkComplaintLevel desc
| project BulkComplaintLevel, Emails = count_
```
```yaml
id: 46837704-62cb-4e37-ae25-eecced47c0f4
name: Bulk Emails by Sender Bulk Complaint level
description: |
  This query visualises total inbound emails which have any Bulk complaint level.
description-detailed: |
  This query visualises total inbound emails which have any Bulk complaint level. It summarizes the data by the various Bulk Complaint levels to understand how many messages are detected with each Bulk Complaint level in Microsoft Defender for Office 365.
  Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query visualises total inbound emails which have any Bulk Complaint Level (BCL).
  // It summarizes the data by BCL value to show how many messages were detected at each level.
  EmailEvents
  | where EmailDirection == "Inbound" and BulkComplaintLevel != ""
  | where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
  | summarize count() by BulkComplaintLevel
  | sort by BulkComplaintLevel desc
  | project BulkComplaintLevel, Emails = count_
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Email Reports via Email Server | A legitimate scheduled job runs daily to send email reports to administrators using the email server. These emails are flagged due to the bulk complaint level. | Exclude emails sent from the email server's internal reporting account (e.g., reports@company.com) or filter by source IP of the internal email server. |
| Automated User Password Reset Emails | A password reset tool sends bulk emails to users who have requested password resets. These emails are flagged as bulk complaints. | Exclude emails sent from the password reset service account (e.g., password-reset@company.com) or filter by subject line containing "Password Reset" or "Reset Your Password". |
| System-Wide Notification Emails via SIEM Tool | A SIEM tool (e.g., Splunk, ELK) sends bulk notification emails to multiple users when an alert is triggered. These emails are flagged as bulk complaints. | Exclude emails sent from the SIEM tool's notification account (e.g., siem-notifications@company.com) or filter by email headers indicating internal system-generated messages. |
| Email Marketing Campaigns via Marketing Tool | A marketing tool (e.g., Mailchimp, SendGrid) sends bulk marketing emails to customers. These emails are flagged due to the bulk complaint level. | Exclude emails sent from the marketing tool's configured sender domain (e.g., marketing@company.com) or filter by email headers indicating marketing campaigns. |
| Internal User Collaboration via Email Group | A team uses an internal email group (e.g., project-team@company.com) to send bulk emails for project updates. These emails are flagged as bulk complaints. | |
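The following is an added example (not part of the workbook or the original hunting query) that applies the exclusions from the false-positive scenarios above to the same hunt and breaks the remaining volume down by sender, so an analyst can see which external senders drive each BCL value. The sender addresses, relay IP and subject patterns are placeholders for your own environment.

```kql
// Added example: the BCL hunt with the documented false-positive exclusions applied.
// All sender accounts, the relay IP and the subject patterns below are placeholders
// (the example addresses from the scenarios table), not values from the original query.
let lookback = 30d;
let knownBulkSenders = dynamic([
    "reports@company.com",            // scheduled report job
    "password-reset@company.com",     // password reset service account
    "siem-notifications@company.com", // SIEM alert notifications
    "marketing@company.com",          // marketing platform sender
    "project-team@company.com"        // internal collaboration group
]);
let internalMailServerIps = dynamic(["203.0.113.10"]); // placeholder: internal relay/report server
let resetSubjects = dynamic(["Password Reset", "Reset Your Password"]);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound" and isnotempty(BulkComplaintLevel)
// Exclusions taken from the false-positive scenarios
| where SenderFromAddress !in~ (knownBulkSenders)
| where SenderIPv4 !in (internalMailServerIps)
| where not(Subject has_any (resetSubjects))
// Keep the per-BCL view of the original query, but expose who sends at each level
// and how many of those messages Defender also tagged with a threat type
| summarize Emails = count(),
            Recipients = dcount(RecipientEmailAddress),
            WithThreatVerdict = countif(isnotempty(ThreatTypes)),
            SampleSubject = take_any(Subject)
          by BulkComplaintLevel, SenderFromAddress, SenderFromDomain
| sort by BulkComplaintLevel desc, Emails desc
```

Rows with a high BCL, many distinct recipients and a non-zero WithThreatVerdict count are the ones worth pivoting on first; senders that appear repeatedly with no threat verdict are candidates for the exclusion list rather than for escalation.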