Adversaries may use suspicious keywords in email subjects to lure users into opening malicious attachments or links, relying on social engineering to gain an initial foothold. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns early, before they lead to lateral movement or data exfiltration.
KQL Query

```kql
// Subject keywords commonly used as phishing lures.
let PhishingKeywords = () {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation", "login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
// No Entra ID object for the sender: the mail came from outside the tenant.
| where isempty(SenderObjectId)
// has_any matches whole terms in the subject, so "accounting" does not match "account".
| where Subject has_any (PhishingKeywords())
```
```yaml
id: 9b086a51-e396-4718-90d7-f7b3646e6581
name: Campaign with suspicious keywords
description: |
  In this detection, we track emails with suspicious keywords in subjects.
description-detailed: |
  In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let PhishingKeywords = () {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation", "login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
  EmailEvents
  | where Timestamp > ago(1d)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | where isempty(SenderObjectId)
  | where Subject has_any (PhishingKeywords())
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Scheduled system maintenance email from the IT department.
  Filter/Exclusion: Exclude emails sent by the IT department's email address (from: it-support@company.com), or filter on subjects containing "System Maintenance" or "Scheduled Maintenance".
- Scenario: Automated report generation by a business intelligence tool.
  Filter/Exclusion: Exclude emails sent by the BI tool's service account (e.g., bi-service@company.com), or filter on subjects containing "Report Generated" or "Daily Report".
- Scenario: Internal team communication with a keyword in the subject (e.g., "Urgent: Project Update").
  Filter/Exclusion: Exclude emails from internal teams using a specific domain or group (e.g., from: project-team@company.com), or filter on subjects containing "Urgent" or "Project Update".
- Scenario: Email notifications from a CI/CD pipeline (e.g., Jenkins or GitLab).
  Filter/Exclusion: Exclude emails sent by CI/CD tools using their service email (e.g., jenkins@company.com), or filter on subjects containing "Build Status" or "Pipeline Notification".
- Scenario: Admin task notification from a monitoring tool (e.g., Nagios or Datadog).
  Filter/Exclusion: Exclude emails sent by monitoring tools using their service email (e.g., nagios@company.com), or filter on subjects containing "Alert" or "Notification".
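As an added example (not part of the original rule or the Azure Sentinel repository), the hunting query above with the tuning from these scenarios folded in and the results grouped so that campaigns stand out from single messages. The sender addresses and subject phrases are the placeholders used in the scenarios; the threshold of five messages or five recipients is an assumed starting value to adjust per tenant.

```kql
// Added example: the page's hunting query plus the false-positive tuning from the
// scenarios above. Sender addresses and subject phrases are scenario placeholders;
// the campaign threshold is an assumption.
let PhishingKeywords = () {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation", "login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
// Service and team mailboxes whose routine notifications legitimately carry these words.
let TrustedSenders = dynamic(["it-support@company.com", "bi-service@company.com", "project-team@company.com", "jenkins@company.com", "nagios@company.com"]);
// Subject phrases that identify routine automated mail. "Alert" and "Urgent" are
// deliberately not listed: they are detection keywords, so excluding them by subject
// would blind the query. Mail from those tools is handled by TrustedSenders instead.
let BenignSubjectPhrases = dynamic(["System Maintenance", "Scheduled Maintenance", "Report Generated", "Daily Report", "Project Update", "Build Status", "Pipeline Notification"]);
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)                    // external sender: no Entra ID object
| where Subject has_any (PhishingKeywords())
| where SenderFromAddress !in~ (TrustedSenders)    // case-insensitive sender allow-list
| where not(Subject has_any (BenignSubjectPhrases))
// Group by sender and subject so a campaign surfaces as one row with its reach.
| summarize EmailCount = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleNetworkMessageId = take_any(NetworkMessageId)
    by SenderFromAddress, SenderFromDomain, Subject
| where EmailCount >= 5 or Recipients >= 5         // assumed campaign threshold
| order by EmailCount desc
```

Exclusions keyed on the sender address rather than the subject are preferable wherever a scenario offers both, because a subject-only exclusion for a word that is also in PhishingKeywords removes that keyword from detection for every sender. The SampleNetworkMessageId column gives the analyst one message to pivot into EmailAttachmentInfo and EmailUrlInfo when triaging a row.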