Email Generic Phishing

Hunt Hypothesis

Adversaries may use generic phishing emails to initiate initial contact and gather credentials, leveraging low-severity indicators to blend in with normal email traffic. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage phishing attempts before they lead to credential compromise or data exfiltration.

YARA Rule

rule Email_Generic_Phishing : email
{
  meta:
		Author = "Tyler <@InfoSecTyler>"
		Description ="Generic rule to identify phishing emails"

  strings:
    $eml_1="From:"
    $eml_2="To:"
    $eml_3="Subject:"

    $greeting_1="Hello sir/madam" nocase
    $greeting_2="Attention" nocase
    $greeting_3="Dear user" nocase
    $greeting_4="Account holder" nocase

    $url_1="Click" nocase
    $url_2="Confirm" nocase
    $url_3="Verify" nocase
    $url_4="Here" nocase
    $url_5="Now" nocase
    $url_6="Change password" nocase 

    $lie_1="Unauthorized" nocase
    $lie_2="Expired" nocase
    $lie_3="Deleted" nocase
    $lie_4="Suspended" nocase
    $lie_5="Revoked" nocase
    $lie_6="Unable" nocase

  condition:
    all of ($eml*) and
    any of ($greeting*) and
    any of ($url*) and
    any of ($lie*)
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 19 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Systematic Email Archiving Job
  Description: A scheduled job runs to archive old emails using a tool like Microsoft Exchange Archiving or Mailscape.
  Filter/Exclusion: Exclude emails sent to or from the Archive mailbox or filter by message header field X-MS-Exchange-Organization-Archive.

• Scenario: Internal Email Notification for System Updates
  Description: An admin sends an internal email using Microsoft Outlook or Google Workspace to notify users about a system update.
  Filter/Exclusion: Exclude emails sent from admin@domain.com or notifications@domain.com and filter by subject line containing “System Update”.

• Scenario: Automated Email Reporting from SIEM Tool
  Description: A SIEM tool like Splunk or IBM QRadar sends an automated email report to the security team.
  Filter/Exclusion: Exclude emails sent from the SIEM service account or filter by sender IP address associated with the SIEM server.

• Scenario: User-Initiated Email Forwarding for Collaboration
  Description: A user forwards an email to a team using Microsoft Teams or Slack, which triggers an email notification.
  Filter/Exclusion: Exclude emails with “Forwarded” in the subject line or filter by message header X-Forwarded-For.

• Scenario: Email Alerts from Security Tools (e.g., Wazuh)
  Description: A security tool like Wazuh sends an email alert to the SOC team about a potential threat.
  Filter/Exclusion: Exclude emails sent from the Wazuh alert service account or filter by subject line containing “Wazuh Alert”.