Email Top 10 Domains sending Spam

Hunt Hypothesis

Adversaries may use compromised email accounts to send spam from top domains, leveraging trusted domains to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or phishing campaigns.

KQL Query

//This query visualises total inbound emails with Spam detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain).
EmailEvents 
| where ThreatTypes has "Spam" and EmailDirection =="Inbound"
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize count() by SenderFromDomain
| sort by count_ desc 
| take 10
// | render piechart // Uncomment this line to render as a graph

Analytic Rule Definition

id: d5f1f876-9172-4e92-bfae-7ab0f94c9417
name: Email Top 10 Domains sending Spam
description: |
  This query visualises total inbound emails with Spam detections.
description-detailed: |
  This query visualises total inbound emails with Spam detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) in Microsoft Defender for Office 365.
  Taken from the the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query visualises total inbound emails with Spam detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain).
  EmailEvents 
  | where ThreatTypes has "Spam" and EmailDirection =="Inbound"
  | where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
  | summarize count() by SenderFromDomain
  | sort by count_ desc 
  | take 10
  // | render piechart // Uncomment this line to render as a graph
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Spam/Spam Detection Top10 Domains.yaml)

False Positive Guidance

Scenario: Internal email relaying by a legitimate email relay tool like Postfix or Exchange Transport Server
Filter/Exclusion: Exclude emails originating from internal IP ranges or internal DNS domains (e.g., source.domain = "internal.corp")
Scenario: Automated email reporting from a SIEM tool like Splunk or ELK Stack
Filter/Exclusion: Exclude emails with specific subject lines or headers indicating automated reports (e.g., header "Subject" contains "Automated Report")
Scenario: Scheduled job notifications from Jenkins, Airflow, or Ansible
Filter/Exclusion: Exclude emails with specific sender addresses used by CI/CD tools (e.g., source.email = "jenkins@devops.corp")
Scenario: Email alerts from SIEM or SOC team members using Microsoft Teams or Slack
Filter/Exclusion: Exclude emails from known alerting email addresses (e.g., source.email = "alerts@security.corp")
Scenario: Email testing or simulation by Mailgun, SendGrid, or Amazon SES
Filter/Exclusion: Exclude emails with specific headers or metadata indicating test emails (e.g., header "X-Mailgun-Message-ID" exists)