Adversaries may target specific users with spam to gather intelligence or initiate phishing campaigns, leveraging T1566 techniques to compromise organizational accounts. Proactively hunting for this behavior in Azure Sentinel enables early detection of potential spear-phishing attempts and mitigates the risk of credential compromise.
KQL Query
//This query visualises total inbound emails with Spam detections summarizing the data by the top 10 recipient email address (RecipientEmailAddress).
EmailEvents
| where ThreatTypes has "Spam" and EmailDirection =="Inbound"
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize count() by RecipientEmailAddress
| sort by count_ desc
| take 10
| render piechart // Uncomment this line to render as a graph
id: 22ae82b3-a362-4fc6-801d-d7fed7442d46
name: Email Top 10 Targeted Users (Spam)
description: |
This query visualises top 10 users targeted with Spam.
description-detailed: |
This query visualises total inbound emails with Spam detections summarizing the data by the top 10 recipient email address (RecipientEmailAddress).
Taken from the the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query visualises total inbound emails with Spam detections summarizing the data by the top 10 recipient email address (RecipientEmailAddress).
EmailEvents
| where ThreatTypes has "Spam" and EmailDirection =="Inbound"
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize count() by RecipientEmailAddress
| sort by count_ desc
| take 10
| render piechart // Uncomment this line to render as a graph
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Backup Job
Description: A legitimate scheduled job runs nightly to back up user email data, sending emails to multiple users for archival.
Filter/Exclusion: Exclude emails sent from a known backup service account (e.g., backup@domain.com) or filter by sender_email containing “backup” or “archive”.
Scenario: User-Initiated Email Forwarding
Description: Users forward emails to multiple colleagues as part of a team collaboration process, which may appear as targeted spam.
Filter/Exclusion: Exclude emails where the from_email is a user account and the to_emails list includes multiple internal users (e.g., using from_email in user@domain.com and to_emails with count() > 5).
Scenario: System-Wide Email Notification
Description: A system-wide email notification is sent to all users about an upcoming maintenance window or policy change.
Filter/Exclusion: Exclude emails sent from a known system admin account (e.g., admin@domain.com) or filter by subject containing keywords like “maintenance”, “update”, or “policy”.
Scenario: Marketing Campaign Distribution
Description: A marketing team sends a bulk email campaign to a list of internal users for product announcements or training.
Filter/Exclusion: Exclude emails sent from a marketing service account (e.g., marketing@domain.com) or filter by sender_email matching known marketing domains.
Scenario: Admin Task Email Notification
Description: An admin task, such as a user provisioning or deprovisioning, sends an email to multiple users or groups.
Filter/Exclusion: Exclude emails sent from an admin service account (e.g., admin@domain.com) or filter by subject containing “user