Emails containing links to IP addresses may indicate an adversary attempting to exfiltrate data or establish command and control channels, as such links could be used to redirect users to malicious sites. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or malware distribution campaigns early.
KQL Query

```kql
EmailUrlInfo
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
```
```yaml
id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
name: Emails containing links to IP addresses
description: |
  This query helps hunting for Emails containing links to IP addresses
description-detailed: |
  This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailUrlInfo
  | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailUrlInfo | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled system health check emails sent by Microsoft Intune or Microsoft Endpoint Manager that include links to internal IP addresses for diagnostics. | Exclude emails originating from the Intune service account or Microsoft 365 admin center. |
| Ansible or Puppet job completion emails that contain links to internal IP addresses for asset inventory or configuration verification. | Exclude emails sent by Ansible ad-hoc commands or Puppet agent reports running under system service accounts. |
| Splunk or ELK Stack alerts sent via email that include links to internal IP addresses for log analysis or correlation. | Exclude emails from Splunk alerts or Kibana alerting configured with internal IP whitelists. |
| Jenkins or GitLab CI/CD pipeline status emails that include links to internal IP addresses for build servers or artifact storage. | Exclude emails from Jenkins service accounts or GitLab runners configured with internal IP whitelists. |
| Azure DevOps or GitHub Actions notification emails that include links to internal IP addresses for CI/CD infrastructure. | Exclude emails from Azure DevOps service connections or GitHub Actions runners with internal IP whitelists. |
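The following tuned version of the hunt is an added example, not the hunting query shipped with the page or by Microsoft. It keeps the page's `file://` dotted-quad match (note that the page's regex only fires on `file://` links, not `http://` or `https://` links to an IP), extracts the linked address so it can be classified with `ipv4_is_private()`, joins `EmailEvents` on `NetworkMessageId` to recover the sender, and then applies the exclusions from the scenario table above: mail from known internal tooling senders is dropped only when the linked IP is in a private range, so a tooling account that suddenly links to a public IP still surfaces. The sender addresses in `excludedSenders` are constructed placeholders; replace them with the Intune, Ansible/Puppet, Splunk/Kibana, Jenkins/GitLab and Azure DevOps/GitHub Actions accounts in your own tenant.

```kql
// Added tuning example (not the page's original query).
// The exclusion list below is constructed; substitute your tenant's service accounts.
let excludedSenders = dynamic([
    "intune-noreply@example.com",    // placeholder: Intune / Endpoint Manager health checks
    "ansible-jobs@example.com",      // placeholder: Ansible ad-hoc / Puppet agent reports
    "splunk-alerts@example.com",     // placeholder: Splunk / Kibana alerting
    "jenkins-ci@example.com",        // placeholder: Jenkins / GitLab runners
    "azuredevops-noreply@example.com" // placeholder: Azure DevOps / GitHub Actions notifications
]);
EmailUrlInfo
// same match as the page's hunt: a file:// link whose host is a dotted quad
| where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
// pull the address out of the URL so it can be classified
| extend LinkedIp = extract(@"file://((?:[0-9]{1,3}\.){3}[0-9]{1,3})", 1, Url)
// ipv4_is_private() returns null for a malformed quad (e.g. 999.1.1.1); treat that as not private
| extend IsPrivateIp = ipv4_is_private(LinkedIp) == true
// recover sender / recipient / subject for the same message
| join kind=inner (
    EmailEvents
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
  ) on NetworkMessageId
// suppress known internal tooling only when the link points at a private range
| where not (SenderFromAddress in~ (excludedSenders) and IsPrivateIp)
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, Url, LinkedIp, IsPrivateIp, DeliveryAction
| order by Timestamp desc
```

Keeping `IsPrivateIp` in the output lets an analyst triage public-IP links first; a `file://` link to a public address from any sender, or a private-range link from an address outside the exclusion list, is the combination this hunt is meant to surface.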