Good emails from senders with bad patterns

Hunt Hypothesis

Adversaries may use legitimate email accounts with compromised credentials to send seemingly benign emails that mimic trusted internal communication, leveraging T1566 to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise and insider threat activity early.

KQL Query

//Good emails from senders with bad patterns
let PctPhishThreshold = 50;
let LookbackWindow = 1d;
 EmailEvents
| where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
| where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
| summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
| summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
| project-away SenderMailFromAddress1,AuthenticationDetails1
| extend PctPhish = (PhishCount*100 / TotalCount)
| where PctPhish < 100 and PctPhish>= PctPhishThreshold
| join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails

Analytic Rule Definition

id: e6259b03-622e-4e11-9c54-94987dad7c14
name: Good emails from senders with bad patterns
description: |
  This query helps hunting for good emails from senders with bad patterns
description-detailed: |
  This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
    //Good emails from senders with bad patterns
    let PctPhishThreshold = 50;
    let LookbackWindow = 1d;
     EmailEvents
    | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
    | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
    | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
    | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
    | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
    | project-away SenderMailFromAddress1,AuthenticationDetails1
    | extend PctPhish = (PhishCount*100 / TotalCount)
    | where PctPhish < 100 and PctPhish>= PctPhishThreshold
    | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Hunting/Good emails from senders with bad patterns.yaml)

False Positive Guidance

Scenario: Scheduled Job Notifications from System Admin Tools
Description: Automated system maintenance jobs (e.g., cron, Task Scheduler, or tools like Ansible, SaltStack, or Jenkins) may send emails with suspicious sender patterns (e.g., root@localhost, admin@domain.com) but are legitimate.
Filter/Exclusion: Exclude emails sent by known system tools or scheduled jobs using the sender’s hostname or process ID. Example: sender_host = "localhost" OR sender_process = "cron".
Scenario: Internal Collaboration via Email with Poorly Formatted Addresses
Description: Internal teams may use poorly formatted email addresses (e.g., john.doe@company.com vs. john.doe@company.com) due to misconfigured email clients or legacy systems.
Filter/Exclusion: Exclude emails from internal domains or users with known internal email patterns using a regex or domain-based filter. Example: sender_domain IN ("company.com", "internal.company.com").
Scenario: Email Alerts from SIEM Tools (e.g., Splunk, ELK, QRadar)
Description: Security Information and Event Management (SIEM) tools often send alerts with sender addresses that appear suspicious (e.g., siem@company.com, splunk@company.com) but are legitimate.
Filter/Exclusion: Exclude emails from known SIEM tools using sender address matching or by checking the X-Source or X-Alert-From headers. Example: sender_address = "siem@company.com".
Scenario: Email Notifications from Cloud Services (e.g., AWS, Azure, GCP)
Description: Cloud platforms may send notifications with sender addresses that look like they’re from external domains (e.g., notifications@aws.com, `alerts@g