Adversaries may be using high confidence phishing emails to deliver malicious payloads or exfiltrate data after bypassing initial email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise early in the attack lifecycle.
KQL Query
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
| join kind=inner (
EmailEvents
| where todynamic(ConfidenceLevel).Phish == "High"
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
name: High Confidence Phish Released
description: |
This query shows information about high confidence phish email that has been released from the Quarantine.
description-detailed: |
This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- CloudAppEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
CloudAppEvents
| where ActionType == "QuarantineReleaseMessage"
| project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
| join kind=inner (
EmailEvents
| where todynamic(ConfidenceLevel).Phish == "High"
| project-rename EmailTime = Timestamp
) on NetworkMessageId
| project-away NetworkMessageId1
| order by ReleaseTime asc
version: 1.0.0 | Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Quarantine Release by Security Team
Description: A security administrator schedules a batch release of emails from quarantine as part of a routine review or investigation.
Filter/Exclusion: email_subject:*Scheduled Quarantine Release* OR email_sender:*security-team@company.com*
Scenario: Legitimate Email Recovery via Admin Task
Description: An admin uses the email security tool (e.g., Microsoft Defender for Office 365) to recover a legitimate email that was mistakenly quarantined.
Filter/Exclusion: tool:*Microsoft Defender for Office 365* AND action:*recover email*
Scenario: Automated Quarantine Release for Compliance Audit
Description: A compliance task or script automatically releases emails from quarantine to support an audit or legal request.
Filter/Exclusion: task_name:*Compliance Audit Release* OR tool:*Microsoft Purview*
Scenario: False Positive from Third-Party Email Verification Tool
Description: A third-party email verification tool (e.g., Clearbit) incorrectly flags a legitimate email as phishing and quarantines it.
Filter/Exclusion: tool:*Clearbit* OR source:*third-party verification*
Scenario: User-Initiated Email Recovery via Web Interface
Description: A user accesses the email security portal (e.g., Cisco Secure Email) and manually requests the release of an email they believe is legitimate.
Filter/Exclusion: tool:*Cisco Secure Email* AND action:*user-initiated release*