Hunt for email conversation take over attempts

Hunt Hypothesis

Adversaries may attempt to take over email conversations by mimicking legitimate users to initiate or intercept communications, which can lead to data exfiltration or credential compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential spear-phishing or account compromise campaigns early.

KQL Query

let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
| distinct Pair;
let EmailDomains = EmailEvents
| where Timestamp < ago(4hrs)
and DeliveryAction == "Delivered"
| distinct SenderFromDomain;
EmailEvents
| where Timestamp >= ago(4hrs)
| where DeliveryLocation != "Quarantine"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
| project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftouter ( emailDelivered ) on Pair
| order by SenderMailFromAddress
| where NewMsg == false
and Pair1 == ""
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject

Analytic Rule Definition

id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
name: Hunt for email conversation take over attempts
description: |
  This query helps hunting for email conversation take over attempts
description-detailed: |
  This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(4hrs)
  and DeliveryAction == "Delivered"
  | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
  | distinct Pair;
  let EmailDomains = EmailEvents
  | where Timestamp < ago(4hrs)
  and DeliveryAction == "Delivered"
  | distinct SenderFromDomain;
  EmailEvents
  | where Timestamp >= ago(4hrs)
  | where DeliveryLocation != "Quarantine"
  and EmailDirection == "Inbound"
  and OrgLevelAction != "Block"
  and UserLevelAction != "Block"
  | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
  | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
  | join kind=leftouter ( emailDelivered ) on Pair
  | order by SenderMailFromAddress
  | where NewMsg == false
  and Pair1 == ""
  | join kind=leftouter (EmailDomains) on SenderFromDomain
  | where SenderFromDomain1 == ""
  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Hunting/Hunt for email conversation take over attempts.yaml)

False Positive Guidance

Scenario: A system administrator is using Microsoft Exchange Online to send a bulk email campaign using PowerShell cmdlets like Send-MailMessage.
Filter/Exclusion: Exclude emails sent from admin accounts with UserPrincipalName containing admin, service, or support.
Scenario: A scheduled job in Microsoft Outlook (via Outlook Automation or VBA scripts) is configured to send automated reports to internal stakeholders.
Filter/Exclusion: Exclude emails sent from the Outlook application or from accounts with @company.com and JobID in the subject line.
Scenario: A system administrator is using Microsoft Teams to send a meeting reminder to a large group of users.
Filter/Exclusion: Exclude emails sent from the teams@company.com domain or with Meeting Reminder in the subject line.
Scenario: A devops engineer is using Azure DevOps to trigger a deployment pipeline that sends an email notification to the team.
Filter/Exclusion: Exclude emails sent from the azure-devops@company.com domain or with Deployment Notification in the subject line.
Scenario: A help desk technician is using ServiceNow to send an email to a user about a password reset request.
Filter/Exclusion: Exclude emails sent from the service-now@company.com domain or with Password Reset in the subject line.