Phishing emails that users report as malicious are often only one visible instance of a broader campaign aimed at stealing credentials and exfiltrating data through compromised accounts. SOC teams should use these user reports as a starting point to proactively hunt in Azure Sentinel for the rest of the campaign, so that credential theft and data leakage can be identified and mitigated early in the attack lifecycle.
KQL Query

```kql
let suspiciousClusters = EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where NetworkMessageId in ("5ff15b1f-d731-4625-4c1c-08dc8615943f","00ff0916-1263-428c-a558-08dc86a6d3cd") //<List of suspicious Network Message Ids from Alerts>
| distinct EmailClusterId;
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where EmailClusterId in (suspiciousClusters)
| summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId), dcount(SenderDisplayName) by EmailClusterId
```
```yaml
id: 8c852f12-499f-499b-afc1-25c50aa9b462
name: Hunting for user signals-clusters
description: |
  In this detection, we use the "Email reported by user as malware or phish" MDO alert as a starting point to identify the scope of a campaign.
description-detailed: |
  In this detection, we use the "Email reported by user as malware or phish" MDO alert as a starting point to identify the scope of a campaign. Emails with similar content are clustered together by MDO, and the cluster ID is populated in the EmailClusterId field of the EmailEvents table using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let suspiciousClusters = EmailEvents
  | where Timestamp > ago(7d)
  | where EmailDirection == "Inbound"
  | where NetworkMessageId in ("5ff15b1f-d731-4625-4c1c-08dc8615943f","00ff0916-1263-428c-a558-08dc86a6d3cd") //<List of suspicious Network Message Ids from Alerts>
  | distinct EmailClusterId;
  EmailEvents
  | where Timestamp > ago(7d)
  | where EmailDirection == "Inbound"
  | where EmailClusterId in (suspiciousClusters)
  | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId), dcount(SenderDisplayName) by EmailClusterId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A user reports a legitimate email from a partner company as phishing, but it was a genuine email with a typo in the sender's address.
  - Filter/Exclusion: Exclude emails where the sender's domain is verified via SPF, DKIM, or DMARC checks, or where the email is from a known trusted partner.
- Scenario: A system administrator sends a test email to a group of users to validate email configurations, and the email is flagged as malware.
  - Filter/Exclusion: Exclude emails sent from admin accounts with specific roles (e.g., admin@domain.com) or emails that match known test email patterns (e.g., "Test email configuration").
- Scenario: A scheduled job runs a script that sends a notification email to the security team, which is mistakenly flagged as malware.
  - Filter/Exclusion: Exclude emails sent from known automation accounts (e.g., scheduler@domain.com) or emails with specific subject lines (e.g., "Scheduled Job Notification").
- Scenario: A user receives a legitimate email from a service provider (e.g., Microsoft 365) that includes a link to a support page, which is mistakenly reported as phishing.
  - Filter/Exclusion: Exclude emails from known service providers (e.g., support@outlook.com) or emails that match known legitimate support email patterns.
- Scenario: A user receives a phishing email that mimics a legitimate internal email, but the user mistakenly reports it as malware.
  - Filter/Exclusion: Exclude emails where the sender's email address is not in the company's directory or where the email is from an external domain not in the company's trusted list.
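The following is an added example (not part of the original hunting query or the Sentinel content package) showing how the page's two-stage pivot, from user-reported NetworkMessageIds to EmailClusterIds to a per-cluster summary, can be extended with the false-positive exclusions listed above. The placeholder message IDs, the trusted-domain, automation-sender and benign-subject lists, and the assumption that `AuthenticationDetails` in `EmailEvents` is a JSON string with `SPF`, `DKIM` and `DMARC` keys holding `"pass"`/`"fail"` values are all assumptions to be adjusted to your tenant's data.

```kql
// Added example: user-reported messages -> campaign clusters -> per-cluster summary,
// with tunable exclusions for the false-positive scenarios described on this page.
let lookback = 7d;
// Placeholder NetworkMessageIds taken from the "Email reported by user as malware or phish" alerts.
let reportedMessageIds = dynamic(["<NetworkMessageId-from-alert-1>", "<NetworkMessageId-from-alert-2>"]);
// Assumed allow-lists; populate from your own partner, admin and automation inventories.
let trustedSenderDomains = dynamic(["partner.example", "outlook.com"]);
let automationSenders = dynamic(["scheduler@domain.com", "admin@domain.com"]);
let benignSubjectPatterns = dynamic(["Test email configuration", "Scheduled Job Notification"]);
// Stage 1: pivot from the reported messages to the MDO clusters they belong to.
let suspiciousClusters = EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where NetworkMessageId in (reportedMessageIds)
| where isnotempty(EmailClusterId)   // messages MDO did not cluster cannot be pivoted on
| distinct EmailClusterId;
// Stage 2: every inbound message in those clusters, minus the known-benign cases.
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where EmailClusterId in (suspiciousClusters)
// Assumption: AuthenticationDetails is JSON with SPF/DKIM/DMARC result strings.
| extend Auth = parse_json(AuthenticationDetails)
| extend DmarcPass = tostring(Auth.DMARC) == "pass",
         SpfPass   = tostring(Auth.SPF)   == "pass",
         DkimPass  = tostring(Auth.DKIM)  == "pass"
// Scenario 1 / 4: trusted partner or service-provider domain that also authenticates.
| where not(SenderFromDomain in (trustedSenderDomains) and DmarcPass and (SpfPass or DkimPass))
// Scenario 2 / 3: known admin and automation senders.
| where not(SenderFromAddress in~ (automationSenders))
// Scenario 2 / 3: known test or scheduled-job subject lines.
| where not(Subject has_any (benignSubjectPatterns))
| summarize Subjects = make_set(Subject, 20),
            SenderDomains = make_set(SenderFromDomain, 20),
            SenderAddresses = make_set(SenderFromAddress, 20),
            Recipients = dcount(RecipientObjectId),
            DistinctSenderNames = dcount(SenderDisplayName),
            Messages = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by EmailClusterId
| order by Recipients desc
```

Clusters that survive the exclusions and show a high recipient count or many distinct sender display names in a short FirstSeen to LastSeen window are the ones most likely to be a single campaign rather than an isolated report; the raw `EmailClusterId` can then be used to pull the affected recipients for remediation.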