Adversaries may use impersonation tactics to mimic trusted entities within an organization in order to slip past traditional email security measures. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential business email compromise (BEC) attacks before they lead to data exfiltration or financial loss.
KQL Query

```kusto
EmailEvents
| where DetectionMethods has 'Impersonation'
| project Timestamp, DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT)
| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
| sort by count_ desc
| render piechart
```
```yaml
id: 7017c313-c778-4a23-a15a-9e2f277b216e
name: Impersonation Detections by Detection Technology
description: |
  This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology
description-detailed: |
  This query visualises total emails with Phish Business Email Compromise (BEC) Impersonation detections by various Impersonation Detection technologies/controls in Microsoft Defender for Office 365.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where DetectionMethods has 'Impersonation'
  | project Timestamp, DT=parse_json(DetectionMethods)
  | evaluate bag_unpack(DT)
  | summarize count() by Phish=tostring(column_ifexists('Phish', ''))
  | sort by count_ desc
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
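The query above stringifies the whole `Phish` array, so an email caught by two impersonation technologies becomes its own slice of the pie. The following is an added example, not part of the original hunting query, that expands each technology separately and expresses the false-positive exclusions listed below against the real EmailEvents columns (SenderFromAddress, SenderFromDomain, Subject, DeliveryAction, NetworkMessageId); the sender addresses, domains and subject keywords are constructed placeholders you would replace with your own allow-list.

```kusto
// Added example: per-technology impersonation counts with KQL-native exclusions.
// The allow-list values below are constructed placeholders, not real addresses.
let SystemSenders = dynamic(["sysadmin@company.com", "noreply@company.com"]);
let TrustedThirdPartyDomains = dynamic(["cloudprovider.com", "serviceprovider.com"]);
let TrainingSubjectTerms = dynamic(["Phishing Simulation", "Test"]);
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has 'Impersonation'
// Exclusions from the false-positive scenarios, written as KQL instead of SQL-style LIKE/IN
| where SenderFromAddress !in~ (SystemSenders)
| where SenderFromDomain !in~ (TrustedThirdPartyDomains)
| where not(Subject has_any (TrainingSubjectTerms))
// Pull the Phish array out of the DetectionMethods JSON, e.g. {"Phish":["Impersonation user"]}
| extend PhishMethods = parse_json(DetectionMethods).Phish
| where isnotempty(PhishMethods)
// One row per detection technology so multi-technology hits are counted under each
| mv-expand PhishMethod = PhishMethods to typeof(string)
// DeliveryAction shows whether the impersonation attempt was blocked or still reached a mailbox
| summarize Emails = dcount(NetworkMessageId),
            Recipients = dcount(RecipientEmailAddress)
    by PhishMethod, DeliveryAction
| sort by Emails desc
```

Rows where DeliveryAction is Delivered are the ones worth triaging first, since the impersonation was detected but the message still landed.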
Scenario: Legitimate System Job Sending Emails
Description: A scheduled job (e.g., cron job, Task Scheduler task, or PowerShell script) runs daily and sends automated emails to users for system updates or notifications.
Filter/Exclusion: Check the sender field against known system email addresses or use a filter like sender NOT IN ('sysadmin@company.com', 'noreply@company.com').
Scenario: Admin Task with Phish-Related Subject Line
Description: An administrator sends a test email to the team with a subject line like “Test: Phishing Simulation” as part of a security training exercise.
Filter/Exclusion: Use a filter like subject NOT LIKE '%Phishing%' AND subject NOT LIKE '%Test%' (both conditions must hold, otherwise the OR form matches nearly every email) or exclude emails sent from admin email addresses.
Scenario: Email from a Third-Party Service Provider
Description: A legitimate email is sent from a third-party service (e.g., support@cloudprovider.com) that mimics internal communication due to shared branding.
Filter/Exclusion: Exclude emails from known third-party domains using a filter like domain NOT IN ('cloudprovider.com', 'serviceprovider.com').
Scenario: User-Initiated Email with Impersonation-Like Subject
Description: A user sends an email with a subject like “Urgent: Payment Required” to a colleague, which may trigger the rule due to the phrasing.
Filter/Exclusion: Filter by sender_email IN ('trusted_user@company.com') or use a keyword exclusion like subject NOT LIKE '%Urgent%'.
Scenario: Internal Email with Phish-Like Content
Description: An internal email is sent with a subject or body that resembles phishing content (e.g., “Your account will be suspended