Adversaries use impersonation tactics to mimic trusted entities (brands, domains and individual users) in email, crafting messages that slip past traditional security controls. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and disrupt business email compromise (BEC) attacks before they cause financial or reputational damage. The query below reads the `DetectionMethods` field of `EmailEvents`, unpacks the `Phish` verdicts it contains, and charts a daily count for each of the four impersonation detection technologies.
KQL Query

```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where DetectionMethods has "Phish";
let bimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation brand'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation brand";
let dimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation domain'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation domain";
let uimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation user'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation user";
let mimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Mailbox intelligence impersonation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Mailbox intelligence impersonation";
union bimp,dimp,uimp,mimp
| project Count, Details, Timestamp
| render timechart
```
```yaml
id: b0fb6dca-bd73-4852-8670-3235e56ffe4d
name: Impersonation Detections by Detection Technology Trend
description: |
  This query visualises total emails with Phish (BEC) Impersonation detections by Detection Technology over time
description-detailed: |
  This query visualises total emails with Phish Business Email Compromise (BEC) Impersonation detections over time summarizing the data daily by various Impersonation Detection technologies/controls in Microsoft Defender for Office 365.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailEvents
  | where DetectionMethods has "Phish";
  let bimp=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Phish has 'Impersonation brand'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Impersonation brand";
  let dimp=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Phish has 'Impersonation domain'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Impersonation domain";
  let uimp=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Phish has 'Impersonation user'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Impersonation user";
  let mimp=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
  | where Phish has 'Mailbox intelligence impersonation'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Mailbox intelligence impersonation";
  union bimp,dimp,uimp,mimp
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: A system administrator uses Microsoft Exchange Online Protection (EOP) to send a test phishing email to validate detection rules.
Filter/Exclusion: Exclude emails where the sender is a known admin account (e.g., admin@domain.com) or where the email is flagged as a test email (e.g., test-phishing@domain.com).
Scenario: A scheduled job runs daily to send a report via email to a distribution list using Microsoft Outlook. The email is flagged as impersonation because the sender's domain also appears in a legitimate outbound email.
Filter/Exclusion: Exclude emails sent from a known scheduled job sender (e.g., scheduler@domain.com) or where the email is part of a known automation process.
Scenario: An endpoint detection and response (EDR) tool like CrowdStrike Falcon generates a false positive alert when a legitimate user runs a script that mimics a phishing email during a security training exercise.
Filter/Exclusion: Exclude alerts where the process is associated with a known security training tool (e.g., training@domain.com or phishsim@domain.com).
Scenario: A third-party service like Google Workspace sends an automated email to a user account, which is misclassified as impersonation due to the sender’s domain being similar to the user’s domain.
Filter/Exclusion: Exclude emails from known third-party services (e.g., notifications@google.com or support@google.com) or where the sender is a verified service account.
Scenario: A system update or patching tool like Microsoft Intune sends an email notification to users about a critical update, which is flagged as impersonation due to the sender’s domain being used in a phishing attack.
Filter/Exclusion: Exclude emails sent
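As an added example (not part of the original hunting query or the Defender for Office 365 solution), the four near-identical branches above can be collapsed into a single pass with `mv-expand`, and the sender allow-list suggested by the exclusion scenarios applied before counting. The addresses in `KnownBenignSenders` are placeholders to replace with your own tuned list.

```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// The four impersonation verdicts Defender for Office 365 writes into DetectionMethods.Phish
let ImpersonationTypes = dynamic([
    "Impersonation brand",
    "Impersonation domain",
    "Impersonation user",
    "Mailbox intelligence impersonation"]);
// Assumed allow-list built from the false-positive scenarios (placeholder addresses)
let KnownBenignSenders = dynamic([
    "scheduler@domain.com",
    "phishsim@domain.com"]);
EmailEvents
| where Timestamp between (TimeStart .. TimeEnd)
| where DetectionMethods has "Phish"
// Drop senders already triaged as benign so they do not inflate the trend
| where SenderFromAddress !in (KnownBenignSenders)
// DetectionMethods is a JSON string; Phish holds an array of verdict names
| extend Phish = parse_json(DetectionMethods).Phish
// One row per verdict so a single email carrying two verdicts is counted under both
| mv-expand Details = Phish to typeof(string)
| where Details in (ImpersonationTypes)
// Daily series per detection technology, zero-filled for days with no hits
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Details
| render timechart
```

Because `Details` is exact-matched after expansion, a verdict string that is a superset of one of the four names (for example a future `"Impersonation user (high confidence)"`) would be dropped rather than silently merged, which is easier to notice than the term-based `has` match in the original.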