Adversaries who send phishing from a compromised or purpose-built mailbox rarely get every message past the filters: some are detected and quarantined while other messages from the same sender reach user inboxes. A sender with at least one quarantined message and at least one message delivered to an inbox is therefore worth a look, because the delivered messages may belong to the same spear-phishing or credential-harvesting campaign. SOC teams can hunt for this pattern in Azure Sentinel (now Microsoft Sentinel) using the EmailEvents table populated by the Microsoft 365 Defender connector, which lets them catch the campaign before the delivered messages are acted on.
KQL Query
// Stage 1: every sender address with at least one message whose final location
// is Quarantine (a detected threat, or a post-delivery ZAP action).
let SenderWithQuarantine = EmailEvents
| where LatestDeliveryLocation == "Quarantine"
| project SenderFromAddress;
// Stage 2: messages from those same senders whose final location is still a
// user mailbox, i.e. mail from a known-bad sender that got through.
EmailEvents
| where LatestDeliveryLocation == "Inbox/folder"
| where SenderFromAddress in (SenderWithQuarantine)
id: 63c799bc-7567-4e4d-97be-e143fcfaa333
name: Malicious email senders
description: |
  This query helps hunt for emails from a sender with at least one email in quarantine
description-detailed: |
  This query helps hunt for emails from a sender with at least one email detected with a threat and sent into quarantine
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let SenderWithQuarantine = EmailEvents
  | where LatestDeliveryLocation == "Quarantine"
  | project SenderFromAddress;
  EmailEvents
  | where LatestDeliveryLocation == "Inbox/folder"
  | where SenderFromAddress in (SenderWithQuarantine)
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and the EmailEvents data type is selected |
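The same two-stage logic, scoped to a lookback window and summarised per sender so an analyst can triage the results, as an added example that is not part of the original hunting query. Column names are from the EmailEvents schema; the 30-day lookback is an assumed value.

```kql
// Added example, not the original hunting query: senders with a quarantined
// message, then their delivered messages, summarised per sender for triage.
// Column names are from the EmailEvents schema; the lookback is an assumption.
let lookback = 30d;
// Stage 1: senders with at least one message that ended in quarantine, with the
// threat verdicts and detection methods that put it there.
let QuarantinedSenders = EmailEvents
    | where Timestamp > ago(lookback)
    | where LatestDeliveryLocation == "Quarantine"
    | summarize QuarantinedCount = count(),
                QuarantineThreats = make_set(ThreatTypes, 10),
                QuarantineDetections = make_set(DetectionMethods, 10),
                FirstQuarantined = min(Timestamp),
                LastQuarantined = max(Timestamp)
      by SenderFromAddress;
// Stage 2: messages from those senders whose final location is still a mailbox.
// LatestDeliveryLocation reflects post-delivery actions such as ZAP, so a message
// that was delivered and later moved to quarantine is counted in stage 1, not here.
EmailEvents
| where Timestamp > ago(lookback)
| where LatestDeliveryLocation == "Inbox/folder"
| join kind=inner QuarantinedSenders on SenderFromAddress
| summarize DeliveredCount = count(),
            Recipients = make_set(RecipientEmailAddress, 20),
            Subjects = make_set(Subject, 10),
            SenderIPs = make_set(SenderIPv4, 5),
            FirstDelivered = min(Timestamp),
            LastDelivered = max(Timestamp)
  by SenderFromAddress, SenderFromDomain, QuarantinedCount, FirstQuarantined, LastQuarantined,
     QuarantineThreats = tostring(QuarantineThreats),
     QuarantineDetections = tostring(QuarantineDetections)
// Messages delivered after the sender's first quarantine verdict are the most
// interesting: the filter already had a bad verdict on this sender when it let
// these through, so they deserve a manual look first.
| extend DeliveredAfterQuarantine = LastDelivered > FirstQuarantined
| order by DeliveredAfterQuarantine desc, QuarantinedCount desc, DeliveredCount desc
```

The join replaces the `in (tabular expression)` form of the original, which is fine for hunting but silently truncates the inner list on very busy tenants; the join also carries the quarantine context (threat types, detection methods, timing) alongside each delivered message rather than returning the raw rows.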
Scenario: Systematic email reporting by the email security gateway
Description: The email security gateway (e.g., Microsoft Defender for Office 365, Cisco Secure Email Gateway) automatically quarantines emails from known malicious domains as part of routine threat intelligence updates and sends its own quarantine and digest notifications. Senders that are quarantined on every message never match the query, but a sender that was delivered before an indicator arrived and quarantined afterwards will, which is expected noise from already-blocked domains.
Filter/Exclusion: Exclude the gateway's own notification senders (e.g., quarantine.office365.com, cisco.com, symantec.com) by matching SenderFromDomain or SenderIPv4 directly in the KQL rather than a generic sender_ip or sender_domain filter. Apply a vendor-domain exclusion only when the message also passed SPF/DKIM/DMARC (the AuthenticationDetails column); a bare domain match lets a spoofed vendor sender drop out of the hunt.
Scenario: Legitimate scheduled email jobs (e.g., backup reports, system alerts)
Description: Automated jobs such as nightly backups, system health checks, or alert notifications (e.g., from Splunk, Datadog, or Nagios) may send emails that get flagged and quarantined because of suspicious sender patterns (high volume, identical subjects, attachments, a sending host without SPF/DKIM alignment), while other runs of the same job land in the inbox.
Filter/Exclusion: Exclude the known internal automation senders (e.g., backup@company.com, alert@ops.company.com) by SenderFromAddress, and restrict the exclusion to messages that passed authentication so the addresses cannot be spoofed into the allowlist. A Subject keyword filter for terms like "backup", "report", "alert", or "system health" can narrow the exclusion further, but never use it on its own: phishing lures use exactly these words, so the keyword should only exclude mail that also comes from the organisation's own domain or relay.
Scenario: Email from internal admin tools (e.g., Microsoft Exchange Online Protection)
Description: Emails sent by internal admin tools (e.g., Microsoft Exchange Online Protection or third-party email filtering tools) may be quarantined if they are flagged as suspicious because of their origin, for example a relay address that is not covered by the tenant's SPF record.
Filter/Exclusion: Exclude the internal admin addresses (e.g., admin@company.com, security@company.com) by SenderFromAddress. EmailEvents does not expose raw message headers, so check origin with the SenderIPv4 column instead, using ipv4_is_private() or ipv4_is_in_range() against the organisation's relay ranges, and combine that with an authentication pass before excluding.
Scenario: Email from third-party service providers (e.g., Salesforce, ServiceNow)
Description: Emails sent by third-party
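The base hunt with the exclusions from the scenarios above applied, written against EmailEvents columns instead of generic SIEM field names, as an added example that is not the project's own query. The allowlist values, the organisation domain and the lookback are placeholders taken from the scenario text; the SPF/DKIM/DMARC/CompAuth field names read from the AuthenticationDetails JSON are assumed from the schema description of that column.

```kql
// Added example, not the project's own query: the quarantine/inbox hunt with the
// false-positive exclusions from the scenarios, each gated on authentication.
// Allowlist values, OrgDomain and the lookback are placeholders; the
// AuthenticationDetails JSON field names are assumed from the schema description.
let lookback = 30d;
let OrgDomain = "company.com";
let SecurityToolDomains = dynamic(["quarantine.office365.com", "cisco.com", "symantec.com"]);
let InternalAutomationSenders = dynamic(["backup@company.com", "alert@ops.company.com",
                                         "admin@company.com", "security@company.com"]);
let AutomationSubjectWords = dynamic(["backup", "report", "alert", "system health"]);
EmailEvents
| where Timestamp > ago(lookback)
| where LatestDeliveryLocation in ("Quarantine", "Inbox/folder")
// An allowlist keyed on the From address or domain alone is satisfied by a spoofed
// message, so every exclusion below also requires DMARC or composite authentication
// to have passed. Empty AuthenticationDetails yields false, not null.
| extend Auth = parse_json(AuthenticationDetails)
| extend AuthPassed = tostring(Auth.DMARC) == "pass" or tostring(Auth.CompAuth) == "pass"
// ipv4_is_private() returns null for an empty or malformed address; coalesce keeps
// the later boolean logic from silently dropping those rows.
| extend SenderIsInternalRelay = coalesce(ipv4_is_private(SenderIPv4), false)
// Scenario 1: gateway and vendor notification domains, only when authenticated.
| where not(SenderFromDomain in (SecurityToolDomains) and AuthPassed)
// Scenarios 2 and 3: known internal automation and admin senders, same gate.
| where not(SenderFromAddress in (InternalAutomationSenders) and AuthPassed)
// Scenario 2: subject keywords, but only for authenticated mail from the org's own
// domain or an internal relay. "backup" or "alert" in a subject is not by itself
// evidence that a message is benign.
| where not(Subject has_any (AutomationSubjectWords)
            and (SenderFromDomain =~ OrgDomain or SenderIsInternalRelay)
            and AuthPassed)
// Single pass instead of the let/in pair: count both outcomes per sender and keep
// only senders that have at least one of each.
| summarize Quarantined = countif(LatestDeliveryLocation == "Quarantine"),
            Delivered = countif(LatestDeliveryLocation == "Inbox/folder"),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by SenderFromAddress, SenderFromDomain
| where Quarantined > 0 and Delivered > 0
| order by Quarantined desc, Delivered desc
```

Because the exclusions are evaluated before the per-sender counts, an allowlisted automation sender whose quarantined messages were genuinely malicious (a compromised service account, for instance) still surfaces when those messages failed authentication, which is the case the allowlist must not hide.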