Adversaries may use compromised sender IPs to distribute malware or phishing emails, leveraging trusted infrastructure to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential email-based attacks before they cause widespread damage.
KQL Query

```kql
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
| summarize count() by SenderIPv4 //SenderIPv6
| sort by count_
```
```yaml
id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
name: Malicious mails by sender IPs
description: |
  This query helps reviewing sender IPs sending malicious email of type Malware or Phish
description-detailed: |
  This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
  | summarize count() by SenderIPv4 //SenderIPv6
  | sort by count_
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate email relay through a third-party email service provider
Description: A legitimate email sender (e.g., Google Workspace or Microsoft 365) relays emails through their own infrastructure, which may be flagged due to the sender IP being associated with known malicious activity.
Filter/Exclusion: Exclude sender IPs that are known to belong to major email service providers (e.g., 142.250.179.174 for Google, 4.2.2.1 for Microsoft). Use a static list of trusted email relay IPs or integrate with the email provider's API to validate sender authenticity.

Scenario: Scheduled system maintenance or backup jobs sending notifications
Description: Automated system maintenance or backup jobs (e.g., using cron or Task Scheduler) may send emails to administrators, which could be flagged as suspicious due to the sender IP.
Filter/Exclusion: Exclude emails sent from known internal IP ranges (e.g., 192.168.0.0/16, 10.0.0.0/8) or use a custom field like X-MS-Exchange-Organization-Message-Id to identify internal system-generated emails.

Scenario: Internal user sending emails to external partners
Description: An internal user sends a legitimate email to an external partner or client, which may be flagged due to the sender IP being associated with a known malicious IP range.
Filter/Exclusion: Exclude emails where the sender is an internal user (e.g., using the From header with a domain like @company.com) or use a custom field like X-Forwarded-For to identify the actual internal sender IP.

Scenario: Email sent by a legitimate third-party application (e.g., ServiceNow, Jira)
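The following is an added example, not the hunting query from the original page or the Sentinel repository: it applies the exclusions from the scenarios above to the base hunt and adds the context a triager needs beyond a bare count. The relay CIDRs and the internal domain are constructed placeholders; the column names are the standard EmailEvents schema columns.

```kql
// Added example: base hunt plus the false-positive exclusions discussed above.
// TrustedRelayRanges uses RFC 5737 documentation addresses as constructed placeholders;
// replace them with your own reviewed list of third-party relay ranges.
let TrustedRelayRanges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
// Internal sender domains handled by a separate review (constructed placeholder value).
let InternalDomains = dynamic(["company.com"]);
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware"
// Scenario 3 (assumption): internal senders are reviewed elsewhere, so keep inbound mail only
| where EmailDirection == "Inbound"
| where not(SenderFromDomain in (InternalDomains))
// Normalise to one SenderIP column so IPv6 senders are not silently dropped
| extend SenderIP = coalesce(SenderIPv4, SenderIPv6)
| where isnotempty(SenderIP)
// Scenario 2: private ranges used by cron/backup notifications.
// "false and null" evaluates to false in KQL, so rows with an empty SenderIPv4 survive.
| where not(isnotempty(SenderIPv4) and ipv4_is_private(SenderIPv4))
// Scenario 1: known third-party relay ranges from the reviewed static list
| where not(isnotempty(SenderIPv4) and ipv4_is_in_any_range(SenderIPv4, TrustedRelayRanges))
// Context the bare count lacks: recipient spread, claimed sender domains, and whether
// any of the messages actually reached a mailbox
| summarize MailCount = count(),
            Recipients = dcount(RecipientEmailAddress),
            SenderDomains = make_set(SenderFromDomain, 10),
            Delivered = countif(DeliveryAction == "Delivered"),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by SenderIP
| sort by MailCount desc
```

A sender IP with a high Delivered count and many distinct recipients is the row to triage first; a high MailCount with Delivered at zero shows the filtering stack already holding.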