Adversaries use phishing email as an initial access vector (T1566). For messages that Defender for Office 365 already classifies as phish, the delivery location (Quarantine, Junk folder, Inbox/folder, Failed, Dropped) tells you how much of a campaign actually reached a user: a rise in Inbox/folder deliveries means the protection policies are letting phish through and is the part of the trend worth hunting on. SOC teams should trend these detections daily in Microsoft Sentinel to spot campaigns early and to verify that detected phish is being quarantined rather than delivered.
KQL Query

```kusto
EmailEvents
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where DetectionMethods has "Phish" and EmailDirection == "Inbound"
| make-series TotalPhishDetections = count(),
              Quarantine = countif(DeliveryLocation == "Quarantine"),
              Junkfolder = countif(DeliveryLocation == "Junk folder"),
              Inbox = countif(DeliveryLocation == "Inbox/folder"),
              Failed = countif(DeliveryLocation == "Failed"),
              Dropped = countif(DeliveryLocation == "Dropped")
              default = 0 on Timestamp step 1d
| render timechart
```
```yaml
id: fbe8abde-83b3-4e16-af08-f8f7db9a9028
name: Phish Detections by delivery location trend
description: |
  This query visualises total emails with Phish detections over time, summarizing the data daily by Delivery Location.
description-detailed: |
  This query visualises total emails with Phish detections over time, summarizing the data daily by Delivery Location.
  The commented-out line in the query excludes messages delivered to SecOps mailboxes and messages sent by the phishing simulation system. Remove the leading "//" to apply the exclusion.
  The query is also included in the Defender for Office 365 solution for Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  //| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where DetectionMethods has "Phish" and EmailDirection == "Inbound"
  | make-series TotalPhishDetections = count(),
                Quarantine = countif(DeliveryLocation == "Quarantine"),
                Junkfolder = countif(DeliveryLocation == "Junk folder"),
                Inbox = countif(DeliveryLocation == "Inbox/folder"),
                Failed = countif(DeliveryLocation == "Failed"),
                Dropped = countif(DeliveryLocation == "Dropped")
                default = 0 on Timestamp step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
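The trend chart shows the shape of the problem, but the actionable part is the Inbox/folder series: phish that was detected yet still delivered. The following query is an added example, not part of the original hunting query or the Defender for Office 365 solution. It builds the same daily series with the exclusion uncommented, flags days where Inbox deliveries spike against their trailing baseline with `series_decompose_anomalies`, and joins back to the delivered messages on those days for triage. The 30-day lookback and the anomaly threshold of 2.5 are assumed values to tune per tenant; all column names are standard EmailEvents columns.

```kusto
// Added example (not from the original query): flag days where phish-detected
// mail delivered to Inbox/folder spikes against its trailing baseline, then
// pull the delivered messages from those days for triage.
// Assumptions: 30d window, anomaly threshold 2.5 (both to be tuned).
let lookback = 30d;
let series_start = startofday(ago(lookback));   // align bins to midnight so Day joins line up
let series_end = startofday(now()) + 1d;
let inbox_trend = EmailEvents
    | where Timestamp between (series_start .. series_end)
    | where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
    | where DetectionMethods has "Phish" and EmailDirection == "Inbound"
    | make-series Inbox = countif(DeliveryLocation == "Inbox/folder") default = 0
        on Timestamp from series_start to series_end step 1d;
inbox_trend
// IsAnomaly: 1 = spike above baseline, -1 = dip, 0 = normal
| extend (IsAnomaly, Score, Baseline) = series_decompose_anomalies(Inbox, 2.5)
| mv-expand Timestamp to typeof(datetime), Inbox to typeof(long),
            IsAnomaly to typeof(int), Score to typeof(real), Baseline to typeof(real)
| where IsAnomaly == 1                  // only days with more Inbox-delivered phish than expected
| project Day = Timestamp, Inbox, Baseline, Score
| join kind=inner (
    EmailEvents
    | where Timestamp between (series_start .. series_end)
    | where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
    | where DetectionMethods has "Phish" and EmailDirection == "Inbound"
    | where DeliveryLocation == "Inbox/folder"
    | project Day = startofday(Timestamp), Timestamp, NetworkMessageId,
              SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject,
              ThreatTypes, DeliveryAction, DetectionMethods
) on Day
| project-away Day1
| order by Day desc, Score desc, Timestamp desc
```

Run it over the same window as the trend chart; each row is one delivered phish message on a spike day, with the day's observed count and baseline alongside it. If the spike is a single sender or subject, it is usually a campaign; if the delivered messages were later removed by ZAP (DeliveryAction reflects the final action), the spike is less urgent than an unchanged delivery.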
**Scenario: Daily System Maintenance Reports Sent from Internal Server**
Description: A scheduled job runs daily to generate system maintenance reports, which are sent from an internal server to a few admin email addresses. These emails can be flagged as phish because of the sending server's IP.
Filter/Exclusion: Exclude emails whose SenderIPv4 falls in internal ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or emails sent by known internal reporting tools such as Splunk or SolarWinds.

**Scenario: Automated Email Notifications from Cloud Security Tools**
Description: A cloud security tool such as CrowdStrike or Microsoft Defender for Cloud sends automated email notifications to the security team about detected threats. These emails can be flagged because of the sending IP.
Filter/Exclusion: Exclude emails originating from the known sending domains or IP ranges of those tools. Tie the domain exclusion to a passing DMARC result so that a message merely spoofing the vendor's domain does not inherit it.

**Scenario: Scheduled Job for Email Archiving Using a Third-Party Service**
Description: A scheduled job runs to archive emails using a third-party service such as Microsoft Exchange Online Archiving or Google Workspace Vault, which sends confirmation emails to the admin. These emails can be flagged as phish.
Filter/Exclusion: Exclude emails sent from the archiving service's known domains or IPs. Subject keywords such as "archive confirmation" or "backup notification" are attacker-controlled, so use them only in combination with a sender condition, never as the sole exclusion.

**Scenario: Internal Training Emails Sent by the Security Team**
Description: The security team sends internal phishing training emails to employees using an internal email server. These emails are flagged because of the sending server's IP.
Filter/Exclusion: Exclude emails sent from the internal email server or from the security team's sender addresses. If the simulation is registered in the Defender for Office 365 advanced delivery policy, the commented-out OrgLevelPolicy exclusion in the query already covers it.
**Scenario: Email Notifications
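The exclusions from the scenarios above, expressed as EmailEvents filters in front of the original make-series. This is an added example, not code from the original page: the IP ranges, sender domains and sender addresses are placeholders to be replaced with the tenant's own allow-list, and the `AuthenticationDetails` JSON is assumed to carry the documented `SPF`/`DKIM`/`DMARC` keys. Each exclusion is computed as a named flag first so the rows it removes can be reviewed before the `where` is applied.

```kusto
// Added example (not from the original page): apply the scenario exclusions
// to the phish-by-delivery-location trend. Placeholder values below are
// assumptions; replace them with the tenant's real allow-list.
let internal_ranges    = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
let tooling_domains    = dynamic(["alerts.edr-vendor.example", "notify.archive-vendor.example"]);
let training_senders   = dynamic(["security-awareness@corp.example"]);
EmailEvents
| where Timestamp > ago(30d)
| where DetectionMethods has "Phish" and EmailDirection == "Inbound"
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| extend auth = parse_json(AuthenticationDetails)
| extend
    // Scenario 1/4: relayed from an internal range (empty or invalid IP -> false, not excluded)
    FromInternalRange = coalesce(ipv4_is_in_any_range(SenderIPv4, internal_ranges), false),
    // Scenario 2/3: known tooling domain, but only when DMARC passed, so a
    // spoof of the vendor domain does not inherit the exclusion. Subject
    // keywords are deliberately not used on their own: the sender controls them.
    FromTrustedTool   = SenderFromDomain in (tooling_domains) and tostring(auth.DMARC) == "pass",
    // Scenario 4: the security team's own training mail
    IsTrainingMail    = SenderFromAddress in (training_senders)
| where not(FromInternalRange or FromTrustedTool or IsTrainingMail)
| make-series TotalPhishDetections = count(),
              Quarantine = countif(DeliveryLocation == "Quarantine"),
              Junkfolder = countif(DeliveryLocation == "Junk folder"),
              Inbox = countif(DeliveryLocation == "Inbox/folder"),
              Failed = countif(DeliveryLocation == "Failed"),
              Dropped = countif(DeliveryLocation == "Dropped")
              default = 0 on Timestamp step 1d
| render timechart
```

Before trusting the exclusions, replace the final `where` and `make-series` with `| summarize count() by FromInternalRange, FromTrustedTool, IsTrainingMail, SenderFromDomain` and inspect what each flag removes; an exclusion that silently drops a large share of detections is usually too broad.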