Adversaries may be using phishing emails to bypass security controls, leveraging detection technology to evade traditional email filtering methods. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing campaigns before they lead to data exfiltration or account compromise.
KQL Query
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where DetectionMethods has "Phish";
let ml=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Advanced filter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Advanced filter";
let camp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Campaign'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Campaign";
let fd=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'File detonation' and Phish !has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation";
let fdr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation reputation";
let frp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Fingerprint matching'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Fingerprint matching";
let gf=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'General filter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "General filter";
let bimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation brand'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation brand";
let dimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation domain'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation domain";
let uimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Impersonation user'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Impersonation user";
let mimp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Mailbox intelligence impersonation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Mailbox intelligence impersonation";
let sdmarc=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Spoof DMARC'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Spoof DMARC";
let spoofe=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Spoof external domain'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Spoof external domain";
let spoofi=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Spoof intra-org'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Spoof intra-org";
let ud=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'URL detonation' and Phish !has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation";
let udr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL detonation reputation";
let umr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'URL malicious reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "URL malicious reputation";
union ml,camp,fd,fdr,frp,gf,bimp,dimp,uimp,mimp,sdmarc,spoofe,spoofi,ud,udr,umr
| project Count, Details, Timestamp
| render timechart
id: 7319bdef-2040-48dc-9b20-b3f138fee71c
name: Phish Detections by Detection technology Trend
description: |
This query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls
description-detailed: |
This query visualises total emails with Phish detections over time summarizing the data daily by various Phish Detection technologies/controls in Microsoft Defender for Office 365.
The comment in the query excludes deliveries to the SecOps Mailbox and by the Phish Simulation system. Remove the "//" to apply the exclusion.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where DetectionMethods has "Phish";
let ml=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Advanced filter'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Advanced filter";
let camp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Campaign'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Campaign";
let fd=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'File detonation' and Phish !has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation";
let fdr=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "File detonation reputation";
let frp=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Phish has 'Fingerprint matching'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Fingerprint matching";
let gf=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(Detectio| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate email encryption tool usage
Description: Employees use email encryption tools like S/MIME or Microsoft InfoPath to send encrypted emails, which may be flagged as phishing due to the presence of encrypted attachments or secure links.
Filter/Exclusion: Exclude emails where the sender is a known internal encryption admin or where the email contains a valid S/MIME certificate.
Scenario: Scheduled system maintenance jobs
Description: Automated system maintenance jobs (e.g., Ansible, PowerShell scripts, or Chef) may send emails with subject lines containing “Phish” or similar keywords, triggering the detection rule.
Filter/Exclusion: Exclude emails sent from system accounts or with a “X-System-Generated” header, or filter by sender IP address associated with internal infrastructure.
Scenario: Internal security awareness training emails
Description: Emails sent by the security team to educate employees about phishing (e.g., KnowBe4 or PhishMe) may include simulated phishing links or subject lines that match the detection rule.
Filter/Exclusion: Exclude emails from the security team’s internal distribution list or filter by sender email address associated with the security training platform.
Scenario: Admin task notifications from third-party tools
Description: Notifications from third-party tools like Microsoft Defender for Office 365, CrowdStrike, or Palo Alto Networks may include alerts or reports that contain the word “Phish” in the subject or body.
Filter/Exclusion: Exclude emails from known admin tools or filter by sender domain (e.g., admin.microsoft.com, crowdstrike.com).
Scenario: Internal audit or compliance reports
Description: Internal audit teams may send reports or alerts related to phishing incidents, which could be flagged by the rule due to the presence of the word