Adversaries may be using phishing emails delivered from specific geographic locations to target users within an organization. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns and mitigate associated risks.
KQL Query
```kusto
EmailEvents
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ConfidenceLevel has_any ('Phish":"High')
| summarize count() by LatestDeliveryLocation
| sort by count_ desc
| render piechart
```
```yaml
id: 1617b8b1-df75-4b28-8379-29930c0f46fc
name: Phish Detections (High) by delivery location
description: |
  This query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.
description-detailed: |
  This query visualises emails with Phish detections (High confidence) summarizing the data by Delivery Location.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ConfidenceLevel has_any ('Phish":"High')
  | summarize count() by LatestDeliveryLocation
  | sort by count_ desc
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Internal System Health Check Emails
Description: Automated system health check emails sent from internal tools like Microsoft Intune or ServiceNow may be flagged due to their origin from internal IP ranges.
Filter/Exclusion: Exclude emails sent by known internal tools using the sender field or add internal IP ranges to the delivery_location exclusion list.
Scenario: Scheduled Job Notifications from SIEM Tools
Description: Emails sent by Splunk or IBM QRadar as part of scheduled job notifications (e.g., alert summaries or report distributions) may be flagged as phishing due to their delivery location.
Filter/Exclusion: Use the subject or body field to filter emails containing keywords like “scheduled job” or “report summary”.
Scenario: Admin Task Notifications from Cloud Platforms
Description: Emails sent by AWS CloudTrail or Azure Activity Log to notify administrators about resource changes or security events may be flagged as phishing.
Filter/Exclusion: Exclude emails sent to admin email addresses or use the sender field to filter emails from known cloud provider domains.
Scenario: Internal Collaboration Tool Updates
Description: Emails from internal collaboration tools like Microsoft Teams or Slack (via email notifications) may be flagged due to their delivery location.
Filter/Exclusion: Exclude emails with specific headers or use the subject field to identify updates from collaboration tools.
Scenario: Automated Patch Management Notifications
Description: Emails sent by Microsoft Endpoint Manager or SolarWinds Patch Manager to notify users about system updates may be flagged as phishing.
Filter/Exclusion: Exclude emails sent to user groups with specific roles (e.g., user_role = "IT_Admin") or use the subject field to identify patch
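Folding the exclusion scenarios above into the hunt, as an added example that is not part of the original page or the Sentinel repository: it reads the Phish verdict from the ConfidenceLevel JSON instead of matching a string fragment, and excludes known automated senders using the SenderFromDomain and Subject columns of EmailEvents. The domain list and subject keywords are assumed placeholders, to be replaced with the organisation's own internal tools.

```kusto
// Added tuning example; the domain list and keyword list below are assumed
// placeholders, not values from the original query.
let lookback = 7d;
// Assumed: sender domains of internal tooling that generates automated mail
// (health checks, SIEM job notifications, patch notices).
let trusted_automation_domains = dynamic(["intune.example.internal", "servicenow.example.com"]);
// Assumed: subject keywords from the scheduled-job and patch-notification scenarios.
let automation_subject_terms = dynamic(["scheduled job", "report summary", "patch deployment"]);
EmailEvents
| where Timestamp > ago(lookback)
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
// ConfidenceLevel is a JSON string such as {"Phish":"High","Spam":"Normal"};
// parse it rather than relying on a substring match of the raw text.
| extend Verdicts = parse_json(ConfidenceLevel)
| where tostring(Verdicts.Phish) == "High"
// Exclusions for the false-positive scenarios. Review what these remove
// before relying on them: a broad subject keyword can also hide real phish.
| where SenderFromDomain !in (trusted_automation_domains)
| where not(Subject has_any (automation_subject_terms))
| summarize EmailCount = count(),
            DistinctSenders = dcount(SenderFromAddress),
            DistinctRecipients = dcount(RecipientEmailAddress)
    by LatestDeliveryLocation
| sort by EmailCount desc
```

Pivoting on LatestDeliveryLocation with sender and recipient counts alongside the raw total helps separate one noisy automated sender from a campaign that reached many mailboxes.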