Adversaries may use phishing emails delivered from specific geographic locations to bypass traditional email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns that evade standard detection mechanisms.
KQL Query

```kusto
EmailEvents
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ConfidenceLevel has_any ('Phish":"Normal')
| summarize count() by LatestDeliveryLocation
| sort by count_ desc
| render piechart
```
```yaml
id: bfdb25dd-1cc0-46da-9545-9aa92d53e2c8
name: Phish Detections (Normal) by delivery location
description: |
  This query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location.
description-detailed: |
  This query visualises emails with Phish detections (Normal confidence) summarizing the data by Delivery Location which are subject to User/Admin overrides and Policy actions.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ConfidenceLevel has_any ('Phish":"Normal')
  | summarize count() by LatestDeliveryLocation
  | sort by count_ desc
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Job Sending Test Emails | A scheduled job (e.g., AWS SES, Microsoft Exchange Online, or third-party email automation tool) sends test emails to internal users for system validation. | Exclude emails sent by known test or scheduled job sources (e.g., sender = "test-sender@company.com" or subject LIKE '%Test Email%'). |
| Internal System Notification Emails | Internal systems (e.g., Jira, ServiceNow, or Slack) send automated notifications to users about task updates or alerts. | Exclude emails from internal notification services (e.g., sender = "jira@company.com" or subject LIKE '%Jira Alert%'). |
| Admin Task Email Notifications | System administrators send emails to users for administrative tasks (e.g., password resets, account lockouts, or access approvals). | Exclude emails from admin tools (e.g., sender = "admin@company.com" or subject LIKE '%Password Reset%'). |
| Email Marketing Campaigns | Marketing teams send bulk emails (e.g., using Mailchimp, HubSpot, or Salesforce Marketing Cloud) to internal or external users. | Exclude emails from marketing domains or campaigns (e.g., sender LIKE '%marketing@%' or subject LIKE '%Campaign%'). |
| Email Forwarding from Internal Users | Users forward legitimate emails (e.g., from internal support teams or HR) to other users, which may be flagged as phishing due to the forwarding chain. | Exclude emails that are forwarded from known internal users (e.g., forwarded_from = "internal-user@company.com" or |
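As an added example (not the original hunting query and not part of the Sentinel solution), the same hunt with the exclusions from the scenarios above applied and the Phish verdict read from the JSON in ConfidenceLevel rather than matched as a raw substring. The allowlist values are constructed from the page's examples, the 7-day window is an assumption, and ConfidenceLevel is assumed to hold an object such as {"Spam":"Normal","Phish":"Normal"}, the shape the original filter matches on.

```kusto
// Added example, not the original hunting query. Allowlist values are constructed from the
// false-positive scenarios on this page; adjust them to your tenant before use.
let lookback = 7d;                                   // assumption: hunt window
// Known benign automated senders (scheduled test jobs, ticketing, admin tooling).
let allowed_senders = dynamic([
    "test-sender@company.com",
    "jira@company.com",
    "admin@company.com"
]);
// Subject terms that mark scheduled tests, system notifications and admin tasks.
let benign_subject_terms = dynamic(["Test Email", "Jira Alert", "Password Reset"]);
EmailEvents
| where Timestamp > ago(lookback)
// Same policy exclusions as the original query.
| where OrgLevelPolicy !in ("Phishing simulation", "SecOps Mailbox")
// Read the Phish verdict from the JSON in ConfidenceLevel (assumed shape:
// {"Spam":"Normal","Phish":"Normal"}) instead of matching the substring 'Phish":"Normal'.
| extend PhishConfidence = tostring(todynamic(ConfidenceLevel).Phish)
| where PhishConfidence == "Normal"
// False-positive exclusions from the scenarios above.
| where SenderFromAddress !in~ (allowed_senders)
| where not(Subject has_any (benign_subject_terms))
| where SenderFromAddress !contains "marketing@"      // bulk marketing tools
| where Subject !has "Campaign"
// Keep the delivery outcome next to the location so overrides stand out
// (e.g. Phish verdicts that still reached the Inbox through a user/admin override).
| summarize Emails = count(),
            Recipients = dcount(RecipientEmailAddress),
            Senders = dcount(SenderFromAddress)
    by LatestDeliveryLocation, DeliveryAction
| sort by Emails desc
```

To reproduce the original chart, drop DeliveryAction from the summarize and append `| render piechart`.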