Adversaries may use phishing emails to deliver malicious payloads, establishing initial access or exfiltrating data. Azure Sentinel's EmailEvents data records the phish detections Defender for Office 365 raises on inbound mail, so SOC teams should proactively hunt over this data to identify and mitigate potential compromise early in the attack lifecycle.
KQL Query

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where Timestamp >= TimeStart
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ThreatTypes has "Phish"
| make-series PhishDetections = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: 1b6a8564-bfe2-40f7-873a-7713f7b0c1d0
name: Phish Detections Trend
description: |
  This query visualises total emails with Phish detections over time, summarising the data daily.
description-detailed: |
  This query visualises total emails with Phish detections over time, summarising the data daily.
  The commented-out line in the query excludes deliveries to the SecOps Mailbox and by the Phish Simulation system. Remove the "//" to apply the exclusion.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  | where Timestamp >= TimeStart
  //| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ThreatTypes has "Phish"
  | make-series PhishDetections = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Backup Job
Description: A legitimate scheduled job runs daily to send backup reports via email, which may include attachments or links that trigger the phish detection rule.
Filter/Exclusion: Exclude emails sent by the backup system (e.g., sender = "backup@yourdomain.com" or subject contains "Backup Report").
Scenario: Admin Password Reset Notifications
Description: System administrators receive automated password reset emails from the identity management tool (e.g., Okta, Azure AD), which may be flagged due to the presence of links or attachments.
Filter/Exclusion: Exclude emails from known admin services (e.g., sender = "admin@yourdomain.com" or subject contains "Password Reset").
Scenario: Daily System Health Reports
Description: A monitoring tool (e.g., Datadog, Splunk, or Nagios) sends daily health reports via email, which may include embedded links or scripts that trigger the phish detection.
Filter/Exclusion: Exclude emails from the monitoring system (e.g., sender = "monitoring@yourdomain.com" or subject contains "System Health").
Scenario: User-Generated Email with Embedded Links
Description: Employees may send emails with internal links (e.g., to internal SharePoint or Teams) for collaboration, which can be flagged as potential phishing attempts.
Filter/Exclusion: Exclude emails from internal users (e.g., sender domain is yourdomain.com or sender contains "internal").
Scenario: Automated Testing Emails from DevOps Tools
Description: DevOps tools like Jenkins or GitLab may send test emails with links or payloads that trigger the phish detection rule during CI/CD pipeline testing.
Filter/Exclusion: Exclude emails from DevOps tools (e.g.,
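Combining the OrgLevelPolicy exclusion from the description with the sender and subject allow-lists the scenarios above suggest, as an added KQL example that is not part of the original hunting query or the Sentinel solution; the allow-list values are placeholders to replace with your own, and the final anomaly step goes beyond the original chart by flagging days whose count deviates from the 30-day baseline instead of only rendering the series.

```kql
// Added example, not from the original query: tuned version of the Phish Detections Trend hunt.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Placeholder allow-lists drawn from the false-positive scenarios above (assumed values).
let KnownSenders = dynamic(["backup@yourdomain.com", "monitoring@yourdomain.com", "admin@yourdomain.com"]);
let KnownSubjects = dynamic(["Backup Report", "System Health", "Password Reset"]);
EmailEvents
| where Timestamp >= TimeStart
// The exclusion that is commented out in the original: drop simulation and SecOps mailbox traffic.
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ThreatTypes has "Phish"
// Suppress the known automated senders and subjects listed in the scenarios.
| where SenderFromAddress !in~ (KnownSenders)
| where not(Subject has_any (KnownSubjects))
| make-series PhishDetections = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
// Decompose the daily series and keep only days flagged as anomalous against the baseline.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(PhishDetections, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), PhishDetections to typeof(long), Anomalies to typeof(double), Baseline to typeof(double)
| where Anomalies > 0
| project Timestamp, PhishDetections, Baseline
```

Drop the last four operators and append `| render timechart` to get the original daily chart with the exclusions applied.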