Adversaries may leverage post-delivery admin actions to exfiltrate data or maintain persistence within an organization’s email infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential abuse of administrative privileges and detect covert exfiltration attempts.
KQL Query
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionTrigger has "AdminAction";
let sdelete=baseQuery
| where Action has 'Soft Delete'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Soft Delete";
let hdelete=baseQuery
| where Action has 'Hard Delete'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Hard Delete";
let mtojunk=baseQuery
| where Action has 'Moved to junk folder'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Moved to junk folder";
let mtoinbox=baseQuery
| where Action has 'Moved to inbox'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Moved to inbox";
let qrel=baseQuery
| where Action has 'Quarantine release'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Quarantine release";
union sdelete,hdelete,mtojunk,mtoinbox,qrel
| project Count, Details, Timestamp
| render timechart
id: ee4dc300-5eaa-4cc5-b455-e53cb427e215
name: Post Delivery Events by Admin
description: |
  This query visualises the daily amount of emails that had an admin post delivery action, summarizing the data by action type
description-detailed: |
  This query visualises the daily amount of emails that had an admin post delivery action, summarizing the data by action type
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where ActionTrigger has "AdminAction";
  let sdelete=baseQuery
  | where Action has 'Soft Delete'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Soft Delete";
  let hdelete=baseQuery
  | where Action has 'Hard Delete'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Hard Delete";
  let mtojunk=baseQuery
  | where Action has 'Moved to junk folder'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Moved to junk folder";
  let mtoinbox=baseQuery
  | where Action has 'Moved to inbox'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Moved to inbox";
  let qrel=baseQuery
  | where Action has 'Quarantine release'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Quarantine release";
  union sdelete,hdelete,mtojunk,mtoinbox,qrel
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
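The timechart above shows the daily volume per action but leaves it to the analyst to spot the unusual day. The following KQL is an added example, not part of the original hunting query or the Defender for Office 365 Sentinel solution; it builds the same daily series in one `make-series ... by Action` step (grouping on the exact `Action` value, so variants the five `has` filters above do not name also appear) and then uses the built-in `series_decompose_anomalies()` to flag days whose count spikes above that action's own 30-day baseline. The threshold of 1.5 is the function's default and is an assumption to tune per tenant.

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionTrigger has "AdminAction"
// One daily series per distinct Action value instead of five hand-written let blocks
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Action
// Flag points that deviate from the series' own baseline
// (threshold 1.5 = library default, -1 = auto-detect seasonality, 'linefit' = linear trend)
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5, -1, 'linefit')
// Unpack the parallel arrays back into one row per day and action
| mv-expand Timestamp to typeof(datetime), Count to typeof(long), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
// Keep positive spikes only; an unusually quiet day is not the concern of this hunt
| where Anomalies > 0
| project Timestamp, Action, Count, Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Score desc
```

Run this alongside the timechart rather than instead of it: the chart gives the trend context, while this list gives a ranked set of day/action pairs to pivot into `EmailPostDeliveryEvents` (by `Timestamp` and `Action`) and on to the affected `RecipientEmailAddress` and `NetworkMessageId` values.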
Scenario: Scheduled Email Archiving Job
Description: A scheduled job runs daily to archive old emails, which triggers post-delivery admin actions such as moving messages to an archive folder.
Filter/Exclusion: Exclude events where the action is related to archiving (e.g., action_type = "move_to_archive" or tool = "EmailArchiver").
Scenario: Daily Email Backup Process
Description: An automated backup process runs nightly to back up all emails, which may involve post-delivery actions like copying or exporting messages.
Filter/Exclusion: Exclude events where the source is a backup tool (e.g., tool = "EmailBackupTool" or action_type = "copy_to_backup").
Scenario: Admin User Performing Bulk Email Deletion
Description: An admin user manually deletes a large number of emails in a single action, which may be flagged as post-delivery admin activity.
Filter/Exclusion: Exclude events where the user is an admin and the action is deletion (e.g., user_role = "admin" AND action_type = "delete"). Because admin-triggered deletion is exactly what this query is meant to surface, scope such an exclusion to named accounts or a documented change window rather than to every admin deletion.
Scenario: Email Retention Policy Enforcement
Description: A system automatically enforces email retention policies, moving or deleting emails based on predefined rules, which can trigger post-delivery actions.
Filter/Exclusion: Exclude events where the action is related to retention policies (e.g., policy_id = "retention-policy-001" or action_type = "delete_by_policy").
Scenario: Email Forwarding Rule Triggered by External Source
Description: An email forwarding rule is triggered by an external system, resulting in post-delivery actions such as forwarding or redirecting emails.
Filter/Exclusion: Exclude events where the source is an external system or automated forwarding rule (e.g.,
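The field names in the scenarios above (`action_type`, `tool`, `user_role`, `policy_id`) are illustrative and do not exist in the `EmailPostDeliveryEvents` table, which exposes the action as `Action`, `ActionType`, `ActionTrigger` and `ActionResult` together with `RecipientEmailAddress` and `NetworkMessageId`, and carries no column for the acting admin account. The KQL below is an added example, not part of the original query, showing how the archiving/backup and bulk-deletion exclusions can be expressed against those real columns: a constructed allowlist of service mailboxes whose admin-triggered actions are expected, and a constructed table of approved cleanup windows tied to change tickets. The mailbox addresses, window times and ticket id are placeholders to replace with your own.

```kql
let TimeStart = startofday(ago(30d));
// Constructed allowlist: mailboxes owned by archiving/backup automation (placeholders)
let ServiceMailboxes = dynamic(["archive-service@example.com", "backup-mailbox@example.com"]);
// Constructed approved bulk-cleanup windows; one row per change ticket (placeholder values)
let ApprovedWindows = datatable(WindowStart:datetime, WindowEnd:datetime, Ticket:string) [
    datetime(2024-01-15 01:00:00), datetime(2024-01-15 03:00:00), "CHG-000123"
];
EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionTrigger has "AdminAction"
// Scenario 1/2: drop actions against mailboxes that archiving or backup jobs are known to touch
| where RecipientEmailAddress !in~ (ServiceMailboxes)
// Scenario 3: cross-join against the (small) window table and count how many windows each event falls in
| extend JoinKey = 1
| join kind=leftouter (ApprovedWindows | extend JoinKey = 1) on JoinKey
| extend InWindow = Timestamp between (WindowStart .. WindowEnd)
| summarize WindowHits = countif(InWindow)
    by Timestamp, NetworkMessageId, RecipientEmailAddress, Action, ActionType, ActionResult
| where WindowHits == 0
// What remains is unexplained admin activity; show volume and spread per day and action
| summarize Messages = count(), Recipients = dcount(RecipientEmailAddress)
    by bin(Timestamp, 1d), Action, ActionType
| order by Timestamp desc, Messages desc
```

The `Recipients` column is the useful second signal: a retention or archiving job touches many mailboxes evenly, whereas a large `Messages` count concentrated in one or two recipients on a single day is the pattern worth reviewing. Attribution of who performed the action has to come from the Office 365 unified audit log rather than from this table.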