Adversaries may use phishing emails to compromise user credentials, and quarantining these emails indicates potential phishing activity that could lead to account takeovers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate phishing threats before they result in data breaches or lateral movement.
KQL Query
EmailEvents
| where EmailDirection == "Inbound" and DetectionMethods has 'Phish' and DeliveryLocation == "Quarantine"
| project DT=parse_json(DetectionMethods)| evaluate bag_unpack(DT)| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
| render piechart
id: 5caf3813-c628-48e2-be65-71b95be7ff85
name: Quarantine Phish Reason
description: |
This query visualises the total amount of phish emails that are quarantined, summarized by the detection method
description-detailed: |
This query visualises the total amount of phish emails that are quarantined, summarized by the detection method
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where EmailDirection == "Inbound" and DetectionMethods has 'Phish' and DeliveryLocation == "Quarantine"
| project DT=parse_json(DetectionMethods)| evaluate bag_unpack(DT)| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
| render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled email archiving job moves quarantined emails to archive storage
Filter/Exclusion: Exclude emails moved by the Microsoft Exchange Archiving Job or Microsoft 365 Data Archiving tool using the message-header: X-MS-Exchange-Organization-Message-Id or subject: Archive keyword.
Scenario: System administrator manually quarantines a legitimate email for review
Filter/Exclusion: Exclude emails quarantined by Exchange Online Protection (EOP) admin using the sender: admin@domain.com or subject: Quarantine Review Request filter.
Scenario: Automated email cleanup tool moves old emails from quarantine to a retention folder
Filter/Exclusion: Exclude emails moved by Microsoft Purge or Retention Policy using the message-header: X-MS-Exchange-Organization-Message-Id or subject: Retention Move keyword.
Scenario: Email security gateway quarantines a legitimate email due to a false positive in content filtering
Filter/Exclusion: Exclude emails flagged by Cisco Secure Email Gateway (SEG) with the header: X-Cisco-SG-Quarantine-Reason: FalsePositive or subject: False Positive Alert filter.
Scenario: Email encryption tool temporarily quarantines emails during encryption process
Filter/Exclusion: Exclude emails quarantined by Symantec Endpoint Encryption (SEP) using the header: X-Symantec-Quarantine-Reason: EncryptionPending or subject: Encryption in Progress filter.