Adversaries may establish persistent communication channels between compromised hosts and command-and-control servers by creating or modifying sender-recipient contact configurations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 infrastructure and disrupt ongoing malicious activities.
KQL Query
```kusto
// Baseline: senders (display name containing "Microsoft") with more than three
// delivered messages older than 30 days, i.e. an established contact.
let emailDelivered = EmailEvents
| where Timestamp < ago(30d)
    and DeliveryAction == "Delivered"
    and SenderDisplayName contains "Microsoft"
| summarize count() by SenderFromAddress
| where count_ > 3 // ensuring that some level of communication has occurred
| project SenderFromAddress;
// Candidates: inbound mail delivered in the last 24 hours from a sender that is
// not in the baseline (leftanti join keeps only first-contact senders).
EmailEvents
| where Timestamp > ago(24h)
| where DeliveryAction == "Delivered"
    and EmailDirection == "Inbound"
    and OrgLevelAction != "Block"
    and UserLevelAction != "Block"
    and SenderDisplayName contains "Microsoft" // Change the name here
// NewMsg is false for replies and forwards, true for a fresh thread
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti (emailDelivered) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
```
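To check what the query's baseline and leftanti join actually keep, here is an added Python re-implementation of the same logic run over constructed EmailEvents-like rows (this is not part of the hunting query and the sender addresses, display names and subjects are made up). The 30-day baseline window follows the query as written; only the columns the query touches are modelled.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed timestamps are reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

def row(days_ago, sender, display, subject, org="Allow", user="Allow"):
    """Build one constructed EmailEvents-style record (sample data, not telemetry)."""
    return {"Timestamp": NOW - timedelta(days=days_ago), "SenderFromAddress": sender,
            "SenderDisplayName": display, "Subject": subject, "EmailDirection": "Inbound",
            "DeliveryAction": "Delivered", "OrgLevelAction": org, "UserLevelAction": user}

EVENTS = (
    # established sender: four deliveries older than 30 days, plus one today
    [row(31 + i, "noreply@contoso.example", "Microsoft Account", "Sign-in") for i in range(4)]
    + [row(0.5, "noreply@contoso.example", "Microsoft Account", "Sign-in"),
       # first contact in the last 24h, fresh thread -> flagged, NewMsg true
       row(0.2, "it-support@lookalike.example", "Microsoft 365 Support", "Password expiry"),
       # first contact but subject marked as a reply -> flagged, NewMsg false
       row(0.1, "billing@lookalike.example", "Microsoft Billing", "RE: invoice"),
       # first contact but blocked by org policy -> excluded
       row(0.1, "alerts@lookalike.example", "Microsoft Security", "Alert", org="Block"),
       # only two old deliveries: below the threshold, so still treated as new
       row(40, "news@contoso.example", "Microsoft News", "Digest"),
       row(45, "news@contoso.example", "Microsoft News", "Digest"),
       row(0.3, "news@contoso.example", "Microsoft News", "Digest")]
)

def established_senders(events, name="Microsoft", min_count=3):
    """Baseline (the emailDelivered let-statement): senders with more than
    min_count delivered messages older than 30 days."""
    counts = Counter(e["SenderFromAddress"] for e in events
                     if e["Timestamp"] < NOW - timedelta(days=30)
                     and e["DeliveryAction"] == "Delivered"
                     and name in e["SenderDisplayName"])
    return {s for s, c in counts.items() if c > min_count}

def first_contact_senders(events, name="Microsoft"):
    """Main query: inbound deliveries in the last 24h from senders not in the
    baseline (the leftanti join); NewMsg is False for RE:/FW: subjects."""
    baseline = established_senders(events, name)
    hits = {}
    for e in events:
        if (e["Timestamp"] > NOW - timedelta(hours=24)
                and e["DeliveryAction"] == "Delivered"
                and e["EmailDirection"] == "Inbound"
                and e["OrgLevelAction"] != "Block" and e["UserLevelAction"] != "Block"
                and name in e["SenderDisplayName"]
                and e["SenderFromAddress"] not in baseline):
            new_msg = not ("RE:" in e["Subject"] or "FW:" in e["Subject"])
            hits[e["SenderFromAddress"]] = (e["Subject"], new_msg)
    return hits
```

Note that a sender whose history is entirely inside the last 30 days (like the two-message news sender above) never enters the baseline, so it is reported as first contact each day it sends until its older messages cross the 30-day boundary.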
```yaml
id: b2beec6a-2c1c-4319-a191-e70c2ee42857
name: Sender recipient contact establishment
description: |
  This query helps in checking the sender-recipient contact establishment status
description-detailed: |
  This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(30d)
      and DeliveryAction == "Delivered"
      and SenderDisplayName contains "Microsoft"
  | summarize count() by SenderFromAddress
  | where count_ > 3 // ensuring that some level of communication has occurred
  | project SenderFromAddress;
  EmailEvents
  | where Timestamp > ago(24h)
  | where DeliveryAction == "Delivered"
      and EmailDirection == "Inbound"
      and OrgLevelAction != "Block"
      and UserLevelAction != "Block"
      and SenderDisplayName contains "Microsoft" // Change the name here
  | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
  | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
  | join kind=leftanti (emailDelivered) on SenderFromAddress
  | order by SenderMailFromAddress
  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator uses PowerShell to send a test email via Send-MailMessage to verify email server connectivity.
  - Filter/Exclusion: Exclude events where the source process is powershell.exe and the command line contains Send-MailMessage or Test-Email.
- Scenario: A scheduled job runs a script to notify the team by email about system maintenance using a tool such as blat or mailutil.
  - Filter/Exclusion: Exclude events where the source process is a known job scheduler (e.g., schtasks.exe, cron) and the email is sent to a predefined admin group or monitoring address.
- Scenario: A user manually sends an email from their desktop using Microsoft Outlook to a colleague.
  - Filter/Exclusion: Exclude events where the source process is outlook.exe and the recipient is a known internal user or within the same domain.
- Scenario: A DevOps pipeline uses curl or wget to send a notification email via an SMTP relay during a deployment.
  - Filter/Exclusion: Exclude events where the source process is curl or wget and the email is sent to a predefined alert or monitoring address.
- Scenario: A security tool such as CrowdStrike or Microsoft Defender for Endpoint sends an email alert to the SOC team about a potential threat.
  - Filter/Exclusion: Exclude events where the source process is a known security tool (e.g., CrowdStrikeAgent.exe, MsDefender.exe) and the recipient is a SOC team email address.