User overrides of email filtering settings may allow malicious emails to bypass security controls and reach inboxes, indicating potential phishing or spam activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that bypass standard email security measures.
KQL Query
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where ConfidenceLevel != "" and UserLevelPolicy!="" and UserLevelAction == "Allow" and DeliveryAction == "Delivered";
let spam=baseQuery
| where ThreatTypes has 'Spam'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Spam";
let phish=baseQuery
| where ThreatTypes has 'Phish'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Phish";
union spam,phish
| project Count, Details, Timestamp
| render timechart
id: 1ff2e300-32fa-4aa1-95b2-46106043a23c
name: Spam and Phish allowed to inbox by User Overrides
description: |
This query helps in reviewing malicious emails allowed due to user overrides
description-detailed: |
This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where ConfidenceLevel != "" and UserLevelPolicy!="" and UserLevelAction == "Allow" and DeliveryAction == "Delivered";
let spam=baseQuery
| where ThreatTypes has 'Spam'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Spam";
let phish=baseQuery
| where ThreatTypes has 'Phish'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Phish";
union spam,phish
| project Count, Details, Timestamp
| render timechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: User manually moves a legitimate email from the spam folder to the inbox using Gmail’s UI
Filter/Exclusion: email_service = "Gmail" AND action = "user_move_from_spam_to_inbox"
Scenario: A scheduled job or automation tool (e.g., Zapier, Microsoft Power Automate) moves emails from a shared spam folder to the inbox
Filter/Exclusion: source_folder = "shared_spam" AND destination_folder = "inbox" AND automation_tool = "PowerAutomate"
Scenario: An admin or user uses a third-party email client (e.g., Outlook.com, Thunderbird) to move emails from spam to inbox
Filter/Exclusion: email_client = "Thunderbird" OR email_client = "Outlook.com" AND action = "move_from_spam_to_inbox"
Scenario: A system administrator uses the Exchange Online PowerShell to move emails from spam to inbox as part of routine maintenance
Filter/Exclusion: cmdlet = "Move-MailboxMessage" AND mailbox = "admin_mailbox" AND folder = "spam"
Scenario: A user receives a legitimate email from a known sender (e.g., internal team, partner) that is mistakenly flagged as spam and then moved to inbox
Filter/Exclusion: sender = "internal_team@company.com" OR sender = "partner@partner.com" AND action = "user_move_from_spam_to_inbox"