Adversaries may use sophisticated spam techniques to bypass traditional detection controls, indicating potential evasion of email security measures. SOC teams should proactively hunt for this behavior to identify and mitigate advanced spam campaigns that could lead to phishing or malware delivery.
KQL Query
//This query visualises total emails with Spam detections over time summarizing the data daily by various Spam Detection technologies/controls in Microsoft Defender for Office 365.
let minTime = startofday(ago(30d)); // last 30 days by default, replace 30d with the desired period
let maxTime = startofday(now());
let baseQuery = EmailEvents
| where DetectionMethods has "Spam"
| where Timestamp >= minTime;
let ml=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Advanced filter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Advanced filter";
let gf=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'General filter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "General filter";
let bl=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'BulkFilter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "BulkFilter";
let mx=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Mixed analysis detection'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Mixed analysis detection";
let frp=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Fingerprint matching'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Fingerprint matching";
let umr=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'URL malicious reputation'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "URL malicious reputation";
let dr=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Domain reputation'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Domain reputation";
let ipr=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'IP reputation'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "IP reputation";
union ml,gf,bl,mx,frp,umr,dr,ipr
| project Count, Details, Timestamp
| render timechart
id: f977d3e3-a97f-4568-b621-bd589732b8f2
name: Spam Detections by Detection technology
description: |
This query visualises total emails with Spam detections over time by various Spam Detection technologies/controls.
description-detailed: |
This query visualises total emails with Spam detections over time summarizing the data daily by various Spam Detection technologies/controls in Microsoft Defender for Office 365.
Taken from the the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query visualises total emails with Spam detections over time summarizing the data daily by various Spam Detection technologies/controls in Microsoft Defender for Office 365.
let minTime = startofday(ago(30d)); // last 30 days by default, replace 30d with the desired period
let maxTime = startofday(now());
let baseQuery = EmailEvents
| where DetectionMethods has "Spam"
| where Timestamp >= minTime;
let ml=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Advanced filter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Advanced filter";
let gf=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'General filter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "General filter";
let bl=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'BulkFilter'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "BulkFilter";
let mx=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Mixed analysis detection'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Mixed analysis detection";
let frp=baseQuery
| where Timestamp >= minTime
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT)
| where Spam has 'Fingerprint matching'
| make-series Count= count() default = 0 on Timestamp from minTime to maxTime step 1d
| extend Details = "Fingerprint matching";
let umr=baseQuer| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled email archiving job triggers spam detection due to bulk email processing
Filter/Exclusion: Exclude emails with subject containing “Archive” or “Backup” and sender matching internal archiving service email addresses.
Scenario: Legitimate email from a third-party service (e.g., Google Workspace) flagged due to known spam IP ranges
Filter/Exclusion: Exclude emails from IP ranges associated with known email service providers (e.g., 142.250.179.0/24 for Google).
Scenario: Internal testing emails sent via a mail relay tool (e.g., Mailgun) flagged as spam
Filter/Exclusion: Exclude emails with X-Mailer header containing “Mailgun” or “SendGrid” and from address matching internal testing domains.
Scenario: System-generated emails (e.g., from a ticketing system like Zendesk) flagged by spam filters
Filter/Exclusion: Exclude emails with subject containing “Ticket” or “Support” and from address matching internal support email domains.
Scenario: Admin task emails (e.g., from Microsoft 365 admin center) flagged as spam due to content similarity to phishing templates
Filter/Exclusion: Exclude emails with from address containing “admin” or “microsoft.com” and subject containing “Admin” or “Security”.