Adversaries distribute phishing lures and malware payloads in mail that Defender for Office 365 classifies as spam with only Normal confidence (not high-confidence spam or phishing). Such mail is handled by the ordinary anti-spam action rather than quarantined, and user or admin overrides (safe senders, allow lists, delivery policies) can move it into the Inbox. SOC teams should proactively review this population in Microsoft Sentinel to see where Normal-confidence spam is actually being delivered and to hunt for campaigns that evade the stricter verdicts.
KQL Query
EmailEvents
// Drop mail that the advanced delivery policy intentionally leaves unfiltered: phishing simulations and SecOps mailboxes
| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
// ConfidenceLevel is a JSON string such as {"Spam":"Normal","Phish":"High"}; this is a text match on the Spam verdict
| where ConfidenceLevel has_any ('Spam":"Normal')
// Group by where the message finally landed (Inbox, Junk, Quarantine, ...) after overrides and post-delivery actions
| summarize count() by LatestDeliveryLocation
| sort by count_ desc
| render piechart
id: 3f314fd9-332a-4d41-93f1-e9fca59e9bb0
name: Spam Detections (Normal) by delivery location
description: |
  This query visualises emails with Spam detections (Normal confidence), summarising the data by Delivery Location.
description-detailed: |
  This query visualises emails with Spam detections (Normal confidence), summarising them by Delivery Location; the final location reflects any User/Admin overrides and Policy actions.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ConfidenceLevel has_any ('Spam":"Normal')
  | summarize count() by LatestDeliveryLocation
  | sort by count_ desc
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (connectorId MicrosoftThreatProtection) data connector is enabled with the EmailEvents table selected |
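The query above only counts messages per location. The following is an added example (not the page's or the Sentinel solution's own query) that parses the verdict as JSON instead of text-matching it and adds the dimensions a hunter wants next: the latest delivery action, whether the message actually reached a mailbox, how many carried attachments or URLs, and whether an org or user policy decided the handling. Column names are those of the documented EmailEvents schema; the 7-day window, the `startswith "Inbox"` test for the "Inbox/folder" location value, and the output shape are my choices.

```kql
// Added example: Normal-confidence spam broken down by final delivery location and action.
// Assumes the EmailEvents table of the Microsoft Defender XDR connector in Sentinel.
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
// Same exclusions as the base query: mail the advanced delivery policy leaves unfiltered
| where OrgLevelPolicy !in ("Phishing simulation", "SecOps Mailbox")
// ConfidenceLevel is a JSON string, e.g. {"Spam":"Normal","Phish":"High"};
// parsing it is more robust than a text match on 'Spam":"Normal'
| extend Verdict = parse_json(ConfidenceLevel)
| where tostring(Verdict.Spam) == "Normal"
// Latest* columns reflect post-delivery moves (ZAP, admin remediation), so they are the
// authoritative answer to "where is this message now"
| extend ReachedMailbox = LatestDeliveryLocation startswith "Inbox"   // assumed value "Inbox/folder"
| summarize
    Messages        = count(),
    Senders         = dcount(SenderFromAddress),
    SenderDomains   = dcount(SenderFromDomain),
    Recipients      = dcount(RecipientEmailAddress),
    WithAttachments = countif(AttachmentCount > 0),
    WithUrls        = countif(UrlCount > 0),
    // OrgLevelPolicy / UserLevelPolicy name the tenant or user policy that decided the action
    // (allow lists, safe senders, transport rules); populated means an override was involved
    OrgPolicyHits   = countif(isnotempty(OrgLevelPolicy)),
    UserPolicyHits  = countif(isnotempty(UserLevelPolicy)),
    SampleSubjects  = make_set(Subject, 5)
    by LatestDeliveryLocation, LatestDeliveryAction, ReachedMailbox
| sort by ReachedMailbox desc, Messages desc
```

Rows with `ReachedMailbox == true` and non-zero `UserPolicyHits` or `OrgPolicyHits` are the ones to triage first: a Normal-confidence verdict plus an override is the combination that lets a campaign land in the Inbox. Swap the `summarize` for a `project` of `NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject` to drill into a single row.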
Scenario: Scheduled email reports generated by Microsoft Exchange Online or Google Workspace that are automatically sent to administrators for compliance purposes.
Filter/Exclusion: Exclude messages whose RecipientEmailAddress is one of the known report mailboxes and whose SenderFromDomain is the reporting service's domain with a passing DMARC or composite authentication result in AuthenticationDetails. EmailEvents does not expose arbitrary message headers, so a header-based exclusion has to be expressed with the columns that are present (sender, recipient, subject, authentication results).
Scenario: Automated backup jobs using Veeam or Commvault that send confirmation emails to the IT team.
Filter/Exclusion: Exclude messages with subjects such as "backup completed" or "backup job status" only when they also come from the backup system's configured sender address and pass authentication; subject text alone is attacker-controlled and is a common lure. EmailEvents does not carry the message body, so body keywords cannot be used here.
Scenario: Internal mail sent from user-created aliases, such as Microsoft 365 or Google Workspace aliases.
Filter/Exclusion: Exclude messages whose SenderFromDomain is one of the tenant's accepted domains and whose authentication result is a pass. Do not exclude mail merely because the From address does not match a known user account: that mismatch is exactly what spoofed and look-alike senders produce and is a signal to keep, not to drop.
Scenario: System-generated emails from SIEM tools like Splunk or IBM QRadar that notify about system events or alerts.
Filter/Exclusion: Exclude only the specific notification addresses the SIEM is configured to send from (for example an alerts mailbox on an internal domain) and only when authentication passes; a bare match on "SIEM" or "Alert" in the sender address is trivially spoofable.
Scenario: Emails sent by third-party services such as Stripe or Shopify for transactional purposes, like order confirmations or payment receipts.
Filter/Exclusion: Exclude messages where SenderFromDomain is the provider's sending domain and DMARC passes. Do not exclude on the presence of a transaction ID or order number in the subject; invoice and receipt lures imitate exactly those formats.
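The five exclusions above share one rule: key them on authenticated sender identity, and use subject keywords at most as a review flag. The following added example (not the page's own query) applies all five that way on top of the Normal-confidence spam population, and separately counts keyword-matching messages that did not authenticate, which is the backup-report lure rather than the backup report. Every domain, address and mailbox in the `let` statements is a hypothetical placeholder for your tenant, and the `{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}` shape assumed for AuthenticationDetails is my reading of the column, not something the page states.

```kql
// Added example: false-positive exclusions keyed on authenticated sender identity.
// Placeholder values; replace with your accepted domains, report mailboxes and senders.
let lookback = 7d;
let AcceptedDomains      = dynamic(["contoso.example"]);                      // hypothetical tenant domains
let ReportRecipients     = dynamic(["compliance-reports@contoso.example"]);  // hypothetical report mailboxes
let AutomationSenders    = dynamic(["backup@veeam.contoso.example",          // hypothetical backup/SIEM notifiers
                                    "alerts@siem.contoso.example"]);
let TransactionalDomains = dynamic(["stripe.com", "shopify.com"]);           // third-party sending domains
let BackupSubjects       = dynamic(["backup completed", "backup job status"]);
EmailEvents
| where Timestamp > ago(lookback)
| where OrgLevelPolicy !in ("Phishing simulation", "SecOps Mailbox")
| extend Verdict = parse_json(ConfidenceLevel)
| where tostring(Verdict.Spam) == "Normal"
// Assumed format: {"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}
| extend Auth = parse_json(AuthenticationDetails)
| extend DmarcPass    = tostring(Auth.DMARC) =~ "pass",
         CompAuthPass = tostring(Auth.CompAuth) =~ "pass"
| extend Authenticated = DmarcPass or CompAuthPass
| extend ExpectedNoise = case(
    // Scheduled reports: known recipient mailbox AND authenticated internal sender
    RecipientEmailAddress in~ (ReportRecipients)
        and SenderFromDomain in~ (AcceptedDomains) and Authenticated, "scheduled-report",
    // Backup and SIEM notifications: exact configured sender AND authentication pass
    SenderFromAddress in~ (AutomationSenders) and Authenticated,      "automation",
    // Internal aliases: our own domain, authenticated; never "From does not match a user"
    EmailDirection == "Intra-org"
        and SenderFromDomain in~ (AcceptedDomains) and Authenticated, "internal-alias",
    // Transactional providers: provider domain AND DMARC pass (domain alone is spoofable)
    SenderFromDomain in~ (TransactionalDomains) and DmarcPass,        "transactional",
    "")
// Subject keywords are a review flag only; an unauthenticated "backup completed" is a lure
| extend LooksLikeBackupReport = Subject has_any (BackupSubjects)
| where isempty(ExpectedNoise)
| summarize
    Messages    = count(),
    Senders     = dcount(SenderFromAddress),
    BackupLures = countif(LooksLikeBackupReport and not(Authenticated))
    by LatestDeliveryLocation
| sort by Messages desc
```

Keep the `let` lists short and reviewed; every entry is a place where a sender who compromises that domain or mailbox drops out of the hunt, which is why each exclusion also requires an authentication pass rather than a domain string alone.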