Adversaries are likely using business email compromise spoofing to impersonate legitimate users and exfiltrate sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate BEC attacks before significant data loss occurs.
KQL Query

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
| where DetectionMethods has 'Spoof'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "SpoofEmails"
| render timechart
```
```yaml
id: 61c73b2b-4c62-4015-8677-f569d1e83b57
name: Spoof Detections Trend
description: |
  This query visualises the total number of emails with Business Email Compromise (BEC) spoofing detections over time, summarising the data daily.
description-detailed: |
  This query visualises the total number of emails with Business Email Compromise (BEC) spoofing detections over time, summarising the data daily.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  | where DetectionMethods has 'Spoof'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "SpoofEmails"
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Daily system health check email sent by the IT helpdesk using a predefined template.
  Filter/Exclusion: Exclude emails sent from the IT helpdesk email address or those matching the "System Health Check" subject line.
- Scenario: Automated backup job notification email sent by the backup system (e.g., Veeam, Commvault).
  Filter/Exclusion: Exclude emails sent from the backup system's email address or those containing the word "backup" in the subject or body.
- Scenario: Scheduled report generation by a SIEM tool (e.g., Splunk, IBM QRadar) that includes email notifications.
  Filter/Exclusion: Exclude emails sent from the SIEM tool's admin email address or those with a "Scheduled Report" keyword in the subject.
- Scenario: User-generated email reminders for calendar events using Microsoft Outlook or Google Calendar.
  Filter/Exclusion: Exclude emails sent from user accounts with a "Reminder" or "Event" keyword in the subject line, or from calendar service email addresses.
- Scenario: Email notifications from a ticketing system (e.g., ServiceNow, Zendesk) informing users of new tickets or updates.
  Filter/Exclusion: Exclude emails sent from the ticketing system's email domain or those containing "Ticket" or "Support" in the subject line.
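The exclusions above applied to the page's spoof-trend query, as an added example that is not part of the original hunting query. It goes one step further than dropping the matches: it splits the daily series into known automation and unexplained spoof detections so the analyst keeps sight of the baseline. The sender addresses and subject keywords are hypothetical placeholders for a tenant's own values.

```kql
// Added example, not from the original query. Sender addresses and subject
// keywords below are hypothetical placeholders; replace them per tenant.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Known automated senders from the false-positive scenarios (placeholders, lowercase).
let KnownSenders = dynamic([
    "helpdesk@example.com",              // IT helpdesk health check
    "backup-noreply@example.com",        // backup job notifications
    "siem-admin@example.com",            // SIEM scheduled reports
    "calendar-notification@example.com", // calendar reminders
    "noreply@tickets.example.com"        // ticketing system updates
]);
// Subject keywords from the scenarios. A spoofed message can carry any subject,
// so a keyword alone is not trusted: it must pair with a known sender address.
let KnownSubjectPatterns = dynamic([
    "System Health Check", "backup", "Scheduled Report",
    "Reminder", "Event", "Ticket", "Support"
]);
EmailEvents
| where Timestamp between (TimeStart .. TimeEnd)
| where DetectionMethods has 'Spoof'
| extend IsKnownAutomation = tolower(SenderFromAddress) in (KnownSenders)
                             and Subject has_any (KnownSubjectPatterns)
// Keep both populations so a drop in the "Unexplained" line is visible
// separately from routine automation noise.
| extend Details = iff(IsKnownAutomation, "KnownAutomation", "Unexplained")
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Details
| render timechart
```

Review the "KnownAutomation" series periodically: a sudden rise there can mean a legitimate automated sender has been spoofed rather than that automation volume grew.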