Adversaries may use external sender addresses to deliver malware via phishing emails, leveraging compromised or spoofed domains to bypass initial email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware distribution channels and prevent lateral movement or data exfiltration.
KQL Query
```kql
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has "Malware"
//| where SenderFromAddress !contains ".yourdomain.com"
| summarize count() by SenderFromAddress
| sort by count_ desc
| top 10 by count_
| render piechart
```
```yaml
id: 530ef5e4-7ee4-4d70-a8e2-a06459605c02
name: Top 10 External Senders (Malware)
description: |
  Identifies the top 10 external sender addresses delivering inbound emails classified as malware.
  If you want to exclude your own organization's domains (including subdomains), add a filter after the malware filter, e.g.:
    | where SenderFromAddress !contains ".yourdomain.com"
  (Replace "yourdomain.com" with your actual domain.)
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | where ThreatTypes has "Malware"
  //| where SenderFromAddress !contains ".yourdomain.com"
  | summarize count() by SenderFromAddress
  | sort by count_ desc
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Internal System Health Checks
Description: Automated health check tools (e.g., Nagios, Zabbix) or internal monitoring systems may send outbound emails to internal recipients for status updates or alerts.
Filter/Exclusion: Exclude internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or internal domain names (e.g., @internal.corp.com) using a custom filter in SIEM or email security tools.
Scenario: Scheduled Job Notifications
Description: Scheduled jobs (e.g., Jenkins, Airflow) or cron jobs may send email notifications to administrators or teams about job status, failures, or completions.
Filter/Exclusion: Exclude emails sent from known job scheduling tools or specific sender addresses (e.g., notifications@jenkins.corp.com) using a sender-based exclusion list in the email security gateway (e.g., Microsoft Defender for Office 365, Proofpoint).
Scenario: User-Initiated Email Campaigns
Description: Marketing or customer service teams may send outbound emails to external recipients as part of legitimate campaigns (e.g., newsletters, support emails).
Filter/Exclusion: Exclude emails sent from known marketing domains (e.g., marketing@company.com) or use a sender reputation filter to block emails from domains with low spam scores.
Scenario: Third-Party Service Alerts
Description: Third-party services (e.g., AWS, Azure, Cloudflare) may send alert emails to internal administrators about service status, security events, or configuration changes.
Filter/Exclusion: Exclude emails from known service provider domains (e.g., aws.amazon.com, azure.com) using a domain-based exclusion
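The following is an added example, not part of the original hunting query or the Defender for Office 365 workbook it is based on. It combines the two exclusions discussed above: the own-domain filter suggested in the query description and the sender-based exclusion list suggested for the scheduled-job and third-party-alert scenarios. The suggested `SenderFromAddress !contains ".yourdomain.com"` is a plain substring match, so it keeps `user@yourdomain.com` (no leading dot) and drops a look-alike such as `login.yourdomain.com.example`; the example instead compares the `SenderFromDomain` column of EmailEvents for an exact apex-domain match or a subdomain suffix. The sample rows, `OrgDomain`, and `KnownSenders` are constructed placeholders and must be replaced with your own values; the `let EmailEvents = datatable(...)` shadows the real table only so the query can be run without tenant data and should be removed when running against Sentinel.

```kql
// Constructed sample rows standing in for the EmailEvents table (assumption: not real tenant data).
// Remove this let statement to run the query against the live EmailEvents table.
let EmailEvents = datatable(Timestamp:datetime, EmailDirection:string, ThreatTypes:string, SenderFromAddress:string, SenderFromDomain:string)
[
    datetime(2024-05-01 08:00), "Inbound",  "Malware",        "invoice@evil-example.net",        "evil-example.net",
    datetime(2024-05-01 08:05), "Inbound",  "Malware",        "invoice@evil-example.net",        "evil-example.net",
    datetime(2024-05-01 08:10), "Inbound",  "Malware, Phish", "hr@payroll-example.org",          "payroll-example.org",
    datetime(2024-05-01 08:20), "Inbound",  "Malware",        "scanner@yourdomain.com",          "yourdomain.com",
    datetime(2024-05-01 08:25), "Inbound",  "Malware",        "alerts@mail.yourdomain.com",      "mail.yourdomain.com",
    datetime(2024-05-01 08:30), "Inbound",  "Malware",        "it@login.yourdomain.com.example", "login.yourdomain.com.example",
    datetime(2024-05-01 08:40), "Inbound",  "Phish",          "ceo@evil-example.net",            "evil-example.net",
    datetime(2024-05-01 08:45), "Outbound", "Malware",        "user@yourdomain.com",             "yourdomain.com",
    datetime(2024-05-01 09:00), "Inbound",  "Malware",        "notifications@jenkins.corp.com",  "jenkins.corp.com"
];
// Assumptions: replace with your organization's apex domain and your known-good notification senders
// (job schedulers, monitoring systems, service-provider alert addresses).
let OrgDomain = "yourdomain.com";
let KnownSenders = dynamic(["notifications@jenkins.corp.com"]);
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has "Malware"
| extend Sender = tolower(SenderFromAddress), Domain = tolower(SenderFromDomain)
// Own domain: exact apex match or a genuine subdomain (suffix ".yourdomain.com"),
// so "yourdomain.com" is excluded and "login.yourdomain.com.example" is kept.
| where not(Domain == OrgDomain or Domain endswith strcat(".", OrgDomain))
// Allowlisted internal notification senders that are expected to trip malware verdicts on attachments
| where Sender !in (KnownSenders)
| summarize EmailCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by Sender, Domain
| top 10 by EmailCount desc
```

Against the constructed rows the query returns three senders: `invoice@evil-example.net` (2), `hr@payroll-example.org` (1) and `it@login.yourdomain.com.example` (1). The phish-only row, the outbound row, both own-domain rows and the allowlisted Jenkins sender are filtered out, while the look-alike domain that a substring match would have hidden stays in the results. Keeping `FirstSeen`/`LastSeen` alongside the count makes it easy to tell a one-off burst from a sender that has been delivering malware over days.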