
Top 10 External Senders (Spam)

Tags: kql · medium · Azure-Sentinel · T1566 · EmailEvents · hunting · microsoft · official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

Identifies the top 10 external sender addresses delivering inbound emails classified as spam. To exclude your own organization's domains (including subdomains), uncomment the filter that follows the spam filter in the query and replace "yourdomain.com" with your actual domain.

KQL Query

EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has "Spam"
//| where SenderFromAddress !contains ".yourdomain.com"
| summarize count() by SenderFromAddress
| sort by count_ desc
| top 10 by count_
| render piechart
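The query's optional own-domain exclusion is a substring test, and that has two consequences a hunter should see before relying on it: "!contains '.yourdomain.com'" does not exclude the bare domain (user@yourdomain.com has no dot in front of the domain), and it does exclude any external address whose domain merely contains that substring, such as a lookalike subdomain on an attacker-controlled host. The following Python is an added example, not part of the Azure-Sentinel rule or the Defender for Office 365 workbook: it replays the query's filtering and aggregation over constructed EmailEvents-like rows (column names follow the EmailEvents schema, values are made up), using "contoso.com" as an assumed organization domain, and compares the substring exclusion with a suffix match on the domain part. The helper names (has_token, is_own_domain, top_spam_senders) are mine. In KQL the suffix form would be a pair of endswith tests on "@yourdomain.com" and ".yourdomain.com"; endswith, like contains, is case-insensitive by default.

```python
# Added example: replays the "Top 10 External Senders (Spam)" logic over
# constructed rows and compares two ways of excluding the organization's domain.
from collections import Counter

# Constructed sample rows (not real telemetry). Column names follow the
# EmailEvents schema; the organization's domain is assumed to be contoso.com.
EMAIL_EVENTS = [
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "promo@deals.example"},
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "promo@deals.example"},
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "promo@deals.example"},
    {"EmailDirection": "Inbound", "ThreatTypes": "Phish, Spam", "SenderFromAddress": "billing@invoices.example"},
    # Phish-only verdict: dropped by the 'ThreatTypes has "Spam"' filter
    {"EmailDirection": "Inbound", "ThreatTypes": "Phish", "SenderFromAddress": "ceo@contoso.com"},
    # Outbound: dropped by the EmailDirection filter
    {"EmailDirection": "Outbound", "ThreatTypes": "Spam", "SenderFromAddress": "user@contoso.com"},
    # Inbound mail claiming the organization's own domain (spoofed, or an external relay)
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "hr@contoso.com"},
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "it@mail.contoso.com"},
    # Lookalike: an external domain that merely contains ".contoso.com" as a substring
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "SenderFromAddress": "alerts@login.contoso.com.evil-example.net"},
]


def has_token(threat_types: str, token: str) -> bool:
    """Approximates KQL 'has': case-insensitive match on a whole term in a comma-separated list."""
    terms = threat_types.replace(",", " ").split()
    return token.casefold() in {t.casefold() for t in terms}


def is_own_domain(address: str, own_domain: str) -> bool:
    """Suffix match on the domain part: the bare domain or any subdomain of it."""
    domain = address.rsplit("@", 1)[-1].casefold()
    own = own_domain.casefold()
    return domain == own or domain.endswith("." + own)


def top_spam_senders(rows, n=10, own_domain=None, exclusion="endswith"):
    """Mirror the hunting query: Inbound, has "Spam", optional own-domain
    exclusion, summarize count() by SenderFromAddress, top n by count.

    exclusion="contains" reproduces the rule's commented-out
    '!contains ".yourdomain.com"' filter; "endswith" uses is_own_domain().
    """
    counts = Counter()
    for row in rows:
        if row["EmailDirection"] != "Inbound":
            continue
        if not has_token(row["ThreatTypes"], "Spam"):
            continue
        addr = row["SenderFromAddress"]
        if own_domain is not None:
            if exclusion == "contains":
                if ("." + own_domain).casefold() in addr.casefold():
                    continue
            elif is_own_domain(addr, own_domain):
                continue
        counts[addr] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    print("no exclusion:        ", top_spam_senders(EMAIL_EVENTS))
    print("!contains exclusion: ", top_spam_senders(EMAIL_EVENTS, own_domain="contoso.com", exclusion="contains"))
    print("suffix exclusion:    ", top_spam_senders(EMAIL_EVENTS, own_domain="contoso.com"))
```

Running it shows the substring version keeping hr@contoso.com (the bare domain slips through) while silently dropping the lookalike alerts@login.contoso.com.evil-example.net; the suffix version does the opposite. Whichever form you choose in KQL, remember that the query already restricts to EmailDirection == "Inbound", so any own-domain sender that remains is mail that entered from outside while claiming your domain, which is often more interesting to a hunter than the bulk senders at the top of the chart.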

Analytic Rule Definition

id: debd82cc-2507-4c93-bd0a-a58926fc6d3a
name: Top 10 External Senders (Spam)
description: |
  Identifies the top 10 external sender addresses delivering inbound emails classified as spam.
  If you want to exclude your own organization's domains (including subdomains), add a filter after the spam filter, e.g.:
    | where SenderFromAddress !contains ".yourdomain.com"
  (Replace "yourdomain.com" with your actual domain.)
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | where ThreatTypes has "Spam"
  //| where SenderFromAddress !contains ".yourdomain.com"
  | summarize count() by SenderFromAddress
  | sort by count_ desc
  | top 10 by count_
  | render piechart
version: 1.0.0

Required Data Sources

Sentinel Table    Notes
EmailEvents       Ensure this data connector is enabled (connectorId: MicrosoftThreatProtection)

False Positive Guidance

This is a volume report rather than an alert: it ranks senders by how many inbound messages Defender for Office 365 classified as spam, so the top entries are typically bulk or marketing senders and a high count is not on its own evidence of a targeted campaign. The optional own-domain exclusion is a substring test ("!contains"), which does not exclude the bare domain (user@yourdomain.com) and does exclude any external domain that happens to contain ".yourdomain.com", such as a lookalike subdomain on an attacker host; a suffix test ("!endswith" on both "@yourdomain.com" and ".yourdomain.com") is the safer form. Because the query is already limited to EmailDirection == "Inbound", any sender bearing your own domain in the results is mail that arrived from outside while claiming your domain, so consider reviewing those rows rather than filtering them out.

MITRE ATT&CK Context

Tactic: Initial Access (TA0001). Technique: T1566 (Phishing). The mapping reflects the inbound-email delivery vector that phishing shares with spam; a spam verdict by itself is a bulk-mail signal, not a confirmed phishing detection, so treat this query as visibility into who is sending into the organization rather than as a T1566 detection.

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/General/Top 10 External Senders (Spam).yaml