Adversaries may use compromised admin email accounts to submit false negatives, leveraging trusted sender domains to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or account compromise attempts.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
| where SubmissionContentType == "Mail" and SubmissionType in ("2", "1", "0")
| summarize count() by P2SenderDomain
| project P2SenderDomain, Emails = count_
| top 10 by Emails desc
```
```yaml
id: 138681b2-442b-46cb-b086-fbe9e407aa2c
name: Top 10 sender domains - Admin email submissions (FN)
description: |
  This query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails
description-detailed: |
  This query visualises emails submitted by admins as false negatives, summarizing the data by top 10 sender domains of those emails
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
  | where SubmissionContentType == "Mail" and SubmissionType in ("2", "1", "0")
  | summarize count() by P2SenderDomain
  | project P2SenderDomain, Emails = count_
  | top 10 by Emails desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
Possible false positives and the exclusion to apply for each:

- Scenario: Admin submits a support request via email using a legitimate domain (e.g., support@company.com)
  Filter/Exclusion: Exclude emails where the sender domain is in a predefined list of internal admin domains (e.g., *.company.com, *.internal.company.com)
- Scenario: Scheduled job sends a status update email to an admin mailbox (e.g., job-status@company.com)
  Filter/Exclusion: Exclude emails where the sender domain matches known job or service monitoring tools (e.g., *.monitoring.company.com, *.scheduler.company.com)
- Scenario: Admin uses a third-party email client (e.g., Microsoft Outlook) to send an email from a company domain
  Filter/Exclusion: Exclude emails where the sender domain is a company domain and the email client is known to be used by admins (e.g., *.outlook.com for internal users)
- Scenario: Email notification from a SIEM tool (e.g., Splunk, QRadar) is sent to an admin email address
  Filter/Exclusion: Exclude emails where the sender domain is a known SIEM or security tool domain (e.g., *.splunk.com, *.qradar.com)
- Scenario: Admin sends a test email from a development environment to a production admin mailbox
  Filter/Exclusion: Exclude emails where the sender domain is a development or staging domain (e.g., *.dev.company.com, *.stage.company.com)
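To check the query's filter and summarize logic, and the domain exclusions from the scenarios above, outside of Sentinel, here is an added Python example (not part of the original query or the Defender for Office 365 solution) that applies the same steps to constructed CloudAppEvents rows; the sample domains, the `company.com` exclusion suffix and the deliberately malformed `RawEventData` row are assumptions made for the example.

```python
import json
from collections import Counter

def _ev(action, **raw):
    return {"ActionType": action, "RawEventData": json.dumps(raw)}  # stored as JSON text

# Constructed sample rows (not real tenant data). Types 0/1/2 are the admin
# false-negative submissions the KQL keeps; the Url row, the non-admin row and
# the malformed RawEventData row must all be dropped without crashing.
SAMPLE_EVENTS = [
    _ev("AdminSubmissionSubmitted", SubmissionType=2, SubmissionContentType="Mail",
        P2SenderDomain="lookalike-example.test"),
    _ev("AdminSubmissionSubmitted", SubmissionType="1", SubmissionContentType="Mail",
        P2SenderDomain="lookalike-example.test"),
    _ev("AdminSubmissionSubmitted", SubmissionType=0, SubmissionContentType="Mail",
        P2SenderDomain="monitoring.company.com"),
    _ev("AdminSubmissionSubmitted", SubmissionType=2, SubmissionContentType="Url",
        P2SenderDomain="other.test"),
    _ev("UserSubmission", SubmissionType=2, SubmissionContentType="Mail",
        P2SenderDomain="other.test"),
    {"ActionType": "AdminSubmissionSubmitted", "RawEventData": "{not json"},
]
FN_SUBMISSION_TYPES = {"0", "1", "2"}
EXCLUDED_SUFFIXES = ("company.com",)  # *.company.com and deeper subdomains (assumed)

def extract_fn_sender_domain(event):
    """Mirror the KQL extend/where; return P2SenderDomain or None if not qualifying."""
    if event.get("ActionType") != "AdminSubmissionSubmitted":
        return None
    try:
        raw = json.loads(event.get("RawEventData") or "")
    except (TypeError, ValueError):
        return None  # malformed RawEventData: skip the row, keep hunting
    if not isinstance(raw, dict) or raw.get("SubmissionContentType") != "Mail":
        return None
    # KQL tostring() renders numeric 2 as "2", so compare as strings here too
    if str(raw.get("SubmissionType")) not in FN_SUBMISSION_TYPES:
        return None
    return raw.get("P2SenderDomain")

def top_sender_domains(events, limit=10, excluded_suffixes=EXCLUDED_SUFFIXES):
    """summarize count() by P2SenderDomain | top N, minus excluded domains."""
    counts = Counter()
    for ev in events:
        domain = extract_fn_sender_domain(ev)
        if domain and not any(domain == s or domain.endswith("." + s)
                              for s in excluded_suffixes):
            counts[domain] += 1
    return counts.most_common(limit)  # [(domain, count), ...] highest first
```

Pass `excluded_suffixes=()` to reproduce the unfiltered query exactly; the default suffix list is where the scenario exclusions above would be maintained.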