Adversaries may be targeting specific users through malware, phishing, or spam emails to gain initial access or exfiltrate data. Proactively hunting for these targeted users in Azure Sentinel helps identify potential compromise early and mitigate lateral movement risks.
KQL Query

```kql
EmailEvents
| where (ThreatTypes has "Malware" or ThreatTypes has "Phish" or ThreatTypes has "Spam") and EmailDirection == "Inbound"
| summarize count() by RecipientEmailAddress
| sort by count_
| top 10 by count_
| render piechart
```
```yaml
id: b8330f6e-fc47-40ce-b225-5d3b055c6446
name: Top 10 Targeted Users (Malware+Phish+Spam)
description: |
  Identifies the top 10 users receiving inbound emails classified as malware, phishing, or spam.
  Based on concepts from the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where (ThreatTypes has "Malware" or ThreatTypes has "Phish" or ThreatTypes has "Spam") and EmailDirection == "Inbound"
  | summarize count() by RecipientEmailAddress
  | sort by count_
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Spam Filter Job Processing
- Description: A scheduled job runs the spam filter tool (e.g., Microsoft Defender for Office 365 spam filter) which processes a large volume of emails, temporarily increasing the count of spam emails received by users.
- Filter/Exclusion: Exclude emails flagged by the spam filter during scheduled processing times using a time-based filter in the detection logic (e.g., email.timestamp >= start_of_job AND email.timestamp <= end_of_job).

Scenario: User Receives Automated Marketing Emails
- Description: A user receives a high volume of legitimate marketing emails that are incorrectly classified as spam by the email security gateway (e.g., Microsoft Defender for Office 365).
- Filter/Exclusion: Exclude emails from known marketing domains or email domains whitelisted in the organization's email policies (e.g., email.from_domain NOT IN ('marketing.com', 'newsletter.org')).

Scenario: Systematic Phishing Simulation Campaign
- Description: The security team runs a phishing simulation using tools like Microsoft Secure Score or third-party tools like KnowBe4, which sends test emails to users. These emails are flagged as phishing by the email classification system.
- Filter/Exclusion: Exclude emails sent from the internal security team's email address or from known simulation domains (e.g., email.from_email IN ('security-team@company.com', 'simulate@phishingtest.com')).

Scenario: User Receives Bulk Email from a Service Provider
- Description: A user receives a large number of emails from a service provider (e.g., a cloud storage service) that are mistakenly classified as malware or spam due to a misconfigured email classification rule.
- Filter/Exclusion: Exclude emails from trusted service provider domains (e.g., email.from_domain IN ('cloudservice.com', 'storageprovider.net')).
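As an added example (not code from the original page or from the Sentinel content pack), the following Python models the hunting query's predicate and per-recipient aggregation over constructed EmailEvents-like rows, and applies the four false-positive exclusions from the scenarios above so the untuned and tuned "top targeted users" lists can be compared side by side. It assumes the real EmailEvents columns SenderFromAddress, SenderFromDomain and Timestamp as the counterparts of the pseudo-fields email.from_email, email.from_domain and email.timestamp used in the scenarios; every address, domain, timestamp and job window below is a made-up placeholder, and `has_term` approximates KQL's whole-term `has` on the comma-separated ThreatTypes value.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows, not real telemetry. Column names follow the EmailEvents
# table; every address, domain and time is made up for this example.
SAMPLE_EMAIL_EVENTS = [
    # alice: two genuine threats
    {"Timestamp": "2024-05-01T08:05:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Phish",
     "RecipientEmailAddress": "alice@company.com", "SenderFromAddress": "login@evil.example",
     "SenderFromDomain": "evil.example"},
    {"Timestamp": "2024-05-01T09:00:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Malware",
     "RecipientEmailAddress": "alice@company.com", "SenderFromAddress": "invoice@attacker.example",
     "SenderFromDomain": "attacker.example"},
    # bob: two phishing-simulation mails and one mis-classified newsletter
    {"Timestamp": "2024-05-01T10:00:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Phish",
     "RecipientEmailAddress": "bob@company.com", "SenderFromAddress": "simulate@phishingtest.com",
     "SenderFromDomain": "phishingtest.com"},
    {"Timestamp": "2024-05-01T10:01:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Phish",
     "RecipientEmailAddress": "bob@company.com", "SenderFromAddress": "simulate@phishingtest.com",
     "SenderFromDomain": "phishingtest.com"},
    {"Timestamp": "2024-05-01T11:00:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Spam",
     "RecipientEmailAddress": "bob@company.com", "SenderFromAddress": "promo@marketing.com",
     "SenderFromDomain": "marketing.com"},
    # carol: one spam verdict inside the scheduled job window, one real multi-verdict threat
    {"Timestamp": "2024-05-01T02:10:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Spam",
     "RecipientEmailAddress": "carol@company.com", "SenderFromAddress": "bulk@junk.example",
     "SenderFromDomain": "junk.example"},
    {"Timestamp": "2024-05-01T12:00:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Phish, Spam",
     "RecipientEmailAddress": "carol@company.com", "SenderFromAddress": "reset@evil.example",
     "SenderFromDomain": "evil.example"},
    # dave: outbound mail and clean inbound mail, never counted by the base query
    {"Timestamp": "2024-05-01T13:00:00Z", "EmailDirection": "Outbound", "ThreatTypes": "Phish",
     "RecipientEmailAddress": "dave@company.com", "SenderFromAddress": "dave@company.com",
     "SenderFromDomain": "company.com"},
    {"Timestamp": "2024-05-01T13:05:00Z", "EmailDirection": "Inbound", "ThreatTypes": "",
     "RecipientEmailAddress": "dave@company.com", "SenderFromAddress": "hr@partner.example",
     "SenderFromDomain": "partner.example"},
    # erin: one mis-classified message from an allow-listed service provider
    {"Timestamp": "2024-05-01T14:00:00Z", "EmailDirection": "Inbound", "ThreatTypes": "Malware",
     "RecipientEmailAddress": "erin@company.com", "SenderFromAddress": "files@cloudservice.com",
     "SenderFromDomain": "cloudservice.com"},
]

# Placeholder tuning values taken from the scenarios above; replace with your own lists.
SIMULATION_SENDERS = {"security-team@company.com", "simulate@phishingtest.com"}
ALLOWED_DOMAINS = {"marketing.com", "newsletter.org", "cloudservice.com", "storageprovider.net"}
JOB_WINDOWS = [(datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
                datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc))]


def has_term(threat_types, term):
    """Approximate KQL `has`: case-insensitive match on a whole comma-separated term."""
    terms = {t.strip().lower() for t in threat_types.split(",") if t.strip()}
    return term.lower() in terms


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:05:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_query(row):
    """The base hunting predicate: inbound mail carrying a Malware, Phish or Spam verdict."""
    return (row["EmailDirection"] == "Inbound"
            and any(has_term(row["ThreatTypes"], t) for t in ("Malware", "Phish", "Spam")))


def is_tuned_out(row, simulation_senders, allowed_domains, job_windows):
    """Apply the false-positive exclusions: simulation senders, allow-listed
    domains, and Spam verdicts that fall inside a scheduled filter-job window."""
    if row["SenderFromAddress"].lower() in simulation_senders:
        return True
    if row["SenderFromDomain"].lower() in allowed_domains:
        return True
    if has_term(row["ThreatTypes"], "Spam"):
        ts = parse_ts(row["Timestamp"])
        if any(start <= ts <= end for start, end in job_windows):
            return True
    return False


def top_targeted_users(rows, n=10, tune=True, simulation_senders=SIMULATION_SENDERS,
                       allowed_domains=ALLOWED_DOMAINS, job_windows=JOB_WINDOWS):
    """Equivalent of `summarize count() by RecipientEmailAddress | top n by count_`,
    optionally with the tuning exclusions applied before aggregation.
    Returns a list of (recipient, count) sorted by count desc, then address."""
    counts = Counter()
    for row in rows:
        if not matches_query(row):
            continue
        if tune and is_tuned_out(row, simulation_senders, allowed_domains, job_windows):
            continue
        counts[row["RecipientEmailAddress"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("untuned:", top_targeted_users(SAMPLE_EMAIL_EVENTS, tune=False))
    print("tuned:  ", top_targeted_users(SAMPLE_EMAIL_EVENTS))
```

On the sample rows the untuned list is led by bob, whose three hits are all simulation or newsletter traffic, while the tuned list shows only alice and carol, the recipients of genuine threats. In Sentinel the same exclusions belong in a `| where not(...)` clause placed before `summarize`; note that the time-window exclusion is scoped to Spam verdicts, so phishing or malware that happens to arrive during the job window is still counted.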