Top 100 malicious email senders

Hunt Hypothesis

Adversaries may use known malicious email senders to deliver phishing or malware payloads, leveraging compromised or spoofed accounts to evade basic email filtering. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential spear-phishing campaigns and mitigate lateral movement risks.

KQL Query

EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish" or ThreatTypes has "Malware" 
| summarize total=count() by SenderMailFromAddress 
| top 100 by total

Analytic Rule Definition

id: 12225f50-9d41-4b78-8269-cc127d98654c
name: Top 100 malicious email senders
description: |
  This query helps reviewing top 100 malicious senders
description-detailed: |
  This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where ThreatTypes has "Phish" or ThreatTypes has "Malware" 
  | summarize total=count() by SenderMailFromAddress 
  | top 100 by total
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Mailflow/Top 100 malicious email senders.yaml)

False Positive Guidance

Scenario: A system administrator is using Microsoft Exchange Online to send a scheduled report to a team email address.
Filter/Exclusion: Exclude email senders associated with internal Microsoft services (e.g., admin@domain.com, service@domain.com) or use a filter based on the From header containing @domain.com where domain.com is the organization’s domain.
Scenario: A scheduled backup job is configured to send email notifications to the IT helpdesk using AWS SES.
Filter/Exclusion: Exclude email senders that match the AWS SES SMTP relay IP or use a filter based on the From header containing backup@domain.com or a known internal email alias.
Scenario: A third-party SaaS tool (e.g., Zoom, Slack) sends automated emails to users for meeting reminders or notifications.
Filter/Exclusion: Exclude senders that match known SaaS email domains (e.g., @zoom.us, @slack.com) or use a filter based on the From header containing the SaaS tool’s domain.
Scenario: A devOps team is using Jenkins to trigger automated deployments and sends email alerts to the on-call team.
Filter/Exclusion: Exclude senders that match the Jenkins SMTP relay or use a filter based on the From header containing jenkins@domain.com or a known internal alias.
Scenario: A user is manually testing email notifications from an internal Power Automate flow to verify alert functionality.
Filter/Exclusion: Exclude senders that match the Power Automate test email alias (e.g., test@domain.com) or use a filter based on the From header containing test@domain.com.