Adversaries use external sender addresses to deliver malware or phishing payloads over email (MITRE ATT&CK T1566, Phishing). SOC teams should proactively hunt for the senders behind this activity in Microsoft Sentinel (formerly Azure Sentinel) so that a compromise vector can be identified and blocked early, before a delivered message is opened.
KQL Query
// Count inbound messages that Defender for Office 365 classified as malware or phishing, per sender address.
// The ThreatTypes filter is what restricts the result to malicious senders; without it the query counts every inbound sender.
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Malware", "Phish")
| summarize count() by SenderFromAddress
| sort by count_
id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
name: Top external malicious senders
description: |
  This query lists the external senders that delivered the most malware or phishing emails to the organization in the last 30 days.
description-detailed: |
  This query lists the external senders that delivered the most malware or phishing emails to the organization in the last 30 days, using Microsoft Defender for Office 365 data (the EmailEvents table).
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where EmailDirection == "Inbound"
  | where ThreatTypes has_any ("Malware", "Phish")
  | summarize count() by SenderFromAddress
  | sort by count_
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection) is enabled with the EmailEvents table selected; the table is only populated for tenants licensed for Defender for Office 365 |
Scenario: Legitimate email backup or synchronization jobs using tools like Microsoft Exchange Online Backup or Veeam Backup & Replication
Filter/Exclusion: Exclude the sending domains of known backup services (e.g., backup.microsoft.com, veeam.com) by filtering on SenderFromDomain, or maintain a custom list of trusted external domains and apply it in the query. Check the sender's authentication results before excluding: an allow-listed domain whose messages fail SPF, DKIM or DMARC is more likely being spoofed than running a backup job.
Scenario: Automated email reporting or alerting from Microsoft Defender for Office 365 or Cisco Secure Email Gateway
Filter/Exclusion: Exclude mail from these notification services by SenderFromDomain (e.g., defender.microsoft.com, cisco.com). Internal-to-internal traffic from monitoring tools is already removed by the EmailDirection == "Inbound" filter, since EmailEvents records such mail as Intra-org, so no separate header-based internal/external check is needed.
Scenario: Scheduled email notifications from ServiceNow or Jira to external stakeholders
Filter/Exclusion: Notifications the organization sends outward are recorded as Outbound and never match this query. Cloud-hosted ServiceNow or Jira instances that mail into the organization are Inbound and can be excluded by SenderFromDomain (e.g., servicenow.com, atlassian.com) or via the custom trusted-domain list.
Scenario: Email notifications from AWS S3 or CloudWatch for storage alerts or log delivery
Filter/Exclusion: Exclude AWS notification senders by SenderFromDomain, listing each sending domain exactly (e.g., amazonaws.com, aws.com, cloudwatch.amazonaws.com). Prefer exact matching over a bare suffix match: endswith "aws.com" would also accept a registered look-alike such as notaws.com.
Scenario: Email-based collaboration tools like Microsoft Teams or Slack sending meeting reminders or notifications
Filter/Exclusion: Exclude collaboration-platform senders by SenderFromDomain (e.g., teams.microsoft.com, slack.com). Avoid excluding a broad domain such as microsoft.com outright: it is frequently impersonated in phishing, and SenderFromAddress is the attacker-controlled From: header, so only suppress such a domain when AuthenticationDetails shows the message passed DMARC.
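The following KQL is an added example, not the original hunting query and not Microsoft's code: it extends the query above with the exclusions described in the scenarios, applied safely. The trusted_domains list is a placeholder built from the domains named on this page and should be replaced with the organization's own list; the DMARC check assumes the AuthenticationDetails column carries the JSON verdicts ({"SPF":"pass","DKIM":"pass","DMARC":"pass",...}) that Defender for Office 365 writes there.

```kql
// Added example (not part of the original hunting query).
// Placeholder allow list taken from the scenarios on this page; list each
// sending domain exactly (e.g., cloudwatch.amazonaws.com as well as amazonaws.com).
let trusted_domains = dynamic([
    "veeam.com", "servicenow.com", "atlassian.com",
    "amazonaws.com", "cloudwatch.amazonaws.com",
    "slack.com", "teams.microsoft.com"
]);
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
// Keep only messages Defender for Office 365 flagged as malware or phishing.
| where ThreatTypes has_any ("Malware", "Phish")
// AuthenticationDetails is a JSON string of per-protocol verdicts; pull out DMARC.
| extend Dmarc = tostring(parse_json(AuthenticationDetails).DMARC)
// Suppress an allow-listed domain only when the message really came from it.
// A spoofed From: header fails DMARC and therefore stays in the results.
| where not(SenderFromDomain in~ (trusted_domains) and Dmarc =~ "pass")
| summarize Messages  = count(),
            Recipients = dcount(RecipientEmailAddress),
            Delivered  = countif(DeliveryAction == "Delivered"),
            Threats    = make_set(ThreatTypes),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp)
    by SenderFromAddress, SenderFromDomain, SenderMailFromDomain
| sort by Messages desc
| take 50
```

The Delivered column is the one to triage first: a sender whose malicious mail was Blocked or Junked is noise, while one with delivered messages to several recipients needs mailbox purging and a block-list entry. Comparing SenderFromDomain (the From: header) with SenderMailFromDomain (the envelope sender) also surfaces the header/envelope mismatch that is typical of spoofed senders.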