Adversaries may target specific users with malware or phishing emails to gain initial access or exfiltrate data. Proactively hunting for these targeted users in Azure Sentinel can help identify potential compromise early and prevent further lateral movement or data loss.
KQL Query
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
| summarize count() by RecipientEmailAddress
| sort by count_
id: a1664330-810a-473b-b354-acbaa751a294
name: Top targeted users
description: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
description-detailed: |
This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware" or ThreatTypes has "Phish"
| summarize count() by RecipientEmailAddress
| sort by count_
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: System administrator sends a scheduled phishing email test to a subset of users for security awareness training.
Filter/Exclusion: Exclude emails sent by the system admin account (sender = "admin@company.com") or emails with a specific subject line like "Security Awareness Test - Do Not Reply".
Scenario: A user receives a legitimate phishing email from a trusted partner as part of a business process (e.g., invoice verification).
Filter/Exclusion: Exclude emails from known partner domains (from_domain = "trustedpartner.com") or emails with a specific sender email address (sender = "noreply@trustedpartner.com").
Scenario: A scheduled job runs a script that sends out automated reports to multiple users, which is flagged as potential phishing.
Filter/Exclusion: Exclude emails sent by a specific service account (sender = "reporting-service@company.com") or emails with a specific message ID or content header.
Scenario: A user receives a phishing email from a malicious domain that mimics the company’s internal email system.
Filter/Exclusion: Exclude emails from domains that are known to be spoofed or flagged by the email security gateway (from_domain = "spoofed-company.com").
Scenario: A user receives a phishing email from an external vendor that is part of a legitimate business process (e.g., vendor onboarding).
Filter/Exclusion: Exclude emails from known vendor domains (from_domain = "vendorcompany.com") or emails with a specific “X-Message-ID” header indicating they are part of a known business process.