Adversaries may target specific users with phishing emails to gain initial access, harvest credentials or exfiltrate data. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify the most-targeted mailboxes, spot potential compromise early and reduce the risk of lateral movement from a phished account.
KQL Query
```kql
EmailEvents
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox" // Uncomment to exclude simulation and SecOps mailbox deliveries
| where ThreatTypes has "Phish" and EmailDirection == "Inbound" // Inbound mail carrying a Phish verdict
| summarize count() by RecipientEmailAddress // One row per recipient with the number of phish received
| sort by count_
| top 15 by count_ // Keep the 15 most-targeted recipients
//| render columnchart // Uncomment to display as a column graph
//| render piechart // Uncomment to display as a piechart
```
```yaml
id: da24d001-6a74-4a48-89a7-c99ec1f45d32
name: Top Users receiving Phish
description: |
  This query visualises total inbound emails with Phish detections, summarising the data by the top recipient email address (RecipientEmailAddress).
description-detailed: |
  This query visualises total inbound emails with Phish detections, summarising the data by the top recipient email address (RecipientEmailAddress).
  The commented-out line in the query excludes deliveries to the SecOps Mailbox and mail sent by the Phish Simulation system. Remove the "//" to apply the exclusion.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  //| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ThreatTypes has "Phish" and EmailDirection == "Inbound"
  | summarize count() by RecipientEmailAddress
  | sort by count_
  | top 15 by count_
  //| render columnchart // Uncomment to display as a column graph
  //| render piechart // Uncomment to display as a piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
Scenario: Scheduled Email Reports
Description: A scheduled job runs daily to generate a phishing report and emails it to a central admin mailbox; the report itself can be flagged as phish.
Filter/Exclusion: Exclude the mailbox used for scheduled report delivery (e.g., reports@company.com) by filtering on the RecipientEmailAddress field.
Scenario: User Account Sync Tool
Description: An automated tool syncs user accounts between Active Directory and an email system, sending confirmation emails to users' primary email addresses.
Filter/Exclusion: Exclude the sync tool's traffic by checking RecipientEmailAddress against a known list of addresses used by the sync process (e.g., sync-tool@company.com).
Scenario: Internal Help Desk Communication
Description: The internal help desk sends phishing awareness emails to all employees as part of a monthly training campaign.
Filter/Exclusion: Exclude mail from the help desk address (e.g., helpdesk@company.com) by filtering on the sender address (SenderFromAddress in EmailEvents), optionally combined with RecipientEmailAddress where only certain recipients should be excluded.
Scenario: Automated Password Reset Emails
Description: A password reset tool sends emails to users who have initiated a password change; the reset content (links, urgency wording) may be flagged as phishing.
Filter/Exclusion: Exclude the reset tool's mail by checking RecipientEmailAddress against the list of users who recently requested a reset, or more simply by excluding the tool's sender address.
Scenario: Email Archiving System Notifications
Description: An email archiving system sends notifications to administrators about archived emails, and those notifications may quote phishing-related messages.
Filter/Exclusion: Exclude the archiving system's notification mailbox (e.g., archive-notifications@company.com) by filtering on the RecipientEmailAddress field.
Caveat: every exclusion on RecipientEmailAddress also hides real phish delivered to that mailbox, so keep the exclusion list short, prefer excluding by sender address or OrgLevelPolicy where the false positive has a fixed source, and review the excluded mailboxes separately. Checking DeliveryAction alongside the count tells you whether the phish actually reached the user or was blocked or junked.
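The hunt above with the exclusions from these scenarios applied, as an added example; it is not the query from the original page or from the Defender for Office 365 solution. The 30-day lookback, the mailbox and sender addresses in the two lists, and the added delivery and sender columns are assumptions chosen for illustration; replace the addresses with your own.

```kql
// Added example (not from the original page): the "Top Users receiving Phish"
// hunt with the scenario exclusions applied. Addresses and the 30d window are
// placeholders/assumptions.
let lookback = 30d;
// Mailboxes that legitimately receive phish-like mail (scheduled reports,
// archiving notifications, account sync tool). Hypothetical addresses.
let serviceMailboxes = dynamic([
    "reports@company.com",
    "archive-notifications@company.com",
    "sync-tool@company.com"
]);
// Internal senders whose mail is expected to trip a Phish verdict
// (awareness campaigns, password reset tool). Hypothetical addresses.
let expectedSenders = dynamic([
    "helpdesk@company.com",
    "password-reset@company.com"
]);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where ThreatTypes has "Phish"
// Exclusions from the scenarios above; remove a line to widen the hunt.
| where OrgLevelPolicy !in~ ("Phishing simulation", "SecOps Mailbox")
| where RecipientEmailAddress !in~ (serviceMailboxes)
| where SenderFromAddress !in~ (expectedSenders)
| summarize
    PhishCount = count(),
    // How many of those phish actually landed in the mailbox
    Delivered = countif(DeliveryAction == "Delivered"),
    DistinctSenders = dcount(SenderFromAddress),
    SampleSubjects = make_set(Subject, 3)
    by RecipientEmailAddress
| top 15 by PhishCount desc
```

The `!in~` operator is case-insensitive, so a mixed-case address in the data still matches the allow-list; the `Delivered` column separates recipients who merely attract phish from those who actually received it and should be prioritised for follow-up.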