Adversaries who gain administrative privileges in a tenant may abuse admin override capabilities in email policies (organization-level allow and block rules) to bypass standard blocking actions, so that phishing mail, exfiltrated data or command-and-control traffic that a policy would otherwise have stopped gets through. SOC teams should proactively hunt for this in Microsoft Sentinel (formerly Azure Sentinel). The query below baselines the number of emails blocked each day by an organization-level (admin) policy: a sudden drop in that series can reveal a policy that was disabled or narrowed, and a spike can reveal an active campaign, and either warrants a review of recent policy changes and of the accounts that made them.
KQL Query

```kusto
EmailEvents
| where OrgLevelPolicy != "" and OrgLevelAction == "Block"
| make-series TotalAdminOverrides = count() default = 0 on Timestamp step 1d
// | render columnchart // Uncomment this line to render as a graph
```
```yaml
id: 89a0a2aa-69c8-4586-95f5-7d003901adec
name: Total Emails with Admin Overrides (Block)
description: |
  This query visualises the number of emails subject to an organization-level (admin) policy with an action of Block, summarized daily.
description-detailed: |
  This query visualises the number of emails subject to an organization-level (admin) policy with an action of Block, summarized daily.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where OrgLevelPolicy != "" and OrgLevelAction == "Block"
  | make-series TotalAdminOverrides = count() default = 0 on Timestamp step 1d
  // | render columnchart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ingested by the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled and the EmailEvents data type is selected, otherwise the series is empty rather than zero |
Known benign scenarios that match this query, with the exclusion to apply for each. The column names below are those of the EmailEvents table (Subject, SenderFromAddress, OrgLevelPolicy); the example addresses are placeholders to replace with your tenant's accounts. Each exclusion deliberately requires the sender and the context together: a subject keyword on its own is chosen by whoever sends the mail, so excluding on it alone would let an attacker suppress real blocks.

Scenario: Scheduled email archiving job using Microsoft Exchange Online Archiving
Filter/Exclusion: Exclude emails where Subject contains "Archive" or "Backup" and SenderFromAddress is a known archive service account (e.g., archive@domain.com).

Scenario: Microsoft 365 admin manually overrides email policies during a compliance review
Filter/Exclusion: EmailEvents carries no field recording why an override was applied, so key this exclusion on the policy itself: exclude emails where OrgLevelPolicy is the policy created for the review (e.g., one named "Compliance Review" or "Legal Hold") and SenderFromAddress is a known admin account (e.g., admin@domain.com).

Scenario: ServiceNow or Zendesk sends automated emails to users that match an organization-level Block policy
Filter/Exclusion: Exclude emails where Subject contains "Service Request" or "Ticket Update" and SenderFromAddress is a known service account (e.g., service@domain.com).

Scenario: Microsoft Defender for Office 365 sends automated notification emails that match an organization-level Block policy
Filter/Exclusion: Exclude emails where Subject contains "Threat Detected" or "Security Alert" and SenderFromAddress is a known security service account (e.g., defender@domain.com).

Scenario: Power Automate or Flow sends test emails for validation that match an organization-level Block policy
Filter/Exclusion: Exclude emails where Subject contains "Test" or "Validation" and SenderFromAddress is a known automation account (e.g., flow@domain.com).
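The base hunting query with the exclusions from the scenarios above applied and a per-day anomaly flag added, as an added example; it is not part of the original query or of the Defender for Office 365 solution in Sentinel. The sender addresses, subject terms, policy names and the 30-day lookback are placeholder assumptions to replace per tenant; `series_decompose_anomalies` is a built-in KQL function, and `default = 0` in `make-series` is what makes a day with no blocks visible as a zero rather than a missing point.

```kusto
// Added example, not the original query: the base predicate, the benign-sender
// exclusions from the scenarios above, and a daily anomaly flag.
// Addresses, subject terms, policy names and the lookback are placeholders (assumptions).
let lookback = 30d;
// Known benign senders and the subject terms that accompany their mail (placeholders).
let benignSenders = dynamic(["archive@domain.com", "service@domain.com",
                             "defender@domain.com", "flow@domain.com"]);
let benignSubjectTerms = dynamic(["Archive", "Backup", "Service Request", "Ticket Update",
                                  "Threat Detected", "Security Alert", "Test", "Validation"]);
// Admin accounts and the policies used during a compliance review (placeholders).
let reviewAdmins = dynamic(["admin@domain.com"]);
let reviewPolicies = dynamic(["Compliance Review", "Legal Hold"]);
EmailEvents
| where Timestamp > ago(lookback)
// Same predicate as the base query: an org-level (admin) policy applied with action Block.
| where isnotempty(OrgLevelPolicy) and OrgLevelAction == "Block"
// Exclusions require the sender AND the context together; a subject keyword alone
// is attacker-controlled and must never suppress a block on its own.
| where not(SenderFromAddress in~ (benignSenders) and Subject has_any (benignSubjectTerms))
| where not(SenderFromAddress in~ (reviewAdmins) and OrgLevelPolicy in~ (reviewPolicies))
// Daily series over a fixed window. default = 0 means a day with no blocks shows as 0
// instead of vanishing, which is what exposes a policy that was silently disabled or narrowed.
| make-series TotalAdminOverrides = count() default = 0
    on Timestamp from ago(lookback) to now() step 1d
// Built-in decomposition: flag is +1 for a spike above the baseline, -1 for a drop below it.
| extend (AnomalyFlag, AnomalyScore, Baseline) = series_decompose_anomalies(TotalAdminOverrides, 1.5)
| mv-expand Timestamp to typeof(datetime), TotalAdminOverrides to typeof(long),
    AnomalyFlag to typeof(int), AnomalyScore to typeof(real), Baseline to typeof(real)
| where AnomalyFlag != 0
| project Timestamp, TotalAdminOverrides, Baseline, AnomalyFlag, AnomalyScore
| order by Timestamp asc
```

Remove the `where AnomalyFlag != 0` line and append `| render columnchart` to see the whole series as the base query draws it. A day flagged -1 is the one to triage first: in the plain chart it is only a low bar, but it is the signature of a Block policy that stopped firing, so check who changed the policy that day before assuming mail volume simply dropped.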