Adversaries may exploit user override policies to bypass email filtering and deliver malicious content, leveraging T1566 techniques to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or malware delivery vectors that bypass standard email security controls.
KQL Query

```kql
EmailEvents
| where UserLevelPolicy != "" and UserLevelAction == "Allow"
| summarize Emails=count() by UserLevelAction,UserLevelPolicy,ThreatTypes
| sort by Emails
// | render columnchart // Uncomment this line to render as a graph
```
```yaml
id: d7f4b1d0-018f-4033-8618-523bde350d23
name: Total Emails with User Overrides (Allow)
description: |
  This query visualises the number of emails subject to a user-level policy with an action of Allow, summarising the data by type of override and threat types found.
description-detailed: |
  This query visualises the number of emails subject to a user-level policy with an action of Allow, summarising the data by type of override and threat types found.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where UserLevelPolicy != "" and UserLevelAction == "Allow"
  | summarize Emails=count() by UserLevelAction,UserLevelPolicy,ThreatTypes
  | sort by Emails
  // | render columnchart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Scheduled Email Archiving Job
  - Description: A scheduled job runs daily to archive old emails, which may include emails that match the policy criteria due to their subject or content.
  - Filter/Exclusion: Exclude emails sent by the archiving service account (e.g., archive@company.com) using the sender_email field.
- Scenario: User Override for Internal Compliance Reports
  - Description: A user with compliance responsibilities overrides the email policy to send internal reports to a specific group, which may trigger the rule due to the override action.
  - Filter/Exclusion: Exclude emails where the override_reason field contains the keyword "compliance" or "internal report".
- Scenario: System-Wide Email Notification for Admin Tasks
  - Description: An admin task, such as a system-wide email notification for maintenance or updates, may trigger the rule due to the override action.
  - Filter/Exclusion: Exclude emails sent by the system admin account (e.g., admin@company.com) or those with a subject line containing "system maintenance".
- Scenario: Email Forwarding from a Shared Mailbox
  - Description: Emails forwarded from a shared mailbox (e.g., shared-support@company.com) may be flagged due to the override action, even though the forwarding is legitimate.
  - Filter/Exclusion: Exclude emails originating from shared mailboxes using the mailbox_type field or by checking the sender_email against a list of known shared mailboxes.
- Scenario: User Override for Internal Training Emails
  - Description: A user overrides the email policy to send internal training emails to a team, which may be misclassified as a potential threat.
  - Filter/Exclusion: Exclude emails where the override_reason field contains the keyword "training" or "internal education".
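The following is an added tuning example that builds on the hunting query above and applies the false-positive exclusions from the scenarios; it is not part of the original query or the Sentinel solution. The mailbox addresses and subject keywords are placeholders taken from the scenarios, and because EmailEvents has no override_reason or mailbox_type column, the keyword exclusions are applied to Subject and the mailbox exclusions to SenderFromAddress.

```kql
// Added tuning example (not the original hunting query).
// Assumed placeholders: the sender addresses and subject terms below are constructed
// from the false-positive scenarios; replace them with your tenant's real values.
let ServiceSenders = dynamic(["archive@company.com", "admin@company.com", "shared-support@company.com"]);
let BenignSubjectTerms = dynamic(["system maintenance", "compliance", "internal report", "training", "internal education"]);
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(UserLevelPolicy) and UserLevelAction == "Allow"
// Prioritise overrides that let a detected threat through; clean mail allowed by an override is lower risk
| where isnotempty(ThreatTypes)
// Sender-based exclusions (archiving service, admin account, known shared mailboxes)
| where SenderFromAddress !in~ (ServiceSenders)
// Subject-keyword exclusions standing in for the override_reason field the scenarios describe
| where not(Subject has_any (BenignSubjectTerms))
// Keep pivot fields so an analyst can move from the aggregate to the individual messages
| summarize Emails=count(),
            Recipients=dcount(RecipientEmailAddress),
            Senders=make_set(SenderFromAddress, 10),
            SampleMessageIds=make_set(NetworkMessageId, 5)
          by UserLevelPolicy, ThreatTypes, DeliveryAction, DeliveryLocation
| sort by Emails desc
```

Subject-keyword exclusions depend on text the sender controls, so treat them as a last resort and prefer the sender-address exclusions where possible. Review the excluded rows periodically so an allow-listed mailbox that is later compromised does not stay invisible to the hunt.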