Users are likely submitting false positive email reports, which could indicate an adversary attempting to manipulate or bypass phishing detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and refine their email security defenses.
KQL Query
```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// All user submission events; the submission type and content type live in the RawEventData JSON
let baseQuery = CloudAppEvents
| where ActionType contains "UserSubmission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType);
// Daily series of mail items users reported as phish (SubmissionType 1) that the filter let through
let User_Phish_FN=baseQuery
| make-series Count= countif(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "User_Phish_FN";
// Daily series of mail items users reported as spam (SubmissionType 0)
let User_Spam_FN=baseQuery
| make-series Count= countif(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "User_Spam_FN";
// Daily series of attack-simulation training mails reported by users
let User_AttackSim_Submission=baseQuery
| make-series Count= countif(ActionType == "AttackSimUserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "User_AttackSim_Submission";
// Stack the three series on one chart
union User_Phish_FN,User_Spam_FN,User_AttackSim_Submission
| project Count, Details, Timestamp
| render timechart
```
```yaml
id: 395047c1-254e-43fb-ad6e-ae74c8e0a873
name: User Email Submission Trend (FN)
description: |
  This query visualises the daily amount of user false negative submissions by submission type, including phish simulations reported by users.
description-detailed: |
  This query visualises the daily amount of user false negative submissions by submission type, including phish simulations reported by users.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = CloudAppEvents
  | where ActionType contains "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType);
  let User_Phish_FN=baseQuery
  | make-series Count= countif(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "User_Phish_FN";
  let User_Spam_FN=baseQuery
  | make-series Count= countif(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "User_Spam_FN";
  let User_AttackSim_Submission=baseQuery
  | make-series Count= countif(ActionType == "AttackSimUserSubmission" and SubmissionContentType=="Mail" ) default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "User_AttackSim_Submission";
  union User_Phish_FN,User_Spam_FN,User_AttackSim_Submission
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| System administrators submit test phishing simulations using Microsoft Defender for Office 365 or Cisco Secure Email Gateway as part of regular security training exercises. | Exclude submissions from known admin accounts or those associated with scheduled phishing test campaigns. |
| Automated SIEM log ingestion jobs or endpoint detection and response (EDR) tools like CrowdStrike or Microsoft Sentinel submit emails as part of their data collection or alerting processes. | Exclude submissions from system accounts or services, or filter based on the source IP or process name. |
| Email archiving tools such as Symphony or Iron Mountain automatically submit emails to the system for compliance or audit purposes. | Exclude submissions from known archiving or compliance tools, or apply a filter based on the email subject or sender domain. |
| Scheduled backup jobs or data migration tools like Veeam or CommCell may include email files in their transfer processes, leading to email submissions. | Exclude submissions from backup or migration processes, or filter based on file type or source directory. |
| User account provisioning or deprovisioning tasks managed by Azure AD or Okta may involve email submissions as part of automated workflows. | Exclude submissions from user provisioning systems or filter based on the user role or activity type. |
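The trend query above is built for a chart, so it gives the analyst a picture but nothing to alert on. The following KQL is an added example (not part of the page's query or the Defender for Office 365 solution) that turns the same three submission categories into a tabular anomaly check and folds in the account and source-IP exclusions from the false-positive scenarios. The account list, the IP address and the choice of `AccountId` as the column to match accounts against are placeholders and assumptions for this example; which identifier column holds the user principal name varies by tenant, and the threshold of 1.5 is the `series_decompose_anomalies` default rather than a tuned value.

```kusto
// Added example: anomaly check over daily user submission counts with FP exclusions.
// Account names, the IP address and the AccountId match are placeholders/assumptions, not values from the page.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Placeholder allow-lists for the scenarios in the table above:
// phish-simulation admins, service/archiving accounts, and automation source IPs.
let ExcludedAccounts = dynamic(["phishsim-admin@contoso.example", "svc-mailarchive@contoso.example"]);
let ExcludedSourceIPs = dynamic(["203.0.113.10"]);   // TEST-NET-3 placeholder, not a real source
let baseQuery = CloudAppEvents
| where Timestamp between (TimeStart .. TimeEnd)
| where ActionType contains "UserSubmission"
| extend RawEvent = parse_json(RawEventData)
| extend SubmissionType = tostring(RawEvent.SubmissionType),
         SubmissionContentType = tostring(RawEvent.SubmissionContentType)
| where SubmissionContentType == "Mail"
// Drop the known-benign submitters before counting, so they cannot inflate or mask a spike
| where AccountId !in~ (ExcludedAccounts)
| where IPAddress !in (ExcludedSourceIPs)
// Same category labels as the trend query: SubmissionType 1 = phish report, 0 = spam report
| extend Details = case(
    ActionType == "AttackSimUserSubmission", "User_AttackSim_Submission",
    ActionType == "UserSubmission" and SubmissionType == "1", "User_Phish_FN",
    ActionType == "UserSubmission" and SubmissionType == "0", "User_Spam_FN",
    "Other")
| where Details != "Other";
baseQuery
// One daily series per category instead of three separate make-series + union
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by Details
// Flag days whose submission volume deviates from the fitted baseline of that category
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime), Count to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Anomalies != 0
| project Timestamp, Details, Count,
          Baseline = round(Baseline, 1),
          Score = round(Score, 2),
          Direction = iff(Anomalies > 0, "above baseline", "below baseline")
| order by Timestamp desc, Details asc
```

A sudden rise in `User_Phish_FN` or `User_Spam_FN` after exclusions is the signal worth triaging: it means more mail reached inboxes that users then judged as phish or spam, which is the false-negative condition the page is tracking. A drop in `User_AttackSim_Submission` on a day a simulation ran is a different finding (users are not reporting the simulation) and is surfaced by the `below baseline` rows rather than hidden by the chart. Review the excluded accounts periodically, since an allow-listed account is exactly where an abuse of the submission mechanism would go unnoticed.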