User-reported messages (phish, junk, not junk) arrive in CloudAppEvents as UserSubmission events; when an admin reviews a submission and chooses 'mark and notify', a SubmissionNotification event records the admin verdict. This query joins the two on SubmissionId so the SOC can see which user reports were actually reviewed and whether the admin verdict agreed with what the user reported. A large "Not Reviewed" slice means user-reported phishing (T1566) is sitting unexamined; disagreement between the user label and the admin verdict shows where user guidance or admin triage needs attention. Run it in Azure Sentinel against the CloudAppEvents table.
KQL Query
// Admin 'mark and notify' verdicts: one row per AdminReviewResult property found in ExtendedProperties
let ReviewResults = CloudAppEvents
| where ActionType == "SubmissionNotification"
| extend SubmissionId = tostring(parse_json(RawEventData).SubmissionId)
| extend Properties = parse_json(RawEventData).ExtendedProperties
| mv-expand element = Properties
| where tostring(element.Name) == "AdminReviewResult"
| project SubmissionId, AdminReviewResult = tostring(element.Value);
// User submissions, joined to any admin verdict; unreviewed submissions keep a null AdminReviewResult
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionId = tostring(parse_json(RawEventData).SubmissionId), SubmissionType = toint(parse_json(RawEventData).SubmissionType)
| join kind=leftouter ReviewResults on SubmissionId
| extend UserReportedAs = case(SubmissionType == 1, "Phish", SubmissionType == 2, "Junk", SubmissionType == 3, "NotJunk", "")
// 1 when the admin verdict matches the user's label; dropped by the final summarize, keep it if you want an accuracy chart
| extend ReviewedAccuracy = iif(UserReportedAs == AdminReviewResult, 1, 0)
| extend Reviewed = iif(isempty(AdminReviewResult), "Not Reviewed", "Reviewed")
| project SubmissionId, UserReportedAs, Reviewed, AdminReviewResult, ReviewedAccuracy
| summarize count() by Reviewed
| render piechart
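The join and classification the query performs, re-implemented in Python so it can be checked offline; this is an added example, not code from the original page or from the Microsoft query. It runs over constructed CloudAppEvents-style rows (only the columns the query reads, with RawEventData serialised as JSON using the field names the KQL parses) and also shows the behaviour the false-positive section below cares about: a submission reviewed twice produces two SubmissionNotification events, the leftouter join then counts it once per verdict, and the `latest_only` switch applies the same dedup as `summarize arg_max(Timestamp, *) by SubmissionId` would in KQL. The verdict strings "Phish", "Junk" and "NotJunk" are assumed to match the SubmissionType labels, which the query's ReviewedAccuracy comparison already assumes.

```python
import json
from collections import Counter

# Constructed sample rows in the shape of the CloudAppEvents columns the query
# reads. RawEventData is the Office 365 audit payload serialised as JSON; the
# field names are the ones the KQL parses. All values here are made up.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T08:00:00Z", "ActionType": "UserSubmission",
     "RawEventData": json.dumps({"SubmissionId": "sub-1", "SubmissionType": 1})},
    {"Timestamp": "2024-05-01T09:00:00Z", "ActionType": "SubmissionNotification",
     "RawEventData": json.dumps({"SubmissionId": "sub-1", "ExtendedProperties": [
         {"Name": "AdminReviewResult", "Value": "Phish"}]})},
    {"Timestamp": "2024-05-01T08:10:00Z", "ActionType": "UserSubmission",
     "RawEventData": json.dumps({"SubmissionId": "sub-2", "SubmissionType": 2})},
    # sub-2 reviewed twice: first verdict NotJunk, later corrected to Junk.
    {"Timestamp": "2024-05-01T10:00:00Z", "ActionType": "SubmissionNotification",
     "RawEventData": json.dumps({"SubmissionId": "sub-2", "ExtendedProperties": [
         {"Name": "AdminReviewResult", "Value": "NotJunk"}]})},
    {"Timestamp": "2024-05-01T11:00:00Z", "ActionType": "SubmissionNotification",
     "RawEventData": json.dumps({"SubmissionId": "sub-2", "ExtendedProperties": [
         {"Name": "AdminReviewResult", "Value": "Junk"}]})},
    # sub-3 was reported but never reviewed (no notification event).
    {"Timestamp": "2024-05-01T08:20:00Z", "ActionType": "UserSubmission",
     "RawEventData": json.dumps({"SubmissionId": "sub-3", "SubmissionType": 3})},
    # Unrelated action type that both filters must ignore.
    {"Timestamp": "2024-05-01T08:30:00Z", "ActionType": "MailItemsAccessed",
     "RawEventData": json.dumps({"Operation": "MailItemsAccessed"})},
]

# SubmissionType codes as decoded by the query's UserReportedAs expression.
SUBMISSION_TYPES = {1: "Phish", 2: "Junk", 3: "NotJunk"}


def review_results(events, latest_only=False):
    """The ReviewResults let-statement: SubmissionId -> list of admin verdicts.

    latest_only=True keeps only the newest notification per submission, the
    equivalent of `summarize arg_max(Timestamp, *) by SubmissionId` in KQL,
    so a re-reviewed submission is not counted once per verdict.
    """
    verdicts = {}
    for ev in events:
        if ev["ActionType"] != "SubmissionNotification":
            continue
        raw = json.loads(ev["RawEventData"])
        for prop in raw.get("ExtendedProperties", []):   # mv-expand
            if prop.get("Name") == "AdminReviewResult":
                verdicts.setdefault(raw["SubmissionId"], []).append(
                    (ev["Timestamp"], str(prop["Value"])))
    if latest_only:
        return {sid: [max(rows)[1]] for sid, rows in verdicts.items()}
    return {sid: [v for _, v in rows] for sid, rows in verdicts.items()}


def join_submissions(events, latest_only=False):
    """The main pipeline up to its project: one row per UserSubmission,
    multiplied by every matching verdict (join kind=leftouter semantics)."""
    reviews = review_results(events, latest_only)
    rows = []
    for ev in events:
        if ev["ActionType"] != "UserSubmission":
            continue
        raw = json.loads(ev["RawEventData"])
        sid = raw["SubmissionId"]
        reported = SUBMISSION_TYPES.get(int(raw.get("SubmissionType", 0)), "")
        # leftouter: a submission with no notification still yields one row
        for verdict in reviews.get(sid, [None]):
            rows.append({
                "SubmissionId": sid,
                "UserReportedAs": reported,
                "Reviewed": "Reviewed" if verdict else "Not Reviewed",
                "AdminReviewResult": verdict,
                "ReviewedAccuracy": 1 if verdict == reported else 0,
            })
    return rows


def summarize_by_reviewed(rows):
    """`summarize count() by Reviewed`: the numbers behind the pie chart."""
    return dict(Counter(r["Reviewed"] for r in rows))


def review_accuracy(rows):
    """(agreeing verdicts, reviewed rows). ReviewedAccuracy is computed by
    the query but dropped by its final summarize; this is the figure a
    follow-up chart would need."""
    reviewed = [r for r in rows if r["Reviewed"] == "Reviewed"]
    return sum(r["ReviewedAccuracy"] for r in reviewed), len(reviewed)


if __name__ == "__main__":
    for dedup in (False, True):
        rows = join_submissions(SAMPLE_EVENTS, latest_only=dedup)
        print("latest_only=%s" % dedup, summarize_by_reviewed(rows),
              "accuracy=%d/%d" % review_accuracy(rows))
```

Without dedup the sample gives Reviewed 3 / Not Reviewed 1 and an accuracy of 2 of 3, because sub-2 contributes one agreeing and one disagreeing row; with `latest_only=True` it gives Reviewed 2 / Not Reviewed 1 and 2 of 2, which is the number a reviewer actually wants.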
id: 6923a80a-e3df-4d81-a90d-63fc5b7f0bb5
name: User Email Submissions by Admin review status (Mark and Notify)
description: |
  This query visualises user submissions where an admin also performed the 'mark and notify' action on the submission
description-detailed: |
  This query visualises user submissions where an admin also performed the 'mark and notify' action on the submission.
  The query is also included in the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Admin 'mark and notify' verdicts: one row per AdminReviewResult property found in ExtendedProperties
  let ReviewResults = CloudAppEvents
  | where ActionType == "SubmissionNotification"
  | extend SubmissionId = tostring(parse_json(RawEventData).SubmissionId)
  | extend Properties = parse_json(RawEventData).ExtendedProperties
  | mv-expand element = Properties
  | where tostring(element.Name) == "AdminReviewResult"
  | project SubmissionId, AdminReviewResult = tostring(element.Value);
  // User submissions, joined to any admin verdict; unreviewed submissions keep a null AdminReviewResult
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionId = tostring(parse_json(RawEventData).SubmissionId), SubmissionType = toint(parse_json(RawEventData).SubmissionType)
  | join kind=leftouter ReviewResults on SubmissionId
  | extend UserReportedAs = case(SubmissionType == 1, "Phish", SubmissionType == 2, "Junk", SubmissionType == 3, "NotJunk", "")
  // 1 when the admin verdict matches the user's label; dropped by the final summarize, keep it if you want an accuracy chart
  | extend ReviewedAccuracy = iif(UserReportedAs == AdminReviewResult, 1, 0)
  | extend Reviewed = iif(isempty(AdminReviewResult), "Not Reviewed", "Reviewed")
  | project SubmissionId, UserReportedAs, Reviewed, AdminReviewResult, ReviewedAccuracy
  | summarize count() by Reviewed
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the MicrosoftThreatProtection data connector (Microsoft Defender XDR, formerly Microsoft 365 Defender); ensure the connector is enabled with the CloudAppEvents data type selected |
Scenario: Scheduled Email Job Submission
Description: Mail generated by automation (an Exchange transport agent, a Postfix cron job) is ordinary mail flow and never creates a UserSubmission event on its own. It enters this query only when a user reports one of those messages, and then it is a genuine submission attributed to that user; a burst of such reports inflates the "Not Reviewed" slice rather than indicating abuse.
Filter/Exclusion: CloudAppEvents has no submission-source field to filter on. If particular accounts habitually report the automated mail, exclude them by AccountObjectId after the `ActionType == "UserSubmission"` filter; otherwise leave the reports in and triage them.
Scenario: Admin Review of User Submissions via Web Interface
Description: An admin reviews a user submission on the Submissions page of the Microsoft Defender portal and chooses "mark and notify". That action writes the SubmissionNotification event this query joins on, so these rows are the expected signal, not noise. A Google Workspace Admin Console action is out of scope: the UserSubmission and SubmissionNotification action types come from Microsoft 365 auditing.
Filter/Exclusion: None required. To list these rows instead of charting them, add `| where Reviewed == "Reviewed"` before the `summarize` and drop the `render`.
Scenario: Automated Email Notification from System Alert
Description: Alert mail from a SIEM (Splunk, Microsoft Sentinel) is not a submission and cannot be flagged by this query on its own; the query keys on ActionType, not on message content. Such mail appears only if a user reports it, in which case the row is a genuine user report of an internal notification.
Filter/Exclusion: No query change. If users repeatedly report internal alert mail, fix it on the sending side (make the alert sender recognisable) or through user guidance; excluding those accounts by AccountObjectId would also hide their real reports.
Scenario: Email Submission via API by Third-Party Integration
Description: If an integration (a helpdesk tool such as Zendesk or ServiceNow) creates submissions on users' behalf, they are recorded under the identity the integration authenticates as. The query cannot attach an admin "mark and notify" action to the wrong submission: the join key is SubmissionId, which identifies one submission, so a SubmissionNotification row only matches the submission it belongs to.
Filter/Exclusion: If integration-created submissions should be reported separately, exclude the integration's AccountObjectId after the `ActionType == "UserSubmission"` filter.
Scenario: Admin Mark and Notify on a Legitimate User Submission
Description: A legitimate user submission is reviewed and marked for notification by an admin. This is the normal workflow the query measures and should be counted, not excluded. Note that a submission reviewed more than once yields several SubmissionNotification events and the leftouter join counts it once per verdict; keep only the latest verdict per SubmissionId (arg_max on Timestamp inside ReviewResults) if one row per submission is wanted.
Filter/Exclusion: Include a condition