Adversaries may be exploiting user email submissions from the junk folder to bypass email filtering and deliver malicious content. SOC teams should proactively hunt for this behavior to identify potential phishing or malware distribution attempts that evade standard email security controls.
KQL Query

```kql
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         RecipientObjectId = AccountObjectId
| extend User_SubmissionType =
             iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
             iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
         NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where DeliveryLocation == "Junk folder"
| summarize count() by ThreatTypes, User_SubmissionType
| project ThreatTypes, User_SubmissionType, Emails = count_
```
```yaml
id: a1eb19d6-9d86-425c-bd1d-86495c2ca714
name: User email submissions (FN) from Junk Folder
description: |
  This query visualises the total amount of user false negative submissions from the junk folder
description-detailed: |
  This query visualises the total amount of user false negative submissions that were already detected by MDO and delivered to the junk folder.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           RecipientObjectId = AccountObjectId
  | extend User_SubmissionType =
               iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
               iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
           NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
  | where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where DeliveryLocation == "Junk folder"
  | summarize count() by ThreatTypes, User_SubmissionType
  | project ThreatTypes, User_SubmissionType, Emails = count_
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
- Scenario: A system administrator submits a legitimate email to the junk folder as part of a test or troubleshooting process.
  Filter/Exclusion: Exclude submissions from known admin accounts (e.g., admin@example.com, support@example.com) or use a filter like submitter_account = "admin@example.com".
- Scenario: A scheduled job (e.g., DailyEmailBackupJob) automatically moves emails from the inbox to the junk folder as part of a data retention policy.
  Filter/Exclusion: Exclude submissions from scheduled jobs by checking the job_name field, e.g., job_name = "DailyEmailBackupJob".
- Scenario: A user manually moves a legitimate email to the junk folder while troubleshooting an email client (e.g., Microsoft Outlook or Mozilla Thunderbird).
  Filter/Exclusion: Exclude submissions where the user action is known (e.g., user_action = "manual_move" or client = "Outlook").
- Scenario: A third-party email archiving tool (e.g., Mimecast, Symantec Enterprise Vault) moves emails to the junk folder during a migration or cleanup process.
  Filter/Exclusion: Exclude submissions originating from known archiving tools by checking the source_tool field, e.g., source_tool = "Mimecast".
- Scenario: A user submits a phishing email to the junk folder as part of a security training exercise (e.g., using a tool like PhishSim or a simulated phishing campaign).
  Filter/Exclusion: Exclude submissions associated with security training tools by checking the training_campaign_id field or using a filter like campaign = "PhishSim_Training_2024".
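To check the query's logic and the admin-account exclusion from the first false-positive scenario without a tenant, here is an added Python model of the pipeline. It is example code written for this page, not code from the original page, the Sentinel solution or Microsoft Defender XDR. It re-implements each operator (the RawEventData parse, the SubmissionType/SubmissionContentType labelling, the two-key join, the Junk folder filter and the summarize) over constructed CloudAppEvents and EmailEvents rows, and applies an exclusion on AccountObjectId through a constructed `excluded_accounts` set, since the tables carry no `submitter_account`, `job_name` or similar column. The column names match the advanced-hunting schema the query uses; every row value is made up for the example.

```python
"""Offline model of the 'User email submissions (FN) from Junk Folder' hunt.

Added example: it mirrors the KQL pipeline over constructed rows so the
labelling, the join and the exclusion step can be verified locally.
"""
import json
from collections import Counter

# Constructed CloudAppEvents rows (only the columns the query touches).
CLOUD_APP_EVENTS = [
    {"ActionType": "UserSubmission", "AccountObjectId": "u-1001",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Mail", "ObjectId": "nmid-a"})},
    {"ActionType": "UserSubmission", "AccountObjectId": "u-1002",
     "RawEventData": json.dumps({"SubmissionType": 0, "SubmissionContentType": "Mail", "ObjectId": "nmid-b"})},
    # SubmissionType 2 (not 1/0): dropped by the SubmissionType filter.
    {"ActionType": "UserSubmission", "AccountObjectId": "u-1003",
     "RawEventData": json.dumps({"SubmissionType": 2, "SubmissionContentType": "Mail", "ObjectId": "nmid-c"})},
    # URL submission: dropped by the SubmissionContentType filter.
    {"ActionType": "UserSubmission", "AccountObjectId": "u-1004",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Url", "ObjectId": "nmid-d"})},
    # Phish submission from a constructed admin/test account (false-positive scenario).
    {"ActionType": "UserSubmission", "AccountObjectId": "u-admin",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Mail", "ObjectId": "nmid-e"})},
    # Different ActionType: dropped by the first where.
    {"ActionType": "FileDownloaded", "AccountObjectId": "u-1001",
     "RawEventData": json.dumps({"SubmissionType": 1, "SubmissionContentType": "Mail", "ObjectId": "nmid-f"})},
]

# Constructed EmailEvents rows.
EMAIL_EVENTS = [
    {"NetworkMessageId": "nmid-a", "RecipientObjectId": "u-1001", "DeliveryLocation": "Junk folder", "ThreatTypes": "Phish"},
    {"NetworkMessageId": "nmid-b", "RecipientObjectId": "u-1002", "DeliveryLocation": "Junk folder", "ThreatTypes": "Spam"},
    {"NetworkMessageId": "nmid-c", "RecipientObjectId": "u-1003", "DeliveryLocation": "Junk folder", "ThreatTypes": "Spam"},
    {"NetworkMessageId": "nmid-e", "RecipientObjectId": "u-admin", "DeliveryLocation": "Junk folder", "ThreatTypes": "Phish"},
    # Delivered to the inbox: dropped by the DeliveryLocation filter.
    {"NetworkMessageId": "nmid-f", "RecipientObjectId": "u-1001", "DeliveryLocation": "Inbox/folder", "ThreatTypes": ""},
    # Same message id, different recipient: must not join to u-1001's submission.
    {"NetworkMessageId": "nmid-a", "RecipientObjectId": "u-9999", "DeliveryLocation": "Junk folder", "ThreatTypes": "Phish"},
]


def classify_submission(row):
    """Mirror the two extend steps and the where clauses for one CloudAppEvents row.

    Returns the labelled row, or None if the query would drop it."""
    if row["ActionType"] != "UserSubmission":
        return None
    raw = json.loads(row["RawEventData"])
    submission_type = str(raw.get("SubmissionType", ""))        # tostring(...SubmissionType)
    content_type = str(raw.get("SubmissionContentType", ""))    # tostring(...SubmissionContentType)
    if content_type != "Mail" or submission_type not in ("1", "0"):
        return None
    label = "User_Phish_FN" if submission_type == "1" else "User_Spam_FN"
    return {
        "NetworkMessageId": str(raw.get("ObjectId", "")),       # tostring(...ObjectId)
        "RecipientObjectId": row["AccountObjectId"],
        "User_SubmissionType": label,
    }


def junk_folder_fn_summary(cloud_app_events, email_events, excluded_accounts=frozenset()):
    """Run the pipeline; returns {(ThreatTypes, User_SubmissionType): Emails}.

    excluded_accounts (constructed for this example) drops submissions by
    AccountObjectId before the join, which is where an admin/test-account
    exclusion belongs in the original query."""
    submissions, seen_keys = [], set()
    for row in cloud_app_events:
        if row["AccountObjectId"] in excluded_accounts:
            continue
        labelled = classify_submission(row)
        if labelled is None:
            continue
        # KQL join defaults to kind=innerunique: one left row per distinct key.
        key = (labelled["NetworkMessageId"], labelled["RecipientObjectId"])
        if key not in seen_keys:
            seen_keys.add(key)
            submissions.append(labelled)
    by_key = {}
    for e in email_events:
        by_key.setdefault((e["NetworkMessageId"], e["RecipientObjectId"]), []).append(e)
    counts = Counter()
    for s in submissions:
        for e in by_key.get((s["NetworkMessageId"], s["RecipientObjectId"]), []):
            if e["DeliveryLocation"] == "Junk folder":
                counts[(e["ThreatTypes"], s["User_SubmissionType"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (threat, kind), n in sorted(junk_folder_fn_summary(CLOUD_APP_EVENTS, EMAIL_EVENTS).items()):
        print(f"{threat:<8}{kind:<16}{n}")
    print("with admin exclusion:", junk_folder_fn_summary(CLOUD_APP_EVENTS, EMAIL_EVENTS, {"u-admin"}))
```

The join key deliberately includes RecipientObjectId as well as NetworkMessageId: a message sent to several recipients shares one NetworkMessageId, so joining on the message id alone would count other recipients' copies against one user's submission (the nmid-a/u-9999 row above shows the case). The seen-set reproduces the default innerunique join flavour, so a user who submits the same message twice is counted once, exactly as in the KQL.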