Adversaries may use compromised user accounts to submit malicious emails as false negatives, leveraging inbound email traffic to exfiltrate data or establish command and control. SOC teams should proactively hunt for this behaviour in their Azure Sentinel environment: the query below ranks inbound sender domains by how many of their messages users reported as false negatives, so that email-based attacks surface early and data exfiltration can be prevented.

KQL Query
```kusto
// Baseline: every inbound message per sender domain (the count() column is named count_ after the join)
let TotalInboundbySender = EmailEvents
| where EmailDirection == "Inbound"
| summarize count() by SenderFromDomain;
// Messages that users reported from their mailbox: the submission details live in the RawEventData JSON
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         RecipientObjectId = AccountObjectId,
         NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
// Keep mail submissions of type 0 or 1 (user-reported false negatives), not URL or file submissions
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
// Join back to the EmailEvents row of the reporting recipient; only inbound mail is of interest
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where EmailDirection == "Inbound"
| summarize UserSubmissions = count() by SenderFromDomain
// Relate submissions to the sender's total inbound volume to get a percentage
| join TotalInboundbySender on SenderFromDomain
| extend UserSubmissions_Percentage = todouble(round(UserSubmissions / todouble(count_) * 100, 2))
| project SenderFromDomain, UserSubmissions, TotalInboundEmail = count_, UserSubmissions_Percentage
| top 10 by UserSubmissions desc
```
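To make the query's logic testable offline, the following Python re-implements the same pipeline over a few constructed CloudAppEvents and EmailEvents rows. This is an added example, not code from the page or from Microsoft: it parses the RawEventData JSON, applies the submission filters, joins on NetworkMessageId and RecipientObjectId, and computes the per-domain percentage. It assumes the join can be modelled as a plain inner join on both columns (KQL's default join deduplicates the left side per key, which makes no difference when each submission key is unique) and the sample rows, domains and IDs are constructed.

```python
import json
from collections import Counter

# Constructed sample rows approximating CloudAppEvents. Only UserSubmission
# rows carry SubmissionType / SubmissionContentType / ObjectId in RawEventData.
CLOUD_APP_EVENTS = [
    {"ActionType": "UserSubmission", "AccountObjectId": "user-A",
     "RawEventData": json.dumps({"SubmissionType": "1", "SubmissionContentType": "Mail", "ObjectId": "msg-001"})},
    {"ActionType": "UserSubmission", "AccountObjectId": "user-B",
     "RawEventData": json.dumps({"SubmissionType": "0", "SubmissionContentType": "Mail", "ObjectId": "msg-002"})},
    # URL submission, not mail: excluded by the content-type filter
    {"ActionType": "UserSubmission", "AccountObjectId": "user-A",
     "RawEventData": json.dumps({"SubmissionType": "1", "SubmissionContentType": "Url", "ObjectId": "msg-003"})},
    # SubmissionType outside ("0", "1"): excluded
    {"ActionType": "UserSubmission", "AccountObjectId": "user-C",
     "RawEventData": json.dumps({"SubmissionType": "2", "SubmissionContentType": "Mail", "ObjectId": "msg-004"})},
    # Submission of an outbound message: dropped by the EmailDirection filter after the join
    {"ActionType": "UserSubmission", "AccountObjectId": "user-B",
     "RawEventData": json.dumps({"SubmissionType": "1", "SubmissionContentType": "Mail", "ObjectId": "msg-005"})},
    {"ActionType": "FileDownloaded", "AccountObjectId": "user-A", "RawEventData": "{}"},
]

# Constructed sample rows approximating EmailEvents: one row per message and recipient.
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-001", "RecipientObjectId": "user-A", "EmailDirection": "Inbound", "SenderFromDomain": "evil.example"},
    {"NetworkMessageId": "msg-001", "RecipientObjectId": "user-B", "EmailDirection": "Inbound", "SenderFromDomain": "evil.example"},
    {"NetworkMessageId": "msg-002", "RecipientObjectId": "user-B", "EmailDirection": "Inbound", "SenderFromDomain": "evil.example"},
    {"NetworkMessageId": "msg-003", "RecipientObjectId": "user-A", "EmailDirection": "Inbound", "SenderFromDomain": "news.example"},
    {"NetworkMessageId": "msg-004", "RecipientObjectId": "user-C", "EmailDirection": "Inbound", "SenderFromDomain": "news.example"},
    {"NetworkMessageId": "msg-005", "RecipientObjectId": "user-B", "EmailDirection": "Outbound", "SenderFromDomain": "corp.example"},
    {"NetworkMessageId": "msg-006", "RecipientObjectId": "user-C", "EmailDirection": "Inbound", "SenderFromDomain": "news.example"},
    {"NetworkMessageId": "msg-007", "RecipientObjectId": "user-A", "EmailDirection": "Inbound", "SenderFromDomain": "evil.example"},
]


def total_inbound_by_sender(email_events):
    """The TotalInboundbySender let-statement: inbound rows counted per sender domain."""
    return Counter(e["SenderFromDomain"] for e in email_events if e["EmailDirection"] == "Inbound")


def user_submissions(cloud_app_events):
    """Parse RawEventData and keep Mail submissions of type 0 or 1.

    Returns the join keys (NetworkMessageId, RecipientObjectId) in input order,
    mirroring the extend/where stages of the query.
    """
    keys = []
    for ev in cloud_app_events:
        if ev["ActionType"] != "UserSubmission":
            continue
        raw = json.loads(ev["RawEventData"])
        # tostring() in KQL: compare as strings whether the JSON value was a number or a string
        if raw.get("SubmissionContentType") != "Mail" or str(raw.get("SubmissionType")) not in ("0", "1"):
            continue
        keys.append((str(raw.get("ObjectId")), ev["AccountObjectId"]))
    return keys


def top_submitted_sender_domains(cloud_app_events, email_events, limit=10):
    """Full pipeline: join, inbound filter, per-domain counts, percentage, top N."""
    totals = total_inbound_by_sender(email_events)
    # Index EmailEvents by the join key (assumption: modelled as a plain inner join)
    by_key = {}
    for e in email_events:
        by_key.setdefault((e["NetworkMessageId"], e["RecipientObjectId"]), []).append(e)
    submitted = Counter()
    for key in user_submissions(cloud_app_events):
        for e in by_key.get(key, []):
            if e["EmailDirection"] == "Inbound":
                submitted[e["SenderFromDomain"]] += 1
    rows = []
    for domain, n in submitted.items():
        total = totals[domain]  # never 0 here: a submitted inbound message is itself counted in totals
        rows.append({
            "SenderFromDomain": domain,
            "UserSubmissions": n,
            "TotalInboundEmail": total,
            "UserSubmissions_Percentage": round(n / total * 100, 2),
        })
    rows.sort(key=lambda r: r["UserSubmissions"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in top_submitted_sender_domains(CLOUD_APP_EVENTS, EMAIL_EVENTS):
        print(row)
```

On the constructed data only evil.example appears in the output (2 of its 4 inbound messages were reported, 50%); news.example is absent because the second join is an inner join, so domains with no submissions never reach the result, exactly as in the KQL.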
```yaml
id: d7822efc-9a33-4120-8c60-661396764af1
name: User Email Submissions (FN) - Top Inbound P2 Senders domains
description: |
  This query visualises top sender domains of inbound emails submitted as false negatives by users.
description-detailed: |
  This query visualises top sender domains of inbound emails submitted as false negatives by users.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TotalInboundbySender = EmailEvents
  | where EmailDirection =="Inbound"
  | summarize count() by SenderFromDomain;
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType),RecipientObjectId=AccountObjectId,NetworkMessageId=tostring((parse_json(RawEventData).ObjectId))
  | where SubmissionContentType == "Mail" and SubmissionType in ("1","0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where EmailDirection == "Inbound"
  | summarize UserSubmissions=count() by SenderFromDomain
  | join TotalInboundbySender on SenderFromDomain
  | extend UserSubmissions_Percentage = todouble(round(UserSubmissions / todouble(count_) * 100, 2))
  | project SenderFromDomain, UserSubmissions, TotalInboundEmail=count_,UserSubmissions_Percentage
  | top 10 by UserSubmissions desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Systematic email submission by a user for malware analysis | Exclude emails submitted via the Microsoft Defender for Endpoint or CrowdStrike Falcon email submission tools by checking the X-Submission-Tool header or using a custom field like submission_tool. |
| Automated email submission by a SIEM or SOAR tool for correlation testing | Exclude emails sent from Splunk or IBM QRadar correlation rules by filtering on the source field or using a custom tag like siem_test_email. |
| Scheduled job that sends test emails to internal recipients for reporting purposes | Exclude emails from PowerShell or Python scripts running scheduled tasks by checking the sender_ip or sender_hostname against known internal IP ranges or server names. |
| Email submission by a third-party security tool during a security audit | Exclude emails from Qualys or Tenable by checking the X-Source header or using a custom field like third_party_tool. |
| Email submission by a user for phishing training simulations | Exclude emails from Cisco Email Security Appliance (ESA) or Proofpoint phishing simulation tools by checking the X-Phishing-Simulation header or using a custom tag like phishing_sim. |