← Back to SOC feed Coverage →

User Email Submissions (FN) - Top Intra-Org P2 Senders

kql MEDIUM Azure-Sentinel
T1566
CloudAppEventsEmailEvents
huntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-18T23:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may use intra-org email submissions to exfiltrate data or establish command and control channels by mimicking legitimate user behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data leakage or covert communication attempts leveraging internal email infrastructure.

KQL Query

CloudAppEvents 
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType), RecipientObjectId=AccountObjectId
| extend User_SubmissionType=
iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType=="Mail","User_Phish_FN",
iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType=="Mail","User_Spam_FN","Other")),
NetworkMessageId=tostring((parse_json(RawEventData).ObjectId))
| where SubmissionContentType == "Mail" and SubmissionType in ("1","0")
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where EmailDirection == "Intra-org"
| summarize count() by SenderMailFromAddress
| project SenderMailFromAddress,UserSubmissions = count_
| top 10 by UserSubmissions desc

Analytic Rule Definition

id: 2adae71b-42b9-47b8-9cb7-ccea9fece3e2
name: User Email Submissions (FN) - Top Intra-Org P2 Senders
description: |
  This query visualises top sender email addresses of intra-org emails submitted as false negatives by users.
description-detailed: |
  This query visualises top sender email addresses of intra-org emails submitted as false negatives by users.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents 
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType), RecipientObjectId=AccountObjectId
  | extend User_SubmissionType=
  iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType=="Mail","User_Phish_FN",
  iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType=="Mail","User_Spam_FN","Other")),
  NetworkMessageId=tostring((parse_json(RawEventData).ObjectId))
  | where SubmissionContentType == "Mail" and SubmissionType in ("1","0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where EmailDirection == "Intra-org"
  | summarize count() by SenderMailFromAddress
  | project SenderMailFromAddress,UserSubmissions = count_
  | top 10 by UserSubmissions desc
version: 1.0.0

Required Data Sources

Sentinel TableNotes
CloudAppEventsEnsure this data connector is enabled
EmailEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/User Submissions - Top Intra-Org P2 senders.yaml