Zero-day Phish Detections Trend

Hunt Hypothesis

Adversaries are leveraging zero-day phishing techniques to bypass traditional detection controls, indicating the use of previously unknown malicious email patterns. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate emerging phishing threats before they cause significant damage.

KQL Query

let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where DetectionMethods has "Phish";
let fd=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
| where Phish has 'File detonation' and Phish !has 'File detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
| extend Details = "File detonation";
let ud=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
| where Phish has 'URL detonation' and Phish !has 'URL detonation reputation'
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
| extend Details = "URL detonation";
union fd,ud
| project Count, Details, Timestamp
| render timechart

Analytic Rule Definition

id: f22c98fd-40c2-4823-a5d7-5f5830911125
name: Zero-day Phish Detections Trend
description: |
  This query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish
description-detailed: |
  This query visualises total emails with Phish detections over time summarizing the data daily by Phish detection technologies/controls used for detecting unknown-unique phish by URL or Attachment Detonation
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailEvents
  | where Timestamp >= TimeStart
  | where DetectionMethods has "Phish";
  let fd=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
  | where Phish has 'File detonation' and Phish !has 'File detonation reputation'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
  | extend Details = "File detonation";
  let ud=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
  | where Phish has 'URL detonation' and Phish !has 'URL detonation reputation'
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
  | extend Details = "URL detonation";
  union fd,ud
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/Zero-day Phish Detections Trend.yaml)

False Positive Guidance

Scenario: Scheduled Phish Testing Campaigns
Description: Security teams may run scheduled phishing simulations to test employee awareness, which can generate legitimate “phish detections” in the system.
Filter/Exclusion: Exclude emails sent from known internal testing domains (e.g., @phish.test, @security-training.example.com) or filter by sender IP ranges used for internal testing.
Scenario: Automated Email Archiving Jobs
Description: Email archiving tools may trigger phish detection alerts when scanning and indexing emails, especially if the tool is configured to flag certain headers or content.
Filter/Exclusion: Exclude emails with a specific header like X-Archiving-Tool: True or filter by source IP of the archiving service (e.g., 10.0.0.0/24).
Scenario: Systematic Phish Response Automation
Description: Automated response systems (e.g., Microsoft Defender for Office 365, Cisco Secure Email Gateway) may flag legitimate emails as phish during automated response workflows.
Filter/Exclusion: Exclude emails with a specific header like X-Phish-Response: Auto or filter by the source of the email (e.g., @security.response.team).
Scenario: Internal Phish Reporting Tools
Description: Employees may use internal reporting tools (e.g., Microsoft Power BI, Splunk) to submit suspected phishing emails, which can be flagged by the detection system.
Filter/Exclusion: Exclude emails sent from internal reporting tools (e.g., @reporting.team, @internal.analysis.com) or filter by the presence of a specific header like X-Internal-Report: Yes.
Scenario: Legacy Email Migration Jobs
Description: Email migration tools (e.g., Microsoft Exchange Migration Wizard, AWS Migration