Adversaries may use automated email notifications to mask malicious sign-in activity and exfiltrate data undetected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise and lateral movement attempts.
KQL Query
let usersWithSuspiciousEmails = EmailEvents
| where SenderFromAddress in ("[email protected]", "[email protected]") or InternetMessageId startswith "<OneTimePasscode"
| where isnotempty(RecipientObjectId)
| distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100
id: a7acfaf4-e03e-409d-a16e-dcde33f7dba3
name: Automated email notifications and suspicious sign-in activity
description: |
This query helps hunting for Automated email notifications and suspicious sign-in activity
description-detailed: |
This query helps hunting for Automated email notifications and suspicious sign-in activity.
By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.
Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- AADSignInEventsBeta
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let usersWithSuspiciousEmails = EmailEvents
| where SenderFromAddress in ("[email protected]", "[email protected]") or InternetMessageId startswith "<OneTimePasscode"
| where isnotempty(RecipientObjectId)
| distinct RecipientObjectId;
AADSignInEventsBeta
| where AccountObjectId in (usersWithSuspiciousEmails)
| where RiskLevelDuringSignIn == 100
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled email report generation using Microsoft Exchange
Description: A system administrator schedules a daily report via PowerShell or Outlook to be sent to the security team, which triggers the rule due to the presence of an email notification.
Filter/Exclusion: Exclude emails sent from a known admin account (e.g., [email protected]) during scheduled times (e.g., 8:00 AM daily) using PowerShell or Outlook.
Scenario: Automated user provisioning via Azure AD Connect
Description: Azure AD Connect automatically provisions new users and sends confirmation emails, which may be flagged as suspicious sign-in activity.
Filter/Exclusion: Exclude sign-ins from the Azure AD Connect service account or filter by userPrincipalName matching known provisioning accounts.
Scenario: System maintenance task triggering email alerts
Description: A system maintenance task (e.g., using Task Scheduler or cron) sends an email alert to the IT team when a scheduled job completes, which could be flagged as suspicious.
Filter/Exclusion: Exclude emails sent from a known maintenance account (e.g., [email protected]) or filter by the subject line containing “Maintenance Task Complete.”
Scenario: Admin task to reset user passwords via email
Description: An admin uses a password reset tool (e.g., Azure AD Password Reset) to send a password reset email to a user, which may trigger the rule due to the email activity.
Filter/Exclusion: Exclude emails sent from the Azure AD Password Reset service account or filter by the presence of a password reset token in the email body.
Scenario: Automated backup system sending status emails
Description: An automated backup system (e.g., Veeam, Acronis) sends status emails to the admin team, which may be flagged as suspicious sign-in activity