A high percentage of inbound emails flagged as malicious may indicate an adversary leveraging email-based attacks to compromise organizational systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or credential harvesting campaigns early.
KQL Query
EmailEvents
| where EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
BadEmailCount = countif(isnotempty(ThreatTypes)) by bin(Timestamp, 1d)
| extend Bad_Traffic_Percentage_Inbound = todouble(round(BadEmailCount / todouble(TotalEmailCount) * 100, 2))
| project Timestamp,Bad_Traffic_Percentage_Inbound
| render timechart
id: 2a662ac9-81de-4073-9374-45e3ebd5ae90
name: Bad email percentage of Inbound emails
description: |
This query visualises bad traffic (% of emails with threats) compared to total inbound emails over time summarising the data daily.
description-detailed: |
This query visualises bad traffic (% of emails with threats) compared to total inbound emails over time summarising the data daily.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
BadEmailCount = countif(isnotempty(ThreatTypes)) by bin(Timestamp, 1d)
| extend Bad_Traffic_Percentage_Inbound = todouble(round(BadEmailCount / todouble(TotalEmailCount) * 100, 2))
| project Timestamp,Bad_Traffic_Percentage_Inbound
| render timechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Daily Email Backup Job
Description: A scheduled backup job runs daily and sends a confirmation email to an admin address, which is flagged as “bad” due to the email content or sender.
Filter/Exclusion: Exclude emails sent by the backup system (e.g., sender = "[email protected]" or use a tool like Microsoft Exchange Online Protection (EOP) to tag backup emails as safe.
Scenario: Automated Test Emails from DevOps Tools
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) sends test emails to developers or QA teams, which are flagged due to the presence of suspicious headers or content.
Filter/Exclusion: Exclude emails from known test environments (e.g., sender = "[email protected]" or use Postfix or SendGrid to tag test emails with a specific header like X-Test-Email: true).
Scenario: User-Initiated Email Campaigns
Description: Marketing or sales teams run email campaigns using tools like Mailchimp or HubSpot, which may include links or content that trigger the rule’s threat detection logic.
Filter/Exclusion: Exclude emails from known marketing domains (e.g., from_domain = "mailchimp.com" or from_domain = "hubspot.com") using Microsoft Defender for Office 365 or Google Workspace Admin Console.
Scenario: Internal System Alerts via Email
Description: Internal systems (e.g., Splunk, ELK Stack, or Datadog) send alert emails to administrators, which are flagged due to the presence of error messages or system logs in the body.
Filter/Exclusion: Exclude emails from internal monitoring tools (e.g., `sender = “splunk