Emails whose sender IP geolocates to a country that does not match where that sender is expected to send from may indicate spoofing or impersonation by an adversary. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) using the EmailEvents table ingested through the Microsoft Defender XDR connector. The query below only enriches each email with GeoIP data for its SenderIPv4; the mismatch itself is judged by comparing the resulting country against what is expected for the sender's domain or relay, and the false-positive scenarios at the end of this page are the usual reasons a legitimate sender looks out of place.
KQL Query
EmailEvents
| where isnotempty(SenderIPv4)
| extend GeoIPInfo = geo_info_from_ip_address(SenderIPv4)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = todouble(GeoIPInfo.latitude), longitude = todouble(GeoIPInfo.longitude)
| where isnotempty(country)
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, SenderIPv4, country, state, city, latitude, longitude
id: 0d5ae69d-bdb2-404d-8c8c-50ebe68b6a5b
name: Email sender IP address Geo location information
description: |
  This query returns GeoIP information for the SenderIPv4 address of each email.
description-detailed: |
  This query returns GeoIP information for the SenderIPv4 address of each email: country, state, city, latitude and longitude. Private (RFC 1918) sender addresses have no GeoIP data and are dropped.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where isnotempty(SenderIPv4)
  | extend GeoIPInfo = geo_info_from_ip_address(SenderIPv4)
  | extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = todouble(GeoIPInfo.latitude), longitude = todouble(GeoIPInfo.longitude)
  | where isnotempty(country)
  | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, SenderIPv4, country, state, city, latitude, longitude
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled and the EmailEvents data type is selected. |
Scenario: Internal Email Relay via SMTP Server
Description: A legitimate internal email relay server (e.g., Microsoft Exchange, Postfix) sends emails to external recipients, and the sender IP is the internal relay IP.
Filter/Exclusion: Private RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) return no GeoIP data, so they already drop out of the query; what actually needs excluding is the public egress IP of the on-premises relay. Filter on the SenderIPv4 column of EmailEvents, or keep the known relay IPs in a Sentinel watchlist and exclude them with _GetWatchlist().
Scenario: Scheduled Job Sending Reports via Email
Description: A scheduled job (e.g., using cron, Task Scheduler, or Airflow) sends automated reports via email to stakeholders, and the sender IP is the server’s public IP.
Filter/Exclusion: Exclude the public IP of the host running the scheduler, or filter on the Subject column of EmailEvents for the report subjects (e.g. Subject has "Weekly Report"). Prefer the IP-based exclusion: a subject filter is trivially matched by an attacker who copies the report's subject line.
Scenario: Email Sent from Cloud Email Service (e.g., Office 365, G Suite)
Description: Emails are sent from a cloud email service (e.g., Microsoft 365, Google Workspace), and the sender IP is the public IP of the cloud provider.
Filter/Exclusion: Exclude the provider's published outbound sending ranges (216.58.192.0/19 is one Google range; Microsoft 365 and Google Workspace publish their sending ranges through the SPF includes spf.protection.outlook.com and _spf.google.com), or filter on SenderFromDomain for domains known to be hosted there. Be aware that a provider's shared infrastructure is used by every tenant, so excluding the whole range also hides impersonation sent from another tenant of the same provider; exclusions keyed on SenderFromDomain plus a passing SPF/DKIM result in AuthenticationDetails are safer.
Scenario: Email Sent via Third-Party Email Marketing Tool
Description: Emails are sent via a third-party email marketing platform (e.g., Mailchimp, SendGrid) and the sender IP is the
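The following KQL is an added example and is not part of the original hunting query or the Azure-Sentinel repository. It extends the base query above with the exclusions from the scenarios just listed and then performs the comparison the introduction describes: the geolocated country of SenderIPv4 against the country expected for the sender's domain. Every IP range, subject string and domain-to-country mapping in it is a constructed placeholder (216.58.192.0/19 is the Google range mentioned above); replace them with your own relay, provider and partner inventory before running it.

```kusto
// Added example, not part of the original hunting query.
// All ranges, subjects and domains below are constructed placeholders.
let lookback = 7d;
// Scenario 1: public egress IPs of on-premises relays. Private RFC 1918 addresses
// never geolocate and are already dropped by the base query, so only public IPs go here.
let RelayRanges = dynamic(["203.0.113.0/24"]);
// Scenarios 3 and 4: sending ranges of trusted cloud mail and marketing providers.
// 216.58.192.0/19 is the Google range named in the text; 198.51.100.0/24 is a placeholder.
let ProviderRanges = dynamic(["216.58.192.0/19", "198.51.100.0/24"]);
// Scenario 2: subjects of automated reports (placeholders).
let ReportSubjects = dynamic(["Weekly Report", "Daily Backup Status"]);
// Country each sender domain is expected to send from (placeholder mapping;
// in production keep this in a Sentinel watchlist and read it with _GetWatchlist()).
let ExpectedCountryByDomain = datatable(SenderFromDomain:string, ExpectedCountry:string)
[
    "contoso.com", "United States",
    "fabrikam.de", "Germany"
];
EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(SenderIPv4)
// Apply the exclusions before the GeoIP lookup so known-good senders never reach the comparison.
| where not(ipv4_is_in_any_range(SenderIPv4, RelayRanges))
| where not(ipv4_is_in_any_range(SenderIPv4, ProviderRanges))
| where not(Subject has_any (ReportSubjects))
// Enrich with GeoIP data; private or unknown IPs yield no country and are dropped.
| extend GeoIPInfo = geo_info_from_ip_address(SenderIPv4)
| extend Country = tostring(GeoIPInfo.country), City = tostring(GeoIPInfo.city)
| where isnotempty(Country)
// Keep only domains we have an expectation for, then flag the mismatches.
| join kind=inner ExpectedCountryByDomain on SenderFromDomain
| where Country != ExpectedCountry
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
          SenderIPv4, Country, City, ExpectedCountry, AuthenticationDetails, DeliveryAction
| sort by Timestamp desc
```

AuthenticationDetails is projected so the analyst can see the SPF, DKIM and DMARC results alongside the geo mismatch: a sender that fails authentication and geolocates to an unexpected country is a much stronger signal than either indicator alone, while a passing DKIM signature from the expected domain usually means the "mismatch" is a new provider region or a travelling user rather than spoofing.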