Adversaries may use compromised email accounts to send spam by leveraging top spamming domains to bypass basic email filters and distribute malicious content. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or phishing campaigns early.
KQL Query

```kql
//This query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain). Adding additional insights for total inbound emails and bad traffic percentage for each sender domain.
EmailEvents
| where EmailDirection == "Inbound"
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize TotalEmailCount = count(),
            SpamEmailCount = countif(ThreatTypes has "Spam") by SenderFromDomain
| extend Bad_Traffic_Percentage_Inbound = todouble(round(SpamEmailCount / todouble(TotalEmailCount) * 100, 2))
| where SpamEmailCount != 0
| sort by SpamEmailCount desc
| project SenderFromDomain, SpamEmailCount, TotalEmailCount, Bad_Traffic_Percentage_Inbound
| top 15 by SpamEmailCount
```
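To check the query's logic offline before running it against live telemetry, the following Python models the same pipeline over a handful of constructed EmailEvents-style rows: inbound-only and 30-day filtering, per-domain totals, the `countif(ThreatTypes has "Spam")` term match (case-insensitive, whole term, so a value like "Phish, Spam" counts), the bad-traffic percentage, dropping zero-spam domains, and the top-N cut. This is an added example, not code from the page or from the Sentinel workbook; `NOW`, the sample rows, and the helper names are assumptions made here.

```python
"""Offline model of the Sentinel hunting query (added example, not the
page's own code). Field names mirror the EmailEvents columns the query uses;
all rows below are constructed sample data, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the 30-day window is reproducible (assumption).
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def _ev(days_ago, domain, threat_types, direction="Inbound"):
    """Build one constructed EmailEvents-like row."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "EmailDirection": direction,
        "SenderFromDomain": domain,
        "ThreatTypes": threat_types,
    }


# Constructed sample rows covering the edge cases the query has to handle.
SAMPLE_EVENTS = [
    _ev(1, "bulk-mailer.example", "Spam"),
    _ev(2, "bulk-mailer.example", "Spam"),
    _ev(3, "bulk-mailer.example", "spam, Phish"),            # `has` is case-insensitive, multi-term
    _ev(4, "bulk-mailer.example", ""),                        # inbound but clean
    _ev(5, "bulk-mailer.example", "Spam", direction="Outbound"),  # not inbound: ignored
    _ev(1, "partner.example", "Phish, Spam"),
    _ev(2, "partner.example", ""),
    _ev(3, "partner.example", ""),
    _ev(1, "clean.example", ""),                              # zero spam: dropped
    _ev(2, "clean.example", ""),
    _ev(40, "old-sender.example", "Spam"),                    # outside the 30-day window
]


def _has_term(text, term):
    """Approximate KQL `has`: whole-term, case-insensitive match."""
    terms = {t.casefold() for t in re.findall(r"[A-Za-z0-9_]+", text or "")}
    return term.casefold() in terms


def hunt_top_spam_domains(events, now=NOW, lookback_days=30, top_n=15):
    """Return rows shaped like the query's projection, sorted by SpamEmailCount."""
    cutoff = now - timedelta(days=lookback_days)      # Timestamp > ago(30d)
    totals, spam = defaultdict(int), defaultdict(int)
    for e in events:
        if e["EmailDirection"] != "Inbound" or e["Timestamp"] <= cutoff:
            continue
        d = e["SenderFromDomain"]
        totals[d] += 1                                 # TotalEmailCount = count()
        if _has_term(e["ThreatTypes"], "Spam"):        # countif(ThreatTypes has "Spam")
            spam[d] += 1
    rows = []
    for d, total in totals.items():
        if spam[d] == 0:                               # where SpamEmailCount != 0
            continue
        rows.append({
            "SenderFromDomain": d,
            "SpamEmailCount": spam[d],
            "TotalEmailCount": total,
            # todouble() avoids integer division; round to two decimals as in KQL
            "Bad_Traffic_Percentage_Inbound": round(spam[d] / float(total) * 100, 2),
        })
    rows.sort(key=lambda r: r["SpamEmailCount"], reverse=True)   # sort ... desc
    return rows[:top_n]                                           # top 15


if __name__ == "__main__":
    for row in hunt_top_spam_domains(SAMPLE_EVENTS):
        print(row)
```

Running the block lists bulk-mailer.example (3 of 4 inbound, 75.0%) ahead of partner.example (1 of 3, 33.33%); clean.example never appears because it has no spam detections, and old-sender.example only appears if `lookback_days` is widened past 40. The same widening is what the `ago(30d)` comment in the query refers to.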
```yaml
id: 279a8fce-0c34-437a-a6ba-eff7be3b36a8
name: Email Top 15 Domains sending Spam with Additional Details
description: |
  This query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain).
description-detailed: |
  This query visualises total inbound emails with Spam detections, summarizing the data by the top 15 email sender P2 domains (SenderFromDomain), and adds the total inbound email count and bad-traffic percentage for each sender domain.
  Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query visualises total inbound emails with Spam detections summarizing the data by the top 15 email sender P2 domain (SenderFromDomain). Adding additional insights for total inbound emails and bad traffic percentage for each sender domain.
  EmailEvents
  | where EmailDirection == "Inbound"
  | where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
  | summarize TotalEmailCount = count(),
              SpamEmailCount = countif(ThreatTypes has "Spam") by SenderFromDomain
  | extend Bad_Traffic_Percentage_Inbound = todouble(round(SpamEmailCount / todouble(TotalEmailCount) * 100, 2))
  | where SpamEmailCount != 0
  | sort by SpamEmailCount desc
  | project SenderFromDomain, SpamEmailCount, TotalEmailCount, Bad_Traffic_Percentage_Inbound
  | top 15 by SpamEmailCount
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
**Scenario: Internal Email Reporting Tool Sending Alerts**
Description: A legitimate internal tool, such as Microsoft Exchange Online Protection (EOP) or Cisco Secure Email Gateway, may send outbound emails to internal reporting or monitoring systems (e.g., Splunk or other SIEM dashboards) that are flagged as spam because of certain keywords or domains in the email headers.
Filter/Exclusion: Exclude emails where the SenderFromDomain matches internal reporting domains (e.g., internal.reporting.example.com, splunk.example.com) or where the email is generated by an internal monitoring tool (e.g., [email protected]).
**Scenario: Scheduled Job Sending Configuration Emails**
Description: A scheduled job, such as AWS SES or Azure SendGrid, may send configuration or status update emails to internal administrators or support teams, which could be misclassified as spam because they use common spam-like headers or domains.
Filter/Exclusion: Exclude emails sent from known job or service accounts (e.g., [email protected], [email protected]) or where the SenderFromDomain is a trusted internal domain (e.g., internal-services.example.com).
**Scenario: Email Verification Service Sending Test Emails**
Description: An email verification service like Hunter.io or Clearbit may send test emails to verify email validity, which could be flagged as spam because they use temporary or test domains.
Filter/Exclusion: Exclude emails where the SenderFromDomain is a known verification or test domain (e.g., verify.hunter.io, test.clearbit.com) or where the email subject contains keywords like "test", "verify", or "validation".
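The three exclusions above, written as one allow-list filter that runs over EmailEvents-style rows before they are aggregated, so that each suppressed row carries the name of the rule that removed it and the allow list can be reviewed. This is an added example rather than the page's own code; the domain values come from the scenarios, while the service-account addresses, the sample rows and the function names are constructed placeholders. `SenderFromAddress` and `Subject` are EmailEvents column names.

```python
"""Allow-list filter for the false-positive scenarios (added example, not the
page's own code). Domains are the scenario placeholders; addresses and sample
rows are constructed here."""
import re

# Scenario 1: internal reporting / monitoring domains.
INTERNAL_REPORTING_DOMAINS = {"internal.reporting.example.com", "splunk.example.com"}
# Scenario 2: trusted internal domains and known job/service accounts
# (the addresses are constructed placeholders).
TRUSTED_INTERNAL_DOMAINS = {"internal-services.example.com"}
SERVICE_ACCOUNTS = {"aws-ses-jobs@notify.example.com", "sendgrid-jobs@notify.example.com"}
# Scenario 3: verification/test domains and subject keywords.
VERIFICATION_DOMAINS = {"verify.hunter.io", "test.clearbit.com"}
SUBJECT_KEYWORDS = {"test", "verify", "validation"}

# Constructed sample rows: three legitimate senders, one spam sender with two messages.
SAMPLE_EVENTS = [
    {"SenderFromDomain": "splunk.example.com", "SenderFromAddress": "alerts@splunk.example.com",
     "Subject": "Daily search alert"},
    {"SenderFromDomain": "notify.example.com", "SenderFromAddress": "aws-ses-jobs@notify.example.com",
     "Subject": "Nightly backup status"},
    {"SenderFromDomain": "verify.hunter.io", "SenderFromAddress": "noreply@verify.hunter.io",
     "Subject": "Deliverability probe"},
    {"SenderFromDomain": "bulk-mailer.example", "SenderFromAddress": "promo@bulk-mailer.example",
     "Subject": "Account validation required"},
    {"SenderFromDomain": "bulk-mailer.example", "SenderFromAddress": "promo@bulk-mailer.example",
     "Subject": "Invoice attached"},
]


def _terms(text):
    """Whole-term, case-insensitive tokens (mirrors KQL `has` rather than substring match)."""
    return {t.casefold() for t in re.findall(r"[A-Za-z0-9_]+", text or "")}


def exclusion_reason(event):
    """Return the name of the first matching exclusion rule, or None to keep the row."""
    domain = (event.get("SenderFromDomain") or "").casefold()
    address = (event.get("SenderFromAddress") or "").casefold()
    if domain in INTERNAL_REPORTING_DOMAINS:
        return "internal-reporting-domain"
    if address in SERVICE_ACCOUNTS or domain in TRUSTED_INTERNAL_DOMAINS:
        return "trusted-service-sender"
    if domain in VERIFICATION_DOMAINS:
        return "verification-domain"
    if _terms(event.get("Subject")) & SUBJECT_KEYWORDS:
        return "verification-subject-keyword"
    return None


def apply_exclusions(events):
    """Split rows into (kept, excluded); excluded entries are (row, reason) pairs."""
    kept, excluded = [], []
    for e in events:
        reason = exclusion_reason(e)
        if reason:
            excluded.append((e, reason))
        else:
            kept.append(e)
    return kept, excluded


if __name__ == "__main__":
    kept, excluded = apply_exclusions(SAMPLE_EVENTS)
    for row, reason in excluded:
        print(f"excluded [{reason}]: {row['SenderFromAddress']} / {row['Subject']}")
    for row in kept:
        print(f"kept: {row['SenderFromAddress']} / {row['Subject']}")
```

The fourth sample row shows why the subject-keyword rule is the broadest of the three: a message from an unrelated bulk sender is suppressed only because its subject contains "validation". Before deploying, pair that rule with a sender condition (or restrict it to the verification domains) so that a keyword in the subject alone cannot hide a domain from the report. Term matching is used deliberately so that "Contest winner" does not match "test". In the KQL query itself, the domain rules become a `| where SenderFromDomain !in (...)` step placed before `summarize`.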
**Scenario: User-