Adversaries may be targeting specific high-value users through spam to deliver phishing payloads or initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential compromise of critical accounts.
KQL Query
// This query visualises total inbound emails with Spam detections, summarizing the data by the top 15 recipient email addresses (RecipientEmailAddress).
EmailEvents
| where ThreatTypes has "Spam" and EmailDirection == "Inbound"
| where Timestamp > ago(90d) // last 90 days by default; replace 90d with the desired period
| summarize count() by RecipientEmailAddress
| sort by count_ desc
| take 15
| project RecipientEmailAddress, Emails=count_
id: 3e33ce02-b74e-49cc-899d-0a1eb3128ee3
name: Email Top 15 Targeted Users (Spam) with Additional Details
description: |
  This query visualises the top 15 users targeted with Spam, with summarized spam detections.
description-detailed: |
  This query visualises total inbound emails with Spam detections, summarizing the data by the top 15 recipient email addresses (RecipientEmailAddress).
  Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // This query visualises total inbound emails with Spam detections, summarizing the data by the top 15 recipient email addresses (RecipientEmailAddress).
  EmailEvents
  | where ThreatTypes has "Spam" and EmailDirection == "Inbound"
  | where Timestamp > ago(90d) // last 90 days by default; replace 90d with the desired period
  | summarize count() by RecipientEmailAddress
  | sort by count_ desc
  | take 15
  | project RecipientEmailAddress, Emails=count_
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
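The following KQL is an added example, not the workbook's own query: it keeps the same top-15 aggregation but applies the kind of sender-based and subject-based exclusions described in the false-positive scenarios on this page, and adds per-recipient sender and subject detail so an analyst can triage a high count without a second query. The allow-listed domain and address values are placeholders to be replaced with the tenant's own.

```kusto
// Added example (not the workbook's query). Same top-15 spam-targeted recipients,
// with exclusions for known-legitimate senders and extra context for triage.
// Placeholder values: replace with the tenant's own identity provider / bulk-mail senders.
let lookback = 90d;
let allowedSenderDomains = dynamic(["internal.auth.example.com"]);   // e.g. internal identity provider
let allowedSenderAddresses = dynamic(["marketing@example.com"]);     // e.g. marketing tool sender (placeholder)
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound" and ThreatTypes has "Spam"
// Exclusions from the false-positive scenarios: trusted sender domain/address, password-reset subjects
| where SenderFromDomain !in (allowedSenderDomains)
| where SenderFromAddress !in (allowedSenderAddresses)
| where Subject !has "Password Reset"
| summarize Emails = count(),
            DistinctSenders = dcount(SenderFromAddress),
            Blocked = countif(DeliveryAction == "Blocked"),
            TopSenderDomains = make_set(SenderFromDomain, 5),
            SampleSubjects = make_set(Subject, 3),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by RecipientEmailAddress
| top 15 by Emails desc
```

A recipient with many emails from few distinct senders usually points to a misclassified bulk sender, whereas many distinct senders against one mailbox is the targeted pattern worth escalating. Prefer sender-domain or sender-address exclusions over subject matching, since a subject string is trivially satisfied by unrelated mail.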
Scenario: Scheduled Email Backup Job
Description: A scheduled job runs daily to send backup emails to a central archive server. These emails are legitimate but may be flagged due to the high volume or specific headers.
Filter/Exclusion: Exclude emails sent by the backup tool (tool_name = "BackupTool_v2") or filter by destination IP (dest_ip = "192.168.1.100").
Scenario: Admin Password Reset Emails
Description: System administrators frequently receive password reset emails from the internal identity provider (e.g., Okta, Azure AD). These emails are legitimate but may be flagged as spam due to their content or frequency.
Filter/Exclusion: Exclude emails with subject lines containing “Password Reset” or filter by sender domain (sender_domain = "internal.auth.example.com").
Scenario: Marketing Email Campaigns
Description: Marketing teams send bulk emails to a large group of users, which may be misclassified as spam due to the high volume or use of certain keywords.
Filter/Exclusion: Exclude emails sent by the marketing tool (tool_name = "MarketingCloud") or filter by sender email address (sender_email = "[email protected]").
Scenario: User-Initiated Email Forwarding
Description: Users may forward emails to multiple recipients, which can trigger the rule due to the number of recipients or the email content.
Filter/Exclusion: Exclude emails where the sender is a user with the “forwarding” privilege (user_role = "power_user") or filter by email size (email_size < 1MB).
Scenario: System Alert Emails from SIEM
Description: Security Information and Event Management (SIEM) tools like Splunk or IBM QRadar may send alert emails to administrators, which could be flagged