Adversaries may be using compromised email accounts to send phishing emails by leveraging top domains as sender sources to bypass email filtering. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns and mitigate lateral movement risks.
KQL Query
EmailEvents
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ThreatTypes has "Phish" and EmailDirection == "Inbound"
| summarize count() by SenderFromDomain
| sort by count_
| top 15 by count_
//| render columnchart // Uncomment to display as a column graph
//| render piechart // Uncomment to display as a piechart
id: 0b014a34-413b-43ae-9d80-b617fad1fd5b
name: Email Top Domains sending Phish
description: |
This query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).
description-detailed: |
This query visualises total inbound emails with Phish detections summarizing the data by the top email sender P2 domain (SenderFromDomain).
The comment in the query excludes deliveries to the SecOps Mailbox and by the Phish Simulation system. Remove the "//" to apply the exclusion.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ThreatTypes has "Phish" and EmailDirection == "Inbound"
| summarize count() by SenderFromDomain
| sort by count_
| top 15 by count_
//| render columnchart // Uncomment to display as a column graph
//| render piechart // Uncomment to display as a piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Internal System Health Check Emails
Description: Automated system health checks or monitoring tools (e.g., Nagios, Zabbix, or SolarWinds) send periodic emails to administrators from a domain like internal.monitoring.example.com.
Filter/Exclusion: Exclude emails from domains associated with internal monitoring tools or add a filter for SenderFromDomain containing internal.monitoring or similar.
Scenario: Scheduled Job Notifications from Email Server
Description: Scheduled jobs (e.g., cron jobs, Task Scheduler, or Jenkins) may send email notifications from the email server’s domain (e.g., mail.example.com) to alert admins of job status.
Filter/Exclusion: Exclude emails where the SenderFromDomain matches the internal email server domain or add a filter for SenderFromDomain equal to mail.example.com.
Scenario: Phishing Simulation Emails from Security Team
Description: The security team may send phishing simulation emails (e.g., using tools like PhishSim or Mimecast) from a controlled domain (e.g., phishsim.example.com) to test employee awareness.
Filter/Exclusion: Exclude emails where the SenderFromDomain matches the phishing simulation domain or add a filter for SenderFromDomain containing phishsim.
Scenario: Email Aliases for Internal Users
Description: Internal users may use email aliases (e.g., [email protected] for [email protected]) which can appear as external domains in logs.
Filter/Exclusion: Exclude emails where the SenderFromDomain matches internal domains or add a filter for SenderFromDomain in a list of known internal domains.
Scenario: Third-Party Service Provider Emails
Description: Legitimate third-party services (e.g., AWS, Microsoft 36