Phishing emails sent with an empty sender (no From address, no display name, and a null SMTP return path of "<>") appear to be an attempt to slip past email filtering and land in users' inboxes. SOC teams should proactively hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain spear-phishing campaigns that evade standard detection mechanisms.
KQL Query

```kql
EmailEvents
| where EmailDirection == "Inbound"
| where SenderIPv4 startswith "27.121.5." // IP range in Japan observed in this phishing campaign
| where isempty(SenderFromAddress) and isempty(SenderDisplayName) and SenderMailFromAddress == "<>"
| where DeliveryAction != "Blocked"
```
```yaml
id: c853b6d9-b33b-4172-8b18-e95e8d902e31
name: Empty Sender Phish Delivered to Inbox
description: |
  This query detects delivered phishing emails where the Sender is empty based on recently observed campaigns.
description-detailed: |
  This query detects delivered phishing emails where the Sender is empty based on recently observed campaigns. It can be used as a Continuous (NRT) Custom Detection Rule to trigger an automated action and delete the emails.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | where SenderIPv4 startswith "27.121.5." // IP range in Japan observed in this phishing campaign
  | where isempty(SenderFromAddress) and isempty(SenderDisplayName) and SenderMailFromAddress == "<>"
  | where DeliveryAction != "Blocked"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the MicrosoftThreatProtection data connector is enabled and ingesting EmailEvents |
Possible false positives to tune for. Two caveats apply to all of them: because the query already requires SenderFromAddress to be empty, an exclusion on the from address cannot work, so exclude by SenderIPv4 (or by the receiving account) instead; and custom headers such as those named below are not EmailEvents columns, so header-based exclusions have to be applied where the headers are available (for example at the mail gateway) rather than in this query. Most of these scenarios only matter if the SenderIPv4 filter is removed to hunt beyond the observed campaign range.

Scenario: Scheduled Email Reports from SIEM Tool
Description: A legitimate scheduled job sends daily email reports from a SIEM tool such as Splunk or IBM QRadar, which may have an empty sender field due to misconfiguration.
Filter/Exclusion: Exclude emails sent by the SIEM tool's scheduled job (e.g., from: "[email protected]" or check for job_id in headers).

Scenario: Automated Test Emails from DevOps Pipeline
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) sends test emails to developers with an empty sender field during automated testing.
Filter/Exclusion: Exclude emails with an X-Test-Email header or from specific test domains (e.g., @dev-test.example.com).

Scenario: Email Notifications from Cloud Security Tools
Description: Cloud security tools such as AWS WAF or Azure Security Center may send notifications with empty sender fields when triggering alerts.
Filter/Exclusion: Exclude emails from known security tool domains (e.g., @aws.com, @azure.com) or use an X-Alert-Source header to identify these emails.

Scenario: Internal Email Relay with Misconfigured SMTP
Description: An internal email relay server (e.g., Postfix, Exchange) may send emails with an empty sender field due to misconfigured SMTP settings.
Filter/Exclusion: Exclude emails originating from internal relay servers (e.g., from: "[email protected]" or check for an X-Relayed-By header).

Scenario: Email Notifications from Monitoring Tools (e.g., Nagios, Prometheus)
Description: Monitoring tools such as Nagios or Prometheus may send alerts with empty sender fields when configured improperly.
Filter/Exclusion: