Emails sent from non-prevalent senders may indicate impersonation attempts by adversaries seeking to bypass user trust. SOC teams should proactively hunt for these patterns in Azure Sentinel to identify potential spear-phishing or account compromise activities early.
KQL Query

```kusto
// Display-name keywords commonly used in impersonation lures (IT, HR, payroll, MFA prompts, ...).
let PhishingSenderDisplayNames = ()
{
    pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
    "administrator", "administration", "benefits", "employee", "update", "on behalf");
};
// Inbound, delivered mail from the last day whose sender display name matches one of the keywords
// and that carries an image attachment from a sender without a directory object.
let suspiciousEmails = EmailEvents
| where Timestamp > ago(1d)
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join kind=inner (EmailAttachmentInfo
    | where Timestamp > ago(1d)
    | where isempty(SenderObjectId)
    | where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
) on NetworkMessageId
| where SenderDisplayName has_any (PhishingSenderDisplayNames())
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId;
// Sender domains seen in the suspicious set.
let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
// Baseline: of those domains, the ones that already delivered inbound mail during the preceding six days.
let prevalentSenders = materialize(EmailEvents
| where Timestamp between (ago(7d) .. ago(1d))
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where SenderFromDomain in (suspiciousSenders)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| distinct SenderFromDomain);
// Keep only mail from domains that did not appear in the baseline window.
suspiciousEmails
| where SenderFromDomain !in (prevalentSenders)
| project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
```
```yaml
id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
name: Hunting for sender patterns
description: |
  In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
description-detailed: |
  In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailAttachmentInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let PhishingSenderDisplayNames = ()
  {
      pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
      "administrator", "administration", "benefits", "employee", "update", "on behalf");
  };
  let suspiciousEmails = EmailEvents
  | where Timestamp > ago(1d)
  | where isnotempty(RecipientObjectId)
  | where isnotempty(SenderFromAddress)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | join kind=inner (EmailAttachmentInfo
      | where Timestamp > ago(1d)
      | where isempty(SenderObjectId)
      | where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
  ) on NetworkMessageId
  | where SenderDisplayName has_any (PhishingSenderDisplayNames())
  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId;
  let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
  let prevalentSenders = materialize(EmailEvents
  | where Timestamp between (ago(7d) .. ago(1d))
  | where isnotempty(RecipientObjectId)
  | where isnotempty(SenderFromAddress)
  | where SenderFromDomain in (suspiciousSenders)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | distinct SenderFromDomain);
  suspiciousEmails
  | where SenderFromDomain !in (prevalentSenders)
  | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: A system administrator sends a large volume of emails using a script to notify users about scheduled maintenance or updates.
Filter/Exclusion: Exclude emails sent from the admin’s email account during specific maintenance windows using the sender_email field and a time-based filter (e.g., email_time >= '2025-04-01T08:00:00' AND email_time <= '2025-04-01T18:00:00').
Scenario: A user runs a scheduled job that generates a large number of emails for report distribution (e.g., using Power Automate or ServiceNow workflows).
Filter/Exclusion: Exclude emails sent from known automation tools by checking the email_subject field for keywords like “Report” or “Distribution” and using the tool_used field to identify automation platforms.
Scenario: A developer uses a third-party email API (e.g., SendGrid, Mailgun) to send test emails to internal users during development.
Filter/Exclusion: Exclude emails sent from known third-party APIs by checking the email_header for X-Sender or X-Mailer fields that identify the API service.
Scenario: A user receives a legitimate email from an external partner that includes a large attachment (e.g., a backup file or log archive) and forwards it internally.
Filter/Exclusion: Exclude emails with large attachments by checking the email_size field and filtering out emails where email_size > 10MB or using a file_type filter for known archive formats.
Scenario: A security team member sends a phishing simulation email to test employee awareness, which is then forwarded internally.
Filter/Exclusion: Exclude emails sent from the security team’s email account using the
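The scenarios above describe exclusions in terms of generic field names. The following is an added example, not part of the original page or Microsoft's own query, showing how the sender-based exclusions (admin maintenance window, automation and third-party mail platforms, phishing-simulation sender) map onto the EmailEvents columns the hunting query already uses. The allowlist tables, domains, address and window times are constructed placeholders; the attachment-size exclusion is omitted because the query's tables do not expose a size field as described above.

```kusto
// Added example: the page's hunting query with allowlist-based exclusions applied
// before the prevalence check. All values in the two datatables are placeholders.
let PhishingSenderDisplayNames = ()
{
    pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
    "administrator", "administration", "benefits", "employee", "update", "on behalf");
};
// Sender domains whose mail is expected: automation workflows, third-party mail APIs used by
// developers, and the security team's phishing-simulation platform (placeholder domains).
let AllowlistedSenderDomains = datatable(SenderFromDomain:string, Reason:string)
[
    "workflow.example.test", "Scheduled report distribution",
    "mailapi.example.test",  "Developer test mail via third-party API",
    "phishsim.example.test", "Internal phishing simulation"
];
// Admin accounts that send bulk notifications, excluded only inside a declared maintenance window
// (placeholder address and times; widen or add rows per window).
let MaintenanceWindows = datatable(SenderFromAddress:string, WindowStart:datetime, WindowEnd:datetime)
[
    "sysadmin@example.test", datetime(2025-04-01T08:00:00Z), datetime(2025-04-01T18:00:00Z)
];
let suspiciousEmails = EmailEvents
| where Timestamp > ago(1d)
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join kind=inner (EmailAttachmentInfo
    | where Timestamp > ago(1d)
    | where isempty(SenderObjectId)
    | where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
) on NetworkMessageId
| where SenderDisplayName has_any (PhishingSenderDisplayNames())
// Exclusion 1: drop rows whose sender domain is on the allowlist (leftanti keeps only non-matches).
| join kind=leftanti AllowlistedSenderDomains on SenderFromDomain
// Exclusion 2: drop the admin account's mail only while its maintenance window is open.
| join kind=leftouter MaintenanceWindows on SenderFromAddress
| where not(isnotnull(WindowStart) and Timestamp between (WindowStart .. WindowEnd))
| project Timestamp, Subject, FileName, SenderFromAddress, SenderFromDomain, RecipientObjectId, NetworkMessageId;
let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
// Baseline unchanged from the page: domains already seen inbound in the six days before the hunt window.
let prevalentSenders = materialize(EmailEvents
| where Timestamp between (ago(7d) .. ago(1d))
| where isnotempty(RecipientObjectId)
| where isnotempty(SenderFromAddress)
| where SenderFromDomain in (suspiciousSenders)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| distinct SenderFromDomain);
suspiciousEmails
| where SenderFromDomain !in (prevalentSenders)
| project Timestamp, Subject, FileName, SenderFromAddress, SenderFromDomain, RecipientObjectId, NetworkMessageId
```

The exclusions are applied to the candidate set before the prevalence comparison, so an allowlisted domain can neither produce a hit nor, by being removed, change which domains count as prevalent. Note that "prevalent" here means a single prior delivery in the 7d..1d baseline is enough; the query flags first-seen domains, not low-volume ones, so a sender that first appeared two days ago will already be treated as prevalent.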