Adversaries may be using new domains to mimic legitimate email replies, bypassing traditional email validation checks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or spoofing attempts that evade standard detection mechanisms.
KQL Query
```kusto
// Baseline: sender/recipient pairs that had delivered mail older than the 4-hour hunting window
let emailDelivered = EmailEvents
| where Timestamp < ago(4hrs)
    and DeliveryAction == "Delivered"
| extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
| distinct Pair;
// Baseline: sender domains that had delivered mail older than the window
let EmailDomains = EmailEvents
| where Timestamp < ago(4hrs)
    and DeliveryAction == "Delivered"
| distinct SenderFromDomain;
// Candidates: inbound mail from the last 4 hours that was neither quarantined nor blocked
EmailEvents
| where Timestamp >= ago(4hrs)
| where DeliveryLocation != "Quarantine"
    and EmailDirection == "Inbound"
    and OrgLevelAction != "Block"
    and UserLevelAction != "Block"
// NewMsg is false when the subject looks like a reply or forward ('contains' is case-insensitive)
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
| project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
// Keep replies whose sender/recipient pair has no delivery history (an unmatched leftouter join leaves Pair1 empty)
| join kind=leftouter ( emailDelivered ) on Pair
| order by SenderMailFromAddress
| where NewMsg == false
    and Pair1 == ""
// ...and whose sender domain never delivered mail before the window either
| join kind=leftouter (EmailDomains) on SenderFromDomain
| where SenderFromDomain1 == ""
| distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
```
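To make the two baselines and the final filter concrete, here is an added Python re-implementation of the same selection logic run over a few constructed EmailEvents-style rows (example code, not part of the original page or of Sentinel); the 4-hour window, the column names and the case-insensitive RE:/FW: substring test mirror the KQL above, and every address, domain and message id in the sample is invented.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "query time"
H = timedelta(hours=1)

def ev(hours_ago, sender, recipient, subject, msg_id, location="Inbox", org_action=""):
    """Build one constructed EmailEvents-style row. For brevity the header From domain is derived
    from the sender address; in real telemetry SenderFromDomain and SenderMailFromAddress can differ."""
    return dict(Timestamp=NOW - hours_ago * H, DeliveryAction="Delivered", DeliveryLocation=location,
                EmailDirection="Inbound", OrgLevelAction=org_action, UserLevelAction="",
                SenderFromDomain=sender.split("@")[1], SenderMailFromAddress=sender,
                RecipientEmailAddress=recipient, Subject=subject, NetworkMessageId=msg_id)

# Constructed sample telemetry (all values invented).
EVENTS = [
    ev(30, "ann@partner.example", "bob@corp.example", "Q2 contract", "m1"),               # baseline, older than 4h
    ev(1, "ann@partner.example", "bob@corp.example", "RE: Q2 contract", "m2"),            # known pair: not flagged
    ev(2, "ann@partner-example.invalid", "bob@corp.example", "RE: Q2 contract", "m3"),    # new pair AND new domain
    ev(2, "sales@new-vendor.invalid", "bob@corp.example", "Invoice attached", "m4"),      # not a reply: not flagged
    ev(3, "x@unseen.invalid", "bob@corp.example", "FW: payment", "m5", location="Quarantine"),
    ev(3, "y@unseen2.invalid", "bob@corp.example", "RE: payment", "m6", org_action="Block"),
]

def looks_like_reply(subject):
    """Mirror of the KQL case(): 'contains' is a case-insensitive substring test, so a subject such
    as 'PREPARE: ...' also counts as a reply (a limitation of the subject-prefix heuristic)."""
    s = subject.lower()
    return "re:" in s or "fw:" in s

def hunt(events, now=NOW, window=timedelta(hours=4)):
    """Return NetworkMessageIds of recent inbound replies whose sender/recipient pair
    AND sender domain both have no delivered-mail history before the window."""
    cutoff = now - window
    baseline = [e for e in events if e["Timestamp"] < cutoff and e["DeliveryAction"] == "Delivered"]
    known_pairs = {(e["SenderMailFromAddress"], e["RecipientEmailAddress"]) for e in baseline}
    known_domains = {e["SenderFromDomain"] for e in baseline}
    hits = []
    for e in events:
        if e["Timestamp"] < cutoff or e["EmailDirection"] != "Inbound":
            continue
        if e["DeliveryLocation"] == "Quarantine" or "Block" in (e["OrgLevelAction"], e["UserLevelAction"]):
            continue
        if not looks_like_reply(e["Subject"]):
            continue
        pair = (e["SenderMailFromAddress"], e["RecipientEmailAddress"])
        if pair not in known_pairs and e["SenderFromDomain"] not in known_domains:
            hits.append(e["NetworkMessageId"])
    return hits
```

Widening the window so that no baseline traffic remains (for example a fresh workspace with little retained history) makes every reply look new, which is why the query's false-positive rate depends on how much EmailEvents history is available.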
```yaml
id: da7b973a-0045-4fd6-9161-269369336d24
name: Mail reply to new domain
description: |
  This query helps review mail that is likely a reply, but where there is no prior mail history between the sender and recipient and the sender domain has not been seen before.
description-detailed: |
  This query helps review mail that is likely a reply, but where there is no prior mail history between the sender and recipient and the sender domain has not been seen before.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(4hrs)
      and DeliveryAction == "Delivered"
  | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
  | distinct Pair;
  let EmailDomains = EmailEvents
  | where Timestamp < ago(4hrs)
      and DeliveryAction == "Delivered"
  | distinct SenderFromDomain;
  EmailEvents
  | where Timestamp >= ago(4hrs)
  | where DeliveryLocation != "Quarantine"
      and EmailDirection == "Inbound"
      and OrgLevelAction != "Block"
      and UserLevelAction != "Block"
  | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
  | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
  | join kind=leftouter ( emailDelivered ) on Pair
  | order by SenderMailFromAddress
  | where NewMsg == false
      and Pair1 == ""
  | join kind=leftouter (EmailDomains) on SenderFromDomain
  | where SenderFromDomain1 == ""
  | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Automated Email Response from a Service Provider
Description: A legitimate email service (e.g., Zendesk, Freshdesk) sends an automated reply to a customer support inquiry, and the reply includes a new domain associated with the service.
Filter/Exclusion: Check the From header against known service email domains (e.g., @zendesk.com, @freshdesk.com) using a regex or IP whitelisting in SIEM tools like Splunk or ELK.
Scenario: Scheduled Job Sending Out Bulk Emails
Description: A scheduled job (e.g., using cron, Airflow, or a marketing tool like Mailchimp) sends out a batch of emails to a list of users, and one of the replies includes a new domain.
Filter/Exclusion: Use the Subject field to identify bulk emails (e.g., “Weekly Newsletter” or “Order Confirmation”) and exclude messages with specific headers like X-Scheduled-Task: true or X-Mailer: Mailchimp.
Scenario: Internal Collaboration Tool Integration
Description: An internal collaboration tool (e.g., Microsoft Teams, Slack) sends a reply via email to a user, and the email includes a new domain used for internal services (e.g., @internal.company.com).
Filter/Exclusion: Filter emails based on the To or CC fields to include only internal email addresses, or use a custom field in email headers like X-Internal-Reply: true to mark legitimate internal replies.
Scenario: User Reply to a Support Ticket with a New Domain
Description: A user replies to a support ticket (e.g., via a ticketing system like Jira or ServiceNow) and includes a new domain in their reply, which triggers the rule.
Filter/Exclusion: Use the `Message