Adversaries who control a compromised mailbox can use email itself to exfiltrate data or carry command and control traffic. Reviewing mail flow by direction (inbound, outbound, intra-org) and recipient domain per day in Azure Sentinel lets SOC teams proactively hunt for unusual outbound volume or unexpected external domains that may indicate lateral movement or data exfiltration hidden within otherwise ordinary email traffic.
KQL Query

```kusto
EmailEvents
| where Timestamp > ago(30d)
| extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
| summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
| order by Timestamp asc
```
```yaml
id: 6b478186-da3b-4d71-beaa-aa5b42908499
name: Mailflow by directionality
description: |
  This query helps reviewing inbound / outbound / intra-org emails by domain per day
description-detailed: |
  This query helps reviewing inbound / outbound / intra-org emails by domain per day
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
  | summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
  | order by Timestamp asc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Reports from SIEM Tool
Description: A SIEM tool like Splunk or ELK Stack generates daily email reports that are sent to the security team. These emails are legitimate and part of the normal operations.
Filter/Exclusion: Exclude emails sent from the SIEM tool’s admin email address or filter by the “Report” subject line or specific sender domain (e.g., splunk.com or elkstack.local).
Scenario: Automated Backup Email Notifications
Description: A backup system like Veeam or Commvault sends automated email notifications to administrators about backup jobs. These emails are routine and not malicious.
Filter/Exclusion: Exclude emails with specific subject lines (e.g., “Backup Job Status”) or from the backup system’s email domain (e.g., veeam.com or commvault.com).
Scenario: Intra-Organizational Email Traffic Between Departments
Description: Employees within the same organization frequently send emails between departments, which may be flagged due to the domain being internal.
Filter/Exclusion: Exclude emails where both sender and recipient domains are within the same organization (e.g., internal.domain.com for both sender and recipient).
Scenario: Cron Job or Scheduled Task Email Alerts
Description: A cron job or scheduled task (e.g., using cron on Linux or Task Scheduler on Windows) sends email alerts for system monitoring or log analysis.
Filter/Exclusion: Exclude emails sent from the system’s default alert email address (e.g., root@localhost or [email protected]) or filter by specific alert keywords.
Scenario: Email Notifications from Cloud Security Tools
Description: Cloud security tools like Cloudflare, Azure Security Center, or AWS WAF send email notifications about security events or configuration changes.
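To make the query and the exclusion scenarios concrete offline, the following is an added example (not code from the page or from the Azure Sentinel repository). It re-implements the KQL aggregation above in Python over a small set of constructed EmailEvents-style rows, then layers on the false-positive exclusions the scenarios describe (known tooling sender domains, alert addresses, report/backup subjects, and mail that stays inside the organization). The column names follow the query; the sender domains, subject keywords, the `contoso.example` org domain and all event rows are assumptions made for the example. One deliberate difference from the KQL: `indexof` returns -1 when an address has no `@`, so `substring(..., 0)` silently keeps the whole string as the "domain"; the Python version returns `None` instead so malformed addresses stand out in the output.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed EmailEvents-like rows (not real telemetry); columns follow the page's query.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-05-01T06:00:00Z", "EmailDirection": "Inbound",
     "SenderFromAddress": "reports@splunk.com", "RecipientEmailAddress": "soc@contoso.example",
     "Subject": "Report: daily search summary"},
    {"Timestamp": "2024-05-01T07:30:00Z", "EmailDirection": "Intra-org",
     "SenderFromAddress": "alice@contoso.example", "RecipientEmailAddress": "bob@contoso.example",
     "Subject": "Quarterly numbers"},
    {"Timestamp": "2024-05-01T22:10:00Z", "EmailDirection": "Outbound",
     "SenderFromAddress": "alice@contoso.example", "RecipientEmailAddress": "drop@mailbox.example",
     "Subject": "fwd: customer list"},
    {"Timestamp": "2024-05-02T22:15:00Z", "EmailDirection": "Outbound",
     "SenderFromAddress": "alice@contoso.example", "RecipientEmailAddress": "drop@mailbox.example",
     "Subject": "fwd: more"},
    {"Timestamp": "2024-05-02T03:00:00Z", "EmailDirection": "Inbound",
     "SenderFromAddress": "backup@veeam.com", "RecipientEmailAddress": "admins@contoso.example",
     "Subject": "Backup Job Status: OK"},
    {"Timestamp": "2024-03-01T03:00:00Z", "EmailDirection": "Inbound",
     "SenderFromAddress": "old@mailbox.example", "RecipientEmailAddress": "soc@contoso.example",
     "Subject": "stale, outside the 30 day window"},
    {"Timestamp": "2024-05-02T09:00:00Z", "EmailDirection": "Inbound",
     "SenderFromAddress": "noreply", "RecipientEmailAddress": "malformed-no-at-sign",
     "Subject": "broken address"},
]

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the example is deterministic
INTERNAL_DOMAINS = {"contoso.example"}            # assumed org domain for the intra-org exclusion

# Exclusions modelled on the false-positive scenarios (assumed values, adjust per environment).
EXCLUSIONS = {
    "sender_domains": {"splunk.com", "elkstack.local", "veeam.com", "commvault.com"},
    "sender_addresses": {"root@localhost"},
    "subject_keywords": {"report", "backup job status"},
}


def email_domain(address):
    """Mirror of the KQL substring(indexof('@')+1): the part after '@', lower-cased.
    Unlike the KQL, a missing '@' yields None rather than the whole address."""
    at = address.find("@")
    return address[at + 1:].lower() if at >= 0 else None


def summarize_mailflow(events, now=NOW, lookback_days=30):
    """Equivalent of the page's query: count events per (direction, recipient domain, day)
    inside the lookback window, ordered by day ascending."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if ts <= cutoff:                      # where Timestamp > ago(30d)
            continue
        day = ts.date().isoformat()           # bin(Timestamp, 1d)
        counts[(ev["EmailDirection"], email_domain(ev["RecipientEmailAddress"]), day)] += 1
    return sorted(counts.items(), key=lambda kv: kv[0][2])   # order by Timestamp asc


def is_expected_traffic(ev, exclusions=EXCLUSIONS, internal=INTERNAL_DOMAINS):
    """Apply the scenario exclusions: known tooling senders, system alert addresses,
    report/backup subjects, and mail whose sender and recipient are both internal."""
    sender = ev["SenderFromAddress"].lower()
    sender_dom, rcpt_dom = email_domain(sender), email_domain(ev["RecipientEmailAddress"])
    subject = ev["Subject"].lower()
    if sender in exclusions["sender_addresses"] or sender_dom in exclusions["sender_domains"]:
        return True
    if any(keyword in subject for keyword in exclusions["subject_keywords"]):
        return True
    if sender_dom in internal and rcpt_dom in internal:
        return True
    return False


def hunt(events, now=NOW):
    """The summary an analyst actually reviews: only traffic that survived the exclusions."""
    return summarize_mailflow([ev for ev in events if not is_expected_traffic(ev)], now)


if __name__ == "__main__":
    for (direction, domain, day), total in hunt(SAMPLE_EMAIL_EVENTS):
        print(f"{day} {direction:<9} {domain!s:<20} {total}")
```

On the constructed rows, `hunt()` leaves three lines: two days of outbound mail from `alice@contoso.example` to an external mailbox (the pattern the page is hunting for) and one inbound row with a `None` domain, which flags the malformed address rather than hiding it in the org's own domain bucket as the KQL `substring` would.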