
Malicious emails detected per day

kql MEDIUM Azure-Sentinel
T1566
EmailEvents
Tags: hunting, microsoft, official, phishing
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-10T23:00:00Z · Confidence: medium

Hunt Hypothesis

This query summarizes the Malware, Phishing and Spam emails detected by Defender for Office 365, bucketed per day, so an analyst can review detection volume by category and spot a spike or drop in any one of them over time.

KQL Query

EmailEvents
| where DetectionMethods != "" 
| extend detection= parse_json(DetectionMethods) 
| extend Spam = tostring(detection.Spam) 
| extend Phish = tostring(detection.Phish) 
| extend Malware = tostring(detection.Malware) 
| where Spam != '' or Phish != '' or Malware != '' 
| extend detection = case( 
    Malware != "", 'Malware', 
    Phish != "", 'Phish', 
    'Spam') 
| summarize total=count() by detection, bin(Timestamp, 1d) 
| order by Timestamp asc
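The classification step above is the part of the query worth checking before trusting the numbers: each message is counted exactly once, under the first of Malware, Phish and Spam whose property is present in DetectionMethods, so a message that carries both a Malware and a Phish verdict lands in the Malware bucket only. The following Python is an added example, not part of the original rule or the Azure-Sentinel repository. It re-implements the query's filter, case() and daily summarize over a handful of constructed EmailEvents rows (the Timestamp and DetectionMethods values are made up, not real telemetry), and models KQL tostring() on a dynamic property as returning "" for a missing or null property and the JSON text otherwise, which is why an empty array such as "Phish":[] still counts as a Phish detection.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample EmailEvents rows (not real telemetry). Only the two columns
# the query touches are modelled: Timestamp and the DetectionMethods JSON string.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-03-01T08:12:00Z", "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
    {"Timestamp": "2024-03-01T09:30:00Z", "DetectionMethods": '{"Phish":["Spoof intra-org"],"Spam":["Bulk"]}'},
    {"Timestamp": "2024-03-01T11:45:00Z", "DetectionMethods": '{"Spam":["Content filter"]}'},
    {"Timestamp": "2024-03-01T12:00:00Z", "DetectionMethods": ""},  # no verdict: dropped by the first where
    {"Timestamp": "2024-03-02T07:05:00Z", "DetectionMethods": '{"Malware":["File detonation"],"Phish":["URL detonation"]}'},
    {"Timestamp": "2024-03-02T10:20:00Z", "DetectionMethods": '{"Phish":["Mixed analysis detection"]}'},
    {"Timestamp": "2024-03-02T13:40:00Z", "DetectionMethods": '{"Spam":["Bulk"]}'},
    {"Timestamp": "2024-03-02T15:00:00Z", "DetectionMethods": '{"Spam":["Bulk"],"Phish":[]}'},  # empty Phish array
]

# Order of the case() branches in the query: Malware wins over Phish, Phish over Spam.
CATEGORY_PRIORITY = ("Malware", "Phish", "Spam")


def kql_tostring(value) -> str:
    """Model of KQL tostring() on a dynamic property (assumption made for this example):
    a missing/null property or "" gives "", anything else gives its JSON text, so an
    empty array becomes the non-empty string "[]"."""
    if value is None or value == "":
        return ""
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))


def classify(detection_methods: str):
    """Return the category the query assigns to one row, or None if the row is filtered out.

    Mirrors: where DetectionMethods != "" | parse_json | where Spam/Phish/Malware != ''
    | case(Malware != "", 'Malware', Phish != "", 'Phish', 'Spam').
    """
    if detection_methods == "":
        return None
    try:
        detection = json.loads(detection_methods)
    except json.JSONDecodeError:
        return None  # parse_json on non-JSON text exposes no Spam/Phish/Malware properties
    if not isinstance(detection, dict):
        return None
    texts = {cat: kql_tostring(detection.get(cat)) for cat in CATEGORY_PRIORITY}
    # case(): the first non-empty branch wins; a row with no verdict text at all is filtered.
    return next((cat for cat in CATEGORY_PRIORITY if texts[cat]), None)


def malicious_emails_per_day(rows):
    """Equivalent of: summarize total=count() by detection, bin(Timestamp, 1d) | order by Timestamp asc."""
    counts = Counter()
    for row in rows:
        category = classify(row["DetectionMethods"])
        if category is None:
            continue
        day = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00")).date().isoformat()
        counts[(day, category)] += 1
    return sorted((day, category, total) for (day, category), total in counts.items())


if __name__ == "__main__":
    for day, category, total in malicious_emails_per_day(SAMPLE_EMAIL_EVENTS):
        print(f"{day}  {category:8s} {total}")
```

The two rows worth looking at are the one with both Malware and Phish verdicts (counted as Malware only) and the one with "Phish":[] (counted as Phish, because the property exists even though the array is empty). The same check can be run inside Sentinel by shadowing EmailEvents with a let-bound datatable containing these rows before the query.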

Hunting Query Definition

id: da932998-81dd-4be4-963c-f4890cb4192e
name: Malicious emails detected per day
description: |
  This query helps review the Malware, Phishing and Spam emails caught per day
description-detailed: |
  This query helps review the Malware, Phishing and Spam emails caught per day in Defender for Office 365
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where DetectionMethods != "" 
  | extend detection= parse_json(DetectionMethods) 
  | extend Spam = tostring(detection.Spam) 
  | extend Phish = tostring(detection.Phish) 
  | extend Malware = tostring(detection.Malware) 
  | where Spam != '' or Phish != '' or Malware != '' 
  | extend detection = case( 
      Malware != "", 'Malware', 
      Phish != "", 'Phish', 
      'Spam') 
  | summarize total=count() by detection, bin(Timestamp, 1d) 
  | order by Timestamp asc
version: 1.0.0

Required Data Sources

Sentinel Table | Notes
EmailEvents | Ensure the MicrosoftThreatProtection (Microsoft Defender XDR) data connector is enabled with the EmailEvents data type

False Positive Guidance

This is a volume and trend hunting query, not an alert, so there is no per-row true or false positive to triage. Two properties of the query matter when reading its output: a message with more than one verdict is counted once, under the first non-empty of Malware, Phish and Spam, so the three daily totals are not independent counts of each verdict type; and a message whose DetectionMethods is empty is excluded entirely, so the totals cover detected mail only, not all mail flow.

MITRE ATT&CK Context

Tactic: Initial Access. Technique: T1566 (Phishing). The query does not attribute individual messages to a sub-technique; it reports daily counts of Malware, Phish and Spam verdicts from Defender for Office 365.

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Mailflow/Malicious emails detected per day.yaml