Adversaries may personalize email subjects to increase the likelihood that recipients engage with malicious content: the first few words of the subject stay the same across a campaign while the remainder is tailored to each target. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and mitigate targeted spear-phishing campaigns before they lead to credential compromise or data exfiltration.
KQL Query

```kql
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where isempty(SenderObjectId)
| extend words = split(Subject," ")
| project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
| where SubjectsCount >= 10
```
```yaml
id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
name: Personalized campaigns based on the first few keywords
description: |
  In this detection, we track emails with personalized subjects.
description-detailed: |
  In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(1d)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | where isempty(SenderObjectId)
  | extend words = split(Subject," ")
  | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
  | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
  | where SubjectsCount >= 10
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
**Scenario:** A marketing team uses a tool like HubSpot or Salesforce Marketing Cloud to send personalized email campaigns. These emails include dynamic content based on user data, such as first name or product preferences, which may trigger the rule due to the presence of personalized keywords in the subject line.

**Filter/Exclusion:** Exclude emails originating from known marketing platforms by checking the from field against a list of marketing tool domains (e.g., @hubspot.com, @salesforce.com) or by using a custom field like campaign_type = "marketing".

**Scenario:** A scheduled job in Microsoft Exchange Online or Google Workspace generates automated emails with personalized subjects for user onboarding or password reset. These emails often include placeholders like [First Name] or [Company Name], which can be mistaken for personalized campaigns.

**Filter/Exclusion:** Filter emails where the subject contains known placeholders (e.g., $$First Name$$, $$Company Name$$) or check the message_id against a list of known automated email IDs.

**Scenario:** System administrators use Power Automate or ServiceNow to send automated notifications to users about system updates, maintenance, or security alerts. These emails may include personalized details like user names or department names, which could trigger the detection rule.

**Filter/Exclusion:** Exclude emails sent from admin tools by checking the from field against known admin email domains (e.g., @service-now.com, @powerautomate.com) or by using a tag like is_admin_notification = true.

**Scenario:** IT helpdesk tools like Zendesk or Freshdesk send personalized support emails with user-specific details, such as ticket numbers or user names. These emails often include dynamic content that matches the rule’s criteria for personalized subjects.
**Filter
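The following is an added example, not part of the original rule or the Sentinel content it comes from. It re-implements the hunting query's logic in Python over a constructed set of EmailEvents rows (hypothetical addresses on `.invalid` domains, not real indicators) so the grouping and threshold semantics can be checked offline, and it adds the sender-domain allow-list suggested in the false-positive scenarios as a tuning step. The function and argument names (`hunt_personalized_campaigns`, `excluded_domains`, `min_subjects`) are this example's own; the dictionary keys mirror the EmailEvents column names the query uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 1-day window in the query is reproducible offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
NAMES = ["Alice", "Bob", "Carol", "Dan", "Eve", "Frank",
         "Grace", "Heidi", "Ivan", "Judy", "Mallory", "Niaj"]


def _row(subject, sender, recipient, msg_id, age_hours=1,
         direction="Inbound", action="Delivered", sender_object_id=""):
    """One constructed EmailEvents row; keys mirror the columns the query uses."""
    return {
        "Timestamp": NOW - timedelta(hours=age_hours),
        "EmailDirection": direction,
        "DeliveryAction": action,
        "SenderObjectId": sender_object_id,   # empty for external senders
        "Subject": subject,
        "SenderFromAddress": sender,
        "RecipientEmailAddress": recipient,
        "NetworkMessageId": msg_id,
    }


# Constructed sample data (hypothetical addresses, not real indicators).
SAMPLE_EVENTS = (
    # 12 mails sharing the opening "Action required for" with a personalised tail
    [_row(f"Action required for {n}: invoice overdue", "billing@lookalike.invalid",
          f"{n.lower()}@contoso.invalid", f"msg-phish-{i}") for i, n in enumerate(NAMES)]
    # Marketing platform sending a personalised digest: same shape, benign
    + [_row(f"Your weekly digest, {n}", "news@hubspot.com",
            f"{n.lower()}@contoso.invalid", f"msg-mkt-{i}") for i, n in enumerate(NAMES)]
    # Internal sender (SenderObjectId populated): out of scope for the query
    + [_row(f"Team update for {n}", "hr@contoso.invalid", f"{n.lower()}@contoso.invalid",
            f"msg-int-{i}", sender_object_id="aad-object-id") for i, n in enumerate(NAMES)]
    # Same campaign but 48h old: outside Timestamp > ago(1d)
    + [_row("Action required for Zoe: invoice overdue", "billing@lookalike.invalid",
            "zoe@contoso.invalid", "msg-old", age_hours=48)]
)


def first_three_words(subject):
    """Mimic split(Subject, " ") followed by tostring(words[i]); missing slots become ""."""
    words = subject.split(" ")
    return tuple(words[i] if i < len(words) else "" for i in range(3))


def hunt_personalized_campaigns(events, now=NOW, window=timedelta(days=1),
                                min_subjects=10, excluded_domains=(), max_ids=10):
    """Python rendering of the hunting query, plus a sender-domain allow-list
    (example tuning step) for the marketing/automation false positives above."""
    excluded = {d.lower() for d in excluded_domains}
    groups = defaultdict(lambda: {"subjects": set(), "recipients": set(), "ids": []})
    for e in events:
        if e["Timestamp"] <= now - window:          # Timestamp > ago(1d)
            continue
        if e["EmailDirection"] != "Inbound" or e["DeliveryAction"] != "Delivered":
            continue
        if e["SenderObjectId"]:                      # isempty(SenderObjectId)
            continue
        sender = e["SenderFromAddress"]
        if sender.rsplit("@", 1)[-1].lower() in excluded:   # allow-listed platforms
            continue
        g = groups[first_three_words(e["Subject"]) + (sender,)]
        g["subjects"].add(e["Subject"])
        g["recipients"].add(e["RecipientEmailAddress"])
        if len(g["ids"]) < max_ids:                  # make_set(NetworkMessageId, 10)
            g["ids"].append(e["NetworkMessageId"])
    hits = []
    for (w1, w2, w3, sender), g in groups.items():
        if len(g["subjects"]) >= min_subjects:       # SubjectsCount >= 10
            hits.append({
                "firstWord": w1, "secondWord": w2, "thirdWord": w3,
                "SenderFromAddress": sender,
                "SubjectsCount": len(g["subjects"]),
                "RecipientsCount": len(g["recipients"]),
                "suspiciousEmails": g["ids"],
            })
    return sorted(hits, key=lambda h: (-h["SubjectsCount"], h["SenderFromAddress"]))


if __name__ == "__main__":
    for hit in hunt_personalized_campaigns(SAMPLE_EVENTS, excluded_domains={"hubspot.com"}):
        print(hit["SenderFromAddress"], hit["firstWord"], hit["secondWord"],
              hit["thirdWord"], hit["SubjectsCount"], hit["RecipientsCount"])
```

Run without `excluded_domains` and both the lookalike billing sender and the marketing platform surface, because the rule keys only on the shared opening words plus sender; the internal HR mail never enters the aggregation because `SenderObjectId` is populated, and the 48-hour-old message falls outside the window. Adding the marketing domain to the allow-list leaves a single hit, which is the behaviour the false-positive guidance above is aiming for.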