Adversaries may personalize the subject line of each phishing email (recipient name, company, a recent event) while keeping a shared tail, so that no two subjects in the campaign are identical and subject-based clustering or blocking misses it. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate targeted spear-phishing campaigns that use such contextual data to evade traditional detection methods.
KQL Query
```kql
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"          // only mail that actually reached a mailbox
| where isempty(SenderObjectId)                // sender is not a user object in this tenant
| extend words = split(Subject," ")            // split on single spaces; empty tokens are kept
// last three tokens of the subject; an out-of-range index is null, which tostring() turns into ""
| project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
| summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
| where SubjectsCount >= 10                    // same sender, same last three words, many distinct subjects
```
```yaml
id: 54d3455d-27e0-4ceb-99f9-375abd620151
name: Personalized campaigns based on the last few keywords
description: |
  In this detection, we track emails with personalized subjects.
description-detailed: |
  In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the last three words of the subject are the same, but the other values are personalized/unique.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(1d)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"          // only mail that actually reached a mailbox
  | where isempty(SenderObjectId)                // sender is not a user object in this tenant
  | extend words = split(Subject," ")            // split on single spaces; empty tokens are kept
  // last three tokens of the subject; an out-of-range index is null, which tostring() turns into ""
  | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
  | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
  | where SubjectsCount >= 10                    // same sender, same last three words, many distinct subjects
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and the EmailEvents table is being ingested |
Scenario: Scheduled Email Reports Generated by a Reporting Tool
Description: A legitimate scheduled job runs a report using a tool like Tableau, Power BI, or Salesforce Reports, which sends an email with a subject line containing personalized keywords like “Report for [User Name]”.
Filter/Exclusion: Exclude emails sent by known reporting tools or scheduled jobs (e.g., sender = "[email protected]" or subject contains "Report for").
Scenario: Automated Password Reset Emails
Description: A password reset email is sent by an identity management system like Microsoft Entra ID (formerly Azure AD), Okta, or OneLogin, which includes personalized keywords such as “[User Name] Password Reset”.
Filter/Exclusion: Exclude emails sent by identity providers (e.g., sender contains "auth@" or subject contains "Password Reset"). Prefer the sender-based exclusion, restricted to the provider's verified sending domain (check that SPF/DKIM/DMARC passed in the AuthenticationDetails column): credential-phishing lures routinely use "Password Reset" in the subject, so a subject-keyword exclusion would also suppress exactly the campaigns this query is meant to surface.
Scenario: System-Wide Notifications from a Monitoring Tool
Description: A monitoring tool like Nagios, Zabbix, or Datadog sends a notification email with a subject line that includes personalized keywords like “[Hostname] is down” or “[User] Alert”.
Filter/Exclusion: Exclude emails from monitoring tools (e.g., sender contains "nagios@", or the subject matches the tool's alert template such as ending in "is down"; note that "[Hostname]" above is a placeholder for the actual host name, not literal text to match on).
Scenario: User-Specific Email Templates for Internal Announcements
Description: An internal team uses a tool like Microsoft 365 or Gmail with Google Workspace to send personalized emails to users with dynamic subject lines, such as “Your [Project Name] Update”.
Filter/Exclusion: Exclude emails sent by internal teams using templated messages (e.g., sender contains "internal-announcements@" or subject contains "Your [Project Name]").
**Scenario: Automated Email
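The following is an added example, not part of the hunting query or the Azure-Sentinel repository: it re-implements the query's filter, "last three words" grouping, distinct-subject threshold and `make_set` cap in plain Python over constructed EmailEvents-like rows, so the grouping and the sender-domain style of exclusion recommended in the scenarios above can be exercised offline. The sender addresses, subjects, recipient names, the `excluded_domains` parameter and the `demo()` helper are all constructed for illustration.

```python
"""Offline emulation of the 'last three subject words' campaign grouping.

Added example, not the Sentinel query itself: re-implements the KQL
filter/summarize/dcount logic in plain Python over constructed
EmailEvents-like rows. All addresses, subjects and the allowlisted
domain are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class EmailEvent:
    subject: str
    sender_from: str            # SenderFromAddress
    recipient: str              # RecipientEmailAddress
    network_message_id: str     # NetworkMessageId
    email_direction: str = "Inbound"
    delivery_action: str = "Delivered"
    sender_object_id: str = ""  # "" == isempty(SenderObjectId): sender is not a tenant user


def subject_key(subject: str) -> tuple:
    """Mirror split(Subject," ") followed by words[-1], words[-2], words[-3].

    KQL's split keeps empty tokens (double or trailing spaces) and an
    out-of-range index yields null, which tostring() turns into "". Both
    behaviours are reproduced, so a two-word subject gets "" as its third word.
    """
    words = subject.split(" ")

    def at(i: int) -> str:
        return words[i] if -i <= len(words) else ""

    return at(-1), at(-2), at(-3)


def find_campaigns(events, threshold: int = 10, excluded_domains=frozenset()):
    """One row per (last three words, sender) with >= threshold distinct subjects.

    excluded_domains is an assumed tuning knob: senders whose domain is listed
    are dropped before grouping, which is safer than excluding on subject
    keywords that attackers also use (e.g. "Password Reset").
    """
    groups = defaultdict(lambda: {"subjects": set(), "recipients": set(), "ids": []})
    for e in events:
        if e.email_direction != "Inbound" or e.delivery_action != "Delivered":
            continue
        if e.sender_object_id:                       # keep only external senders
            continue
        if e.sender_from.rsplit("@", 1)[-1].lower() in excluded_domains:
            continue
        g = groups[subject_key(e.subject) + (e.sender_from,)]
        g["subjects"].add(e.subject)                 # dcount(Subject) (exact here, estimated in KQL)
        g["recipients"].add(e.recipient)             # dcount(RecipientEmailAddress)
        if e.network_message_id not in g["ids"] and len(g["ids"]) < 10:
            g["ids"].append(e.network_message_id)    # make_set(NetworkMessageId, 10)
    rows = []
    for (w1, w2, w3, sender), g in groups.items():
        if len(g["subjects"]) >= threshold:          # SubjectsCount >= 10
            rows.append({"firstLastWord": w1, "secondLastWord": w2, "thirdLastWord": w3,
                         "SenderFromAddress": sender,
                         "SubjectsCount": len(g["subjects"]),
                         "RecipientsCount": len(g["recipients"]),
                         "suspiciousEmails": list(g["ids"])})
    return rows


# Constructed sample traffic (not real data).
NAMES = ["Alice Smith", "Bob Jones", "Carol Diaz", "Dan Lee", "Eve Park", "Frank Wu",
         "Grace Kim", "Hank Roy", "Ivy Chen", "Jack Ng", "Kim Ali", "Lou Hart"]
PHISH = [EmailEvent(f"{n} your invoice is overdue", "billing@invoice-portal.example",
                    f"{n.split()[0].lower()}@corp.example", f"phish-{i}")
         for i, n in enumerate(NAMES)]                         # 12 distinct subjects, shared tail
REPORTS = [EmailEvent(f"{n}, your scheduled report is ready", "reports@bi-tool.example",
                      f"{n.split()[0].lower()}@corp.example", f"rep-{i}")
           for i, n in enumerate(NAMES[:11])]                  # benign reporting tool, 11 distinct
NOISE = [
    EmailEvent("Alice Smith your invoice is overdue ", "billing@invoice-portal.example",
               "alice@corp.example", "phish-trail"),           # trailing space -> different key
    EmailEvent("Team update: Q3 planning", "pm@corp.example", "bob@corp.example",
               "internal-1", sender_object_id="00000000-0000-0000-0000-000000000001"),  # tenant user
    EmailEvent("Zed Moss your invoice is overdue", "billing@invoice-portal.example",
               "zed@corp.example", "phish-junk", delivery_action="Junked"),  # not delivered
]
EVENTS = PHISH + REPORTS + NOISE


def demo(excluded=frozenset({"bi-tool.example"})):
    """Run the emulated query with the reporting tool's domain excluded (assumed allowlist)."""
    return find_campaigns(EVENTS, threshold=10, excluded_domains=excluded)


if __name__ == "__main__":
    for row in demo():
        print(row["SenderFromAddress"], row["SubjectsCount"], row["RecipientsCount"],
              (row["thirdLastWord"], row["secondLastWord"], row["firstLastWord"]))
```

Two things the run makes visible that the query text does not: the subject with a trailing space lands in a separate bucket (its last token is ""), so a campaign whose subjects vary in trailing whitespace is split and may stay below the threshold; and the benign reporting tool only disappears because its sending domain is excluded before grouping, not because of anything in its subject. If trailing-whitespace splitting matters in your data, trim the subject before splitting (in KQL, `trim(@"\s+", Subject)`).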