Adversaries may use phishing emails to bypass security controls; the detection technologies in Microsoft Defender for Office 365 identify and isolate such malicious content and record which technology fired. SOC teams should proactively hunt for this behavior in Azure Sentinel to uncover potential phishing campaigns and to see which controls are doing the work, which helps strengthen email security defenses.
KQL Query

```kusto
EmailEvents
//| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
| where ThreatTypes has 'Phish'
| project Timestamp, DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT)
| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
| sort by count_ desc
| render piechart
```
```yaml
id: c3a1fa22-8ccf-409e-80a5-78aa545bf77d
name: Phish Detections by Detection technology
description: |
  This query visualises total emails with Phish detections, summarizing the data by the various Phish detection technologies/controls.
description-detailed: |
  This query visualises total emails with Phish detections, summarizing the data by the various Phish detection technologies/controls in Microsoft Defender for Office 365.
  The commented line in the query excludes deliveries to the SecOps Mailbox and by the Phish Simulation system. Remove the "//" to apply the exclusion.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  //| where OrgLevelPolicy != "Phishing simulation" and OrgLevelPolicy != "SecOps Mailbox"
  | where ThreatTypes has 'Phish'
  | project Timestamp, DT=parse_json(DetectionMethods)
  | evaluate bag_unpack(DT)
  | summarize count() by Phish=tostring(column_ifexists('Phish', ''))
  | sort by count_ desc
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate Phishing Simulation Campaigns | Security teams may run phishing simulations to train employees, which can trigger phish detection rules. | Exclude emails sent from internal security testing domains (e.g., @security-training.example.com) or filter by sender IP ranges used for internal simulations. |
| Automated System Health Checks via Email | Scheduled jobs or system health checks may send emails with suspicious subject lines or content that trigger phish detection logic. | Exclude emails from known internal services (e.g., @system-health.example.com) or filter by sender email addresses associated with automated tasks. |
| Admin Task Notifications with Attachments | Administrators may receive emails with attachments (e.g., logs, reports) that are flagged by detection technologies due to file types or content. | Exclude emails from trusted admin roles (e.g., @admin.example.com) or filter by file types commonly used in administrative tasks (e.g., .log, .csv). |
| User-Generated Emails with Embedded Links | Employees may send emails with links to internal resources or external websites that are flagged by URL filtering technologies. | Exclude emails from users with elevated privileges or filter by domains that are known to be internal or whitelisted. |
| False Positives from Third-Party Integration Tools | Integration tools (e.g., Slack, Microsoft Teams, or third-party APIs) may send emails that are misclassified as phishing due to their content or structure. | Exclude emails from known integration services (e.g., @slack.com, @teams.microsoft.com) or filter by sender email domains associated with third-party tools. |
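The following Python re-implementation of the KQL pipeline above, together with the sender-domain exclusions from the false-positive scenarios, is an added example and not part of the Sentinel query or the Defender for Office 365 solution. It runs the same steps the query does (filter on `ThreatTypes has 'Phish'`, unpack the `DetectionMethods` JSON bag, `column_ifexists('Phish', '')`, `tostring`, `summarize count()`, `sort by count_ desc`) over constructed `EmailEvents` rows, so the bucket behaviour can be inspected offline: a row whose bag has no `Phish` key lands in the empty-string bucket, and a row with two Phish technologies is grouped under the serialised array rather than under each technology. The row values and the exclusion domains are constructed; `SenderFromDomain` is an EmailEvents column, but the optional domain exclusion is an assumption added here to mirror the scenario table and is not in the page's query.

```python
import json
from collections import Counter

# Constructed sample rows shaped like Sentinel's EmailEvents table (not real data).
# DetectionMethods is a JSON bag keyed by threat type; each value lists the
# detection technologies that fired for that threat type.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-01-01T08:00:00Z", "ThreatTypes": "Phish",
     "OrgLevelPolicy": "", "SenderFromDomain": "evil.example",
     "DetectionMethods": '{"Phish":["URL reputation"]}'},
    {"Timestamp": "2024-01-01T08:05:00Z", "ThreatTypes": "Phish, Spam",
     "OrgLevelPolicy": "", "SenderFromDomain": "evil.example",
     "DetectionMethods": '{"Phish":["Spoof DMARC","URL reputation"],"Spam":["Bulk"]}'},
    {"Timestamp": "2024-01-01T08:10:00Z", "ThreatTypes": "Phish",
     "OrgLevelPolicy": "Phishing simulation",
     "SenderFromDomain": "security-training.example.com",
     "DetectionMethods": '{"Phish":["URL reputation"]}'},
    {"Timestamp": "2024-01-01T08:15:00Z", "ThreatTypes": "Phish",
     "OrgLevelPolicy": "SecOps Mailbox", "SenderFromDomain": "evil.example",
     "DetectionMethods": '{"Phish":["Spoof DMARC"]}'},
    {"Timestamp": "2024-01-01T08:20:00Z", "ThreatTypes": "Malware",
     "OrgLevelPolicy": "", "SenderFromDomain": "evil.example",
     "DetectionMethods": '{"Malware":["File detonation"]}'},
    # Phish verdict but no detection method recorded: lands in the '' bucket.
    {"Timestamp": "2024-01-01T08:25:00Z", "ThreatTypes": "Phish",
     "OrgLevelPolicy": "", "SenderFromDomain": "evil.example",
     "DetectionMethods": "{}"},
]

# The two OrgLevelPolicy values excluded by the commented-out line of the query.
EXCLUDED_POLICIES = {"Phishing simulation", "SecOps Mailbox"}


def phish_detections_by_method(rows, apply_policy_exclusion=False,
                               excluded_sender_domains=()):
    """Mirror of the KQL pipeline.

    apply_policy_exclusion  -> the query's commented OrgLevelPolicy filter
    excluded_sender_domains -> assumed extra filter on SenderFromDomain, as in
                               the false-positive scenario table
    Returns [(phish_bucket, count), ...] sorted by count descending.
    """
    counts = Counter()
    excluded = {d.lower() for d in excluded_sender_domains}
    for row in rows:
        if apply_policy_exclusion and row.get("OrgLevelPolicy") in EXCLUDED_POLICIES:
            continue
        if row.get("SenderFromDomain", "").lower() in excluded:
            continue
        # `ThreatTypes has 'Phish'` is a whole-term match on the comma-separated list.
        terms = {t.strip() for t in row.get("ThreatTypes", "").split(",")}
        if "Phish" not in terms:
            continue
        # parse_json + bag_unpack: each top-level key becomes a column.
        bag = json.loads(row.get("DetectionMethods") or "{}")
        # column_ifexists('Phish', '') then tostring(): a missing key gives '',
        # an array is serialised back to compact JSON text, so a combination of
        # technologies becomes its own bucket (not one count per technology).
        phish = bag.get("Phish", "")
        key = "" if phish == "" else json.dumps(phish, separators=(",", ":"))
        counts[key] += 1
    # summarize count() ... | sort by count_ desc
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("no exclusions:", phish_detections_by_method(SAMPLE_EMAIL_EVENTS))
    print("policy exclusion:",
          phish_detections_by_method(SAMPLE_EMAIL_EVENTS, apply_policy_exclusion=True))
    print("domain exclusion:",
          phish_detections_by_method(SAMPLE_EMAIL_EVENTS,
                                     excluded_sender_domains=("security-training.example.com",)))
```

Because the query groups on the serialised array, an email caught by two technologies appears as its own pie slice rather than adding one to each technology's slice; if per-technology totals are wanted instead, `mv-expand` the `Phish` column before the `summarize`. Note also that the commented policy exclusion and a sender-domain exclusion remove different rows: the simulation row is dropped by either, but the SecOps Mailbox delivery is dropped only by the policy filter.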