Adversaries may bypass email filtering by exploiting admin overrides to deliver phishing or spam emails to user inboxes. SOC teams should proactively hunt for this behavior to identify and mitigate potential credential theft or malware delivery vectors in their Azure Sentinel environment.
KQL Query

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where Timestamp >= TimeStart
| where ConfidenceLevel != "" and OrgLevelPolicy != "" and OrgLevelAction == "Allow" and DeliveryAction == "Delivered";
let spam = baseQuery
| where ThreatTypes has 'Spam'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Spam";
let phish = baseQuery
| where ThreatTypes has 'Phish'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Allowed Phish";
union spam, phish
| project Count, Details, Timestamp
| render timechart
```
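Once the chart shows a spike, the next question is which override let the mail through. The following KQL is an added triage pivot, not part of the original hunting query or the Sentinel solution; it runs over the same population but groups by the override policy, sender domain and threat class, and the excluded sender addresses are placeholders to be replaced with the tenant's own known-benign senders.

```kql
// Added triage query: attribute allowed phish/spam to the admin-defined
// override policy and sender domain that let it reach the inbox.
let lookback = 30d;
// Placeholder exclusions for senders the SOC has already reviewed as benign.
let benignSenders = dynamic(["reports@placeholder.example", "noreply@placeholder.example"]);
EmailEvents
| where Timestamp >= ago(lookback)
// Same override population as the hunting query above.
| where ConfidenceLevel != "" and OrgLevelPolicy != "" and OrgLevelAction == "Allow" and DeliveryAction == "Delivered"
| where ThreatTypes has_any ("Phish", "Spam")
| where SenderFromAddress !in~ (benignSenders)
// Phish takes precedence when a message carries both verdicts.
| extend ThreatClass = case(ThreatTypes has "Phish", "Phish", "Spam")
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleSubjects = make_set(Subject, 3)
    by OrgLevelPolicy, SenderFromDomain, ThreatClass, ConfidenceLevel
| order by Messages desc
```

Rows with many recipients from a single domain under one policy usually point at an over-broad allow entry (for example a whole domain allowed instead of one mailbox), which is the override worth tightening first.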
```yaml
id: 0e37c1a4-86cd-4641-a514-28a431824369
name: Spam and Phish allowed to inbox by Admin Overrides
description: |
  This query helps in reviewing malicious emails allowed due to admin overrides
description-detailed: |
  This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailEvents
  | where Timestamp >= TimeStart
  | where ConfidenceLevel != "" and OrgLevelPolicy != "" and OrgLevelAction == "Allow" and DeliveryAction == "Delivered";
  let spam = baseQuery
  | where ThreatTypes has 'Spam'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Allowed Spam";
  let phish = baseQuery
  | where ThreatTypes has 'Phish'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Allowed Phish";
  union spam, phish
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Admin manually moves a legitimate email from the spam folder to the inbox using Microsoft Exchange Online’s “Move to Inbox” feature
  Filter/Exclusion: `subject:*"Move to Inbox"* OR from:*"[email protected]"* AND to:*"[email protected]"*`
- Scenario: A scheduled job (e.g., Power Automate or Azure Logic Apps) is configured to send automated reports to the admin’s inbox, which is mistakenly flagged as spam
  Filter/Exclusion: `from:*"[email protected]"* OR subject:*"Scheduled Report"*`
- Scenario: An IT admin uses Microsoft Outlook Web Access (OWA) to manually add a trusted sender to the Safe Senders list, which results in an email being delivered to the inbox
  Filter/Exclusion: `from:*"[email protected]"* AND subject:*"Add to Safe Senders"*`
- Scenario: A third-party service (e.g., ServiceNow or Zendesk) sends a confirmation email to an admin, which is allowed through an admin override
  Filter/Exclusion: `from:*"[email protected]"* OR subject:*"Confirmation Email"*`
- Scenario: A system administrator uses Exchange PowerShell to run a bulk move request to move emails from the spam folder to the inbox
  Filter/Exclusion: `subject:*"Bulk Move Request"* OR from:*"[email protected]"* AND to:*"[email protected]"*`