Adversaries may use compromised IP addresses to send spam emails, leveraging geographic location data to bypass basic filtering mechanisms. SOC teams should proactively hunt for this behavior to identify potential spam campaigns and mitigate reputational and operational risks in their Azure Sentinel environment.
KQL Query
//This query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
let ipv4position = EmailEvents
| where ThreatTypes has "Spam"
| where TimeGenerated > ago(90d) // last 90 days by default, replace 90d with the desired period
| where SenderIPv4 != ""
| summarize count() by SenderIPv4
| extend GeoInfo = geo_info_from_ip_address(SenderIPv4)
| extend Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)
| project SenderIPv4, Latitude, Longitude, count_;
let ipv6position = EmailEvents
| where ThreatTypes has "Spam"
| where TimeGenerated > ago(90d) // last 90 days by default, replace 90d with the desired period
| where SenderIPv6 != ""
| summarize count() by SenderIPv6
| extend GeoInfo = geo_info_from_ip_address(SenderIPv6)
| extend Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)
| project SenderIPv6, Latitude, Longitude, count_;
ipv4position
| union ipv6position
| project SenderIPv6, SenderIPv4, Latitude, Longitude, count_;
id: fc2a1197-7ad5-43e3-83f1-0ecd5ada41ca
name: Spam detection by IP and its location
description: |
This query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
description-detailed: |
This query returns total emails with Spam detections, summarizing the data by email sender IP address (SenderIPv4, SenderIPv6) and its geographical position in Microsoft Defender for Office 365.
To plot the data on a map, export the results to CSV and use a tool such as Power BI, Excel, or a custom dashboard.
Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query visualises total emails with Spam detections summarizing the data by email sender IP address (SenderIPv4, SenderIPv6).
let ipv4position = EmailEvents
| where ThreatTypes has "Spam"
| where TimeGenerated > ago(90d) // last 90 days by default, replace 90d with the desired period
| where SenderIPv4 != ""
| summarize count() by SenderIPv4
| extend GeoInfo = geo_info_from_ip_address(SenderIPv4)
| extend Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)
| project SenderIPv4, Latitude, Longitude, count_;
let ipv6position = EmailEvents
| where ThreatTypes has "Spam"
| where TimeGenerated > ago(90d) // last 90 days by default, replace 90d with the desired period
| where SenderIPv6 != ""
| summarize count() by SenderIPv6
| extend GeoInfo = geo_info_from_ip_address(SenderIPv6)
| extend Latitude = tostring(GeoInfo.latitude), Longitude = tostring(GeoInfo.longitude)
| project SenderIPv6, Latitude, Longitude, count_;
ipv4position
| union ipv6position
| project SenderIPv6, SenderIPv4, Latitude, Longitude, count_;
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate Email Server Sending to Internal Users
Description: A company’s internal email server (e.g., Microsoft Exchange or Google Workspace) sends emails to internal users using its own IP address.
Filter/Exclusion: Exclude IP addresses associated with internal email servers (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or use a field like source_ip to filter out known internal ranges.
Scenario: Scheduled Job Sending Automated Emails
Description: A scheduled job (e.g., Jenkins, Airflow, or a custom script) sends automated emails (e.g., reports, notifications) to users.
Filter/Exclusion: Exclude emails sent from known job scheduling tools by checking the message_id or subject field, or use a job_id field to identify legitimate automated traffic.
Scenario: Cloud Provider IP Address (e.g., AWS, Azure, GCP)
Description: Emails are sent from cloud provider IP ranges (e.g., AWS EC2, Azure VMs, or GCP instances) that are used for legitimate business operations.
Filter/Exclusion: Exclude IP ranges from major cloud providers using a cloud_ip_range list or a field like cloud_provider to identify legitimate cloud traffic.
Scenario: Email Bounce Messages or Delivery Reports
Description: The system generates bounce messages or delivery reports (e.g., using Postfix, Sendmail, or Exchange) that appear as spam due to their content or headers.
Filter/Exclusion: Exclude messages with specific headers like X-Original-To, X-Envelope-To, or X-Message-ID that indicate bounce or delivery reports.
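As an added example (not the original query and not from the Sentinel content repository), here is a variant of the hunt that applies the exclusions from the scenarios above before geolocating the senders, and that unions the IPv4 and IPv6 results into a single SenderIP column. The allowlisted ranges are constructed placeholders; the EmailDirection column (Inbound/Outbound/Intra-org in the EmailEvents schema) and the ipv4_is_private / ipv4_is_in_any_range functions are assumed to be available in your workspace.

```kql
// Added example: spam-by-sender-IP hunt with the false-positive exclusions applied.
// The allowlist below is a constructed placeholder; replace it with your own mail
// relays, job-scheduler hosts and cloud egress ranges (scenarios 1 to 3 above).
let lookback = 90d;
let knownSenderRanges = datatable(Range:string, Owner:string) [
    "203.0.113.0/24",   "corporate-mail-relay (placeholder)",
    "198.51.100.10/32", "jenkins-notifier (placeholder)"
];
let rangeList = toscalar(knownSenderRanges | summarize make_list(Range));
let spamByIPv4 = EmailEvents
| where TimeGenerated > ago(lookback)
| where ThreatTypes has "Spam"
| where EmailDirection == "Inbound"                      // drop intra-org and outbound mail from internal servers
| where isnotempty(SenderIPv4)
| where not(ipv4_is_private(SenderIPv4))                 // RFC1918 internal ranges
| where not(ipv4_is_in_any_range(SenderIPv4, rangeList)) // known relays, schedulers, cloud egress
| summarize SpamCount = count(), Recipients = dcount(RecipientEmailAddress) by SenderIP = SenderIPv4;
let spamByIPv6 = EmailEvents
| where TimeGenerated > ago(lookback)
| where ThreatTypes has "Spam"
| where EmailDirection == "Inbound"
| where isnotempty(SenderIPv6)
| summarize SpamCount = count(), Recipients = dcount(RecipientEmailAddress) by SenderIP = SenderIPv6;
spamByIPv4
| union spamByIPv6
| extend GeoInfo = geo_info_from_ip_address(SenderIP)    // works for both IPv4 and IPv6
| extend Country = tostring(GeoInfo.country), City = tostring(GeoInfo.city),
         Latitude = toreal(GeoInfo.latitude), Longitude = toreal(GeoInfo.longitude)
| project SenderIP, Country, City, Latitude, Longitude, SpamCount, Recipients
| order by SpamCount desc
```

Keeping Latitude and Longitude numeric (toreal rather than tostring) lets Power BI or Excel plot them directly after the CSV export mentioned above; the Recipients column helps separate a broad spam campaign from a single noisy mailbox.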