Adversaries may craft email that slips past spam detection technologies to bypass email filtering and deliver malicious payloads, which points to phishing or malware distribution attempts. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage phishing campaigns that evade standard detection controls.
KQL Query
```kql
// This query visualises total emails with Spam detections, summarising the data by the various Spam detection technologies/controls in Microsoft Defender for Office 365.
EmailEvents
| where DetectionMethods has 'Spam'
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| project Timestamp, DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT)
| summarize count() by Spam=tostring(column_ifexists('Spam', ''))
| sort by count_
// | render piechart // Uncomment this line to render as a graph
```
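To check what the pipeline above actually groups on before running it against live telemetry, here is an added offline re-implementation in Python (not part of the original query page or the Sentinel workbook). It mirrors `has 'Spam'`, `bag_unpack` and `column_ifexists` on a handful of constructed `EmailEvents` rows; the `has_term` helper is only an approximation of KQL's term matching, and the sample rows are invented to show the edge cases (a row matched on the term "Spam" that has no `Spam` key lands in the empty bucket, and a row older than the lookback is dropped).

```python
"""Offline mirror of the Spam-detection-technology hunting query (added example, constructed data)."""
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so ago(30d) is deterministic

# Constructed EmailEvents rows: Timestamp plus the DetectionMethods dynamic column as JSON text.
EMAIL_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1),  "DetectionMethods": '{"Spam":["Spam filter"]}'},
    {"Timestamp": NOW - timedelta(days=2),  "DetectionMethods": '{"Spam":["Spam filter"]}'},
    {"Timestamp": NOW - timedelta(days=3),  "DetectionMethods": '{"Spam":["Bulk filter"]}'},
    {"Timestamp": NOW - timedelta(days=4),  "DetectionMethods": '{"Phish":["Spam filter"]}'},  # term "Spam", no Spam key
    {"Timestamp": NOW - timedelta(days=40), "DetectionMethods": '{"Spam":["Spam filter"]}'},  # outside the 30d lookback
    {"Timestamp": NOW - timedelta(days=5),  "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
]


def has_term(text, term):
    """Approximation of KQL `has`: case-insensitive whole-term match on the serialised column."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def spam_detection_summary(rows, now=NOW, lookback=timedelta(days=30)):
    """Return [(Spam, count_)] sorted by count_ descending, like `summarize ... | sort by count_`."""
    counts = Counter()
    for row in rows:
        if not has_term(row["DetectionMethods"], "Spam"):   # where DetectionMethods has 'Spam'
            continue
        if row["Timestamp"] <= now - lookback:               # where Timestamp > ago(30d)
            continue
        bag = json.loads(row["DetectionMethods"])            # parse_json + evaluate bag_unpack
        spam = bag.get("Spam", "")                           # column_ifexists('Spam', '')
        # tostring() of a dynamic array renders as compact JSON, e.g. ["Spam filter"]
        key = json.dumps(spam, separators=(",", ":")) if spam != "" else ""
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for spam, count_ in spam_detection_summary(EMAIL_EVENTS):
        print(f"{spam or '<no Spam key>'}: {count_}")
```

The empty bucket is worth watching for in the real result set: it holds rows that matched the term "Spam" somewhere in DetectionMethods without carrying a Spam detection, so it is not a spam technology of its own.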
```yaml
id: 366ce22d-74c1-4acd-8050-f5c6061eb6d1
name: Spam detection technologies
description: |
  This query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls.
description-detailed: |
  This query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls in Microsoft Defender for Office 365. Visualize with chart type "Piechart".
  Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query visualises total emails with Spam detections summarizing the data by various Spam detection technologies/controls in Microsoft Defender for Office 365.
  EmailEvents
  | where DetectionMethods has 'Spam'
  | where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
  | project Timestamp, DT=parse_json(DetectionMethods)
  | evaluate bag_unpack(DT)
  | summarize count() by Spam=tostring(column_ifexists('Spam', ''))
  | sort by count_
  // | render piechart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |

| Scenario | Filter/Exclusion |
|---|---|
| Scheduled email backup jobs using Microsoft Exchange Online Protection (EOP) | Exclude emails sent to or from the “backup” or “archive” mailboxes, or filter by sender IP associated with internal backup systems. |
| Postfix mail server performing internal email relaying between departments | Exclude emails with “relay” in the subject or body, or filter by source and destination IP ranges used for internal relaying. |
| Cisco IronPort or Microsoft Defender for Office 365 performing spam filtering on inbound emails | Exclude emails flagged by spam filtering engines using specific headers like X-Spam-Status or X-MS-Exchange-Organization-Message-Id. |
| Admin task to send a test email for SPF/DKIM/DMARC validation | Exclude emails with “test” or “validation” in the subject line, or filter by specific sender email addresses used for testing. |
| Automated email archiving using Symantec Enterprise Vault or Microsoft Exchange Archiving | Exclude emails with “archive” or “backup” in the subject, or filter by specific mailbox or user groups known for archiving activities. |