Adversaries may be using spam campaigns to distribute malicious content, leveraging email as a vector for initial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing or malware distribution efforts early.
KQL Query
//This query visualises total emails with Spam detections over time summarizing the data daily.
EmailEvents
| where ThreatTypes has "Spam"
| make-series Count = count() default = 0 on Timestamp step 1d
// | render timechart // Uncomment this line to render as a graph
id: 2b373bca-b491-4b2f-906e-6f42eeab01a1
name: Spam detection trend
description: |
This query visualises total emails with Spam detections over time summarizing the data daily
description-detailed: |
This query visualises total emails with Spam detections over time summarizing the data daily in Microsoft Defender for Office 365. Visualize with chart type "Line".
Taken from the the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
//This query visualises total emails with Spam detections over time summarizing the data daily.
EmailEvents
| where ThreatTypes has "Spam"
| make-series Count = count() default = 0 on Timestamp step 1d
// | render timechart // Uncomment this line to render as a graph
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Daily system health check email sent by the email security gateway
Filter/Exclusion: Exclude emails sent by the email security gateway (e.g., Cisco Secure Email Gateway, Microsoft Defender for Office 365) with a known “system health” or “status report” subject line.
Scenario: Automated report from the SIEM tool (e.g., Splunk, IBM QRadar) sent to the security team
Filter/Exclusion: Exclude emails with a sender domain matching the SIEM tool’s admin domain and containing keywords like “report”, “summary”, or “daily log”.
Scenario: Scheduled backup job notification email from the backup system (e.g., Veeam, Commvault)
Filter/Exclusion: Exclude emails from the backup system’s admin email address or domain, and filter by subject line containing “backup”, “job status”, or “scheduled task”.
Scenario: Internal team communication tool (e.g., Microsoft Teams, Slack) notification email
Filter/Exclusion: Exclude emails from internal communication tools by checking the sender’s email domain (e.g., @teams.microsoft.com, @slack.com) or by filtering emails with specific subject lines like “Meeting reminder” or “Channel activity”.
Scenario: Email confirmation for a scheduled admin task (e.g., Windows Task Scheduler, Ansible playbook execution)
Filter/Exclusion: Exclude emails sent by the task scheduler or automation tool (e.g., @task-scheduler.com, @ansible.com) and filter by subject line containing “task completed”, “job executed”, or “confirmation”.