Top 10 Detection Overrides - Admin Email Submissions (FN)

Hunt Hypothesis

Adversaries may be bypassing detection by overriding admin email submissions that were already identified as false negatives, indicating potential tampering with detection policies. SOC teams should proactively hunt for this behavior to identify possible evasion tactics and ensure detection rules remain effective against evolving threats.

KQL Query

CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
| extend Admin_SubmissionType=
iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Malware_FN",
iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Phish_FN",
iff(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Spam_FN","Other"))),
P2SenderDomain=tostring((parse_json(RawEventData)).P2SenderDomain),NetworkMessageId=tostring((parse_json(RawEventData).ObjectId)),DetectionVerdict=tostring((parse_json(RawEventData)).DeliveryMessageInfo.FinalFilterVerdict),PolicyOverride=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicyOverride),PolicyPolicyOverrideType=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicySource)
| where SubmissionContentType == "Mail" and SubmissionType in ("2","1","0") and PolicyOverride !="NoOverride"
| summarize count() by PolicyOverride, PolicyPolicyOverrideType,DetectionVerdict,Admin_SubmissionType
| project PolicyOverride, PolicyPolicyOverrideType,DetectionVerdict,Admin_SubmissionType, Emails = count_
| top 10 by Emails desc

Analytic Rule Definition

id: 286d115b-7ddb-4422-81d6-711fedae3a92
name: Top 10 Detection Overrides - Admin Email Submissions (FN)
description: |
  This query visualises emails submitted as false negatives by admins where emails where already detected by MDO but there was an admin policy override
description-detailed: |
  This query visualises emails submitted as false negatives by admins where emails where already detected by MDO but there was an admin policy override
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),SubmissionContentType=tostring((parse_json(RawEventData)).SubmissionContentType)
  | extend Admin_SubmissionType=
  iff(SubmissionType == "2" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Malware_FN",
  iff(SubmissionType == "1" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Phish_FN",
  iff(SubmissionType == "0" and ActionType == "AdminSubmissionSubmitted" and SubmissionContentType=="Mail","Admin_Spam_FN","Other"))),
  P2SenderDomain=tostring((parse_json(RawEventData)).P2SenderDomain),NetworkMessageId=tostring((parse_json(RawEventData).ObjectId)),DetectionVerdict=tostring((parse_json(RawEventData)).DeliveryMessageInfo.FinalFilterVerdict),PolicyOverride=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicyOverride),PolicyPolicyOverrideType=tostring((parse_json(RawEventData)).DeliveryMessageInfo.PolicySource)
  | where SubmissionContentType == "Mail" and SubmissionType in ("2","1","0") and PolicyOverride !="NoOverride"
  | summarize count() by PolicyOverride, PolicyPolicyOverrideType,DetectionVerdict,Admin_SubmissionType
  | project PolicyOverride, PolicyPolicyOverrideType,DetectionVerdict,Admin_SubmissionType, Emails = count_
  | top 10 by Emails desc
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`CloudAppEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Top Detection Overrides - Admin Submissions.yaml)

False Positive Guidance

Scenario: Scheduled Email Archiving Job
Description: A scheduled job runs nightly to archive old emails to a compliance storage system, which may trigger the rule due to email submission activity.
Filter/Exclusion: email_subject:*Archive* OR email_to:*[email protected]*
Scenario: Admin Manual Email Submission for Incident Review
Description: An admin manually submits an email for review during an incident investigation, which is flagged as a false negative override.
Filter/Exclusion: email_subject:*Incident Review* AND email_from:*[email protected]*
Scenario: Email Submission via SIEM Integration for Alert Correlation
Description: The SOC team uses a SIEM (e.g., Splunk, QRadar) to correlate alerts and submits emails as part of the correlation process.
Filter/Exclusion: source:*SIEM* OR tool:*Splunk* AND action:*correlation*
Scenario: Email Submission for False Negative Override in MDO
Description: An admin overrides a detection in the Microsoft Defender for Office 365 (MDO) and submits the email for further analysis, which is logged by the system.
Filter/Exclusion: tool:*Microsoft Defender for Office 365* AND action:*override*
Scenario: Email Submission via API for Automated Response
Description: An automated response tool (e.g., Phantom, SOAR) submits emails to the detection system as part of a playbook to handle known threats.
Filter/Exclusion: tool:*Phantom* OR tool:*SOAR* AND action:*playbook*