Adversaries may be using compromised domains to send bulk emails as part of a phishing or spam campaign, leveraging the domain’s reputation to bypass email filters. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft or malware distribution vectors.
KQL Query
//This query visualises the total inbound emails that carry any Bulk Complaint Level (BCL). It summarises the data by BCL and by the SenderFromDomain of the sender, showing how many messages were detected at each BCL for each sender domain.
EmailEvents
| where EmailDirection == "Inbound" and isnotempty(BulkComplaintLevel) // drop rows with no BCL value (the column is numeric, not a string)
| where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
| summarize count() by BulkComplaintLevel, SenderFromDomain
| sort by count_ desc
| project SenderFromDomain, BulkComplaintLevel, Emails=count_
| take 10
id: fc3e5da4-9a8d-4f2f-b714-7118bc00b5d8
name: Top 10 domains sending Bulk email
description: |
  This query visualises the total inbound emails that carry any Bulk Complaint Level (BCL).
description-detailed: |
  This query visualises the total inbound emails that carry any Bulk Complaint Level (BCL). It summarises the data by BCL and by the SenderFromDomain of the sender, showing how many messages were detected at each BCL for each sender domain in Microsoft Defender for Office 365.
  Taken from the Microsoft Defender for Office 365 Detections and Insights - Microsoft Sentinel workbook.
  https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //This query visualises the total inbound emails that carry any Bulk Complaint Level (BCL). It summarises the data by BCL and by the SenderFromDomain of the sender, showing how many messages were detected at each BCL for each sender domain.
  EmailEvents
  | where EmailDirection == "Inbound" and isnotempty(BulkComplaintLevel) // drop rows with no BCL value (the column is numeric, not a string)
  | where Timestamp > ago(30d) // last 30 days by default, replace 30d with the desired period
  | summarize count() by BulkComplaintLevel, SenderFromDomain
  | sort by count_ desc
  | project SenderFromDomain, BulkComplaintLevel, Emails=count_
  | take 10
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: A system administrator uses Microsoft Exchange Online to send out scheduled PowerShell scripts that generate bulk emails for internal announcements.
Filter/Exclusion: Exclude emails sent from the “[email protected]” email address or filter by sender IP address associated with the internal Exchange server.
Scenario: A scheduled job in AWS SES (Simple Email Service) is configured to send out daily reports to multiple users within the organization.
Filter/Exclusion: Exclude emails sent to internal domains (e.g., @company.com) or filter by sender domain using the SenderFromDomain field.
Scenario: A third-party SaaS tool (e.g., HubSpot or Salesforce) sends outbound emails to customers as part of its standard operations.
Filter/Exclusion: Exclude emails originating from known third-party email domains (e.g., @hubspot.com, @salesforce.com) or use a whitelist of approved domains.
Scenario: An email marketing platform (e.g., Mailchimp) is used to send out newsletters to a large customer list.
Filter/Exclusion: Exclude emails sent from the email marketing service provider’s domain or filter by subject line containing keywords like “newsletter” or “update”.
Scenario: A system health check or log alert is configured to send emails to the IT operations team when certain thresholds are met.
Filter/Exclusion: Exclude emails sent from the IT operations email address or filter by email subject line containing terms like “alert”, “check”, or “health”.
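As an added example (not part of the workbook or this query's YAML), the hunt above with the exclusions from these scenarios applied. The allowlist domains, subject keywords and the BCL threshold are constructed placeholders to replace with your own values.

```kql
// Added example, not from the workbook: the bulk-sender hunt with the false-positive
// exclusions above applied. Allowlist entries, subject keywords and the BCL threshold
// are constructed placeholders; replace them with values from your own environment.
let lookback = 30d;
let minBcl = 4;  // assumed: treat BCL 4 and above as bulk worth reviewing
let approvedBulkSenders = dynamic([
    "newsletters.example.test",   // e.g. the email marketing platform's sending domain
    "reports.example.test",       // e.g. the AWS SES domain used for scheduled reports
    "example.test"                // internal domain used by scripts, health checks and alerts
]);
let operationalSubjects = dynamic(["newsletter", "health check", "alert"]);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where BulkComplaintLevel >= minBcl          // rows with no BCL value fail the comparison and are dropped
// Remove known internal and third-party bulk senders (exact, case-insensitive domain match)
| where not(SenderFromDomain in~ (approvedBulkSenders))
// Remove scripted operational mail identified by subject keywords, as suggested above
| where not(Subject has_any (operationalSubjects))
| summarize
    Emails         = count(),
    Recipients     = dcount(RecipientEmailAddress),
    SenderIPs      = dcount(SenderIPv4),
    MinBCL         = min(BulkComplaintLevel),
    MaxBCL         = max(BulkComplaintLevel),
    Delivered      = countif(DeliveryAction == "Delivered"),  // reached mailboxes despite the BCL
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp),
    SampleSubjects = make_set(Subject, 3)
    by SenderFromDomain
| top 10 by Emails desc
```

Domains that remain after the allowlist and subject filters, especially those with many recipients and a high Delivered count, are the ones to review for the compromised-domain scenario described at the top of the page.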