Adversaries often concentrate malware, phishing, or spam campaigns behind a small number of sender domains, so the domains that account for the most malicious inbound mail are a good starting point for finding attempts to compromise users and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and network infiltration attempts.
KQL Query

```kql
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Malware", "Phish", "Spam")
// Uncomment the line below to exclude your own organization's domains (including subdomains)
// | where SenderFromDomain !contains ".yourdomain.com"
| summarize count() by SenderFromDomain
| sort by count_ desc
| top 10 by count_
| render piechart
```
```yaml
id: af183f01-6d98-4fca-8ca4-63577b78a26e
name: Top 10 Domains sending Malicious Emails (Malware+Phish+Spam)
description: |
  Identifies the top 10 sender domains delivering inbound emails classified as malware, phishing, or spam.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | where ThreatTypes has_any ("Malware", "Phish", "Spam")
  // Uncomment the line below to exclude your own organization's domains (including subdomains)
  // | where SenderFromDomain !contains ".yourdomain.com"
  | summarize count() by SenderFromDomain
  | sort by count_ desc
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
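The following is an added example, not the page's own query: the same hunt with a maintained allowlist for the kind of benign automated senders described in the false-positive scenarios below, and an exact-suffix check for the organization's own domain instead of the commented-out `!contains` filter. A substring test such as `!contains ".yourdomain.com"` also drops look-alike sender domains that merely embed the string (for example `login.yourdomain.com.example`), which are precisely the senders this hunt should surface. The domain names and the `BenignSenderDomains` list are placeholders to replace with values identified during your own triage.

```kql
// Added example, not the original page's query. Domain names are placeholders.
let OwnDomain = "yourdomain.com";                  // placeholder: your primary domain
let BenignSenderDomains = dynamic([                // placeholder allowlist from FP triage
    "archive.corporate.com",
    "reports.corporate.com",
    "teams.microsoft.com",
    "admin.microsoft.com",
    "intune.microsoft.com"
]);
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where ThreatTypes has_any ("Malware", "Phish", "Spam")
// Keep only senders that are neither the organization's domain nor a true subdomain of it;
// a look-alike such as login.yourdomain.com.example fails both tests and is retained.
| where not(SenderFromDomain =~ OwnDomain or SenderFromDomain endswith strcat(".", OwnDomain))
// Drop senders already reviewed and accepted as benign automation
| where SenderFromDomain !in~ (BenignSenderDomains)
| summarize
    Emails = count(),
    Recipients = dcount(RecipientEmailAddress),
    Threats = make_set(ThreatTypes)
  by SenderFromDomain
| top 10 by Emails desc
```

The `Recipients` column helps separate a broad campaign (many distinct recipients) from a single user who keeps receiving mail from one noisy sender, and `Threats` shows whether a domain is purely spam or also carries malware or phishing verdicts. Review additions to the allowlist the same way the scenarios below recommend for Defender sender-domain exclusions, since an over-broad entry hides the very domains the hunt exists to find.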
Scenario: Scheduled email archiving or migration jobs
Description: Automated tools like Microsoft Purview Archiving or Exchange Online Migration Wizard may send emails from a domain (e.g., archive.corporate.com) to archive or migrate data. These emails are often classified as spam or phishing due to their content or headers.
Filter/Exclusion: Exclude domains associated with Microsoft Purview or Exchange Online Migration using a sender domain exclusion list in Defender for Office 365 or Microsoft 365 Defender.
Scenario: Internal email reporting or analytics tools
Description: Tools like Microsoft 365 Usage Reports, Power BI dashboards, or Power Automate workflows may send emails from a domain (e.g., reports.corporate.com) to internal users with alerts or summaries. These emails can be flagged as phishing or spam.
Filter/Exclusion: Exclude domains used by Power BI, Power Automate, or Microsoft 365 Usage Reports using a sender domain exclusion list in Microsoft 365 Defender.
Scenario: Third-party service notifications
Description: Notifications from Microsoft Teams, Azure AD, or Intune (e.g., teams.microsoft.com, admin.microsoft.com) may be flagged as phishing or spam due to their content or sender domain.
Filter/Exclusion: Exclude domains like teams.microsoft.com, admin.microsoft.com, and intune.microsoft.com using sender domain exclusion rules in Microsoft 365 Defender.
Scenario: Automated email testing or security validation
Description: Security tools like Microsoft Defender for Office 365 or Microsoft Defender for Endpoint may send test emails from a domain (e