Adversaries may use external email addresses to send phishing emails, leveraging compromised or spoofed accounts to trick users into divulging sensitive information. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns early and mitigate associated risks.
KQL Query

```kql
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes has "Phish"
//| where SenderFromAddress !contains ".yourdomain.com"
| summarize count() by SenderFromAddress
| sort by count_ desc
| top 10 by count_
| render piechart
```
```yaml
id: db9789ab-0636-4ea6-b779-1b72b4b64aac
name: Top 10 External Senders (Phish)
description: |
  Identifies the top 10 external sender addresses delivering inbound emails classified as phishing.
  If you want to exclude your own organization's domains (including subdomains), add a filter after the phishing filter, e.g.:
    | where SenderFromAddress !contains ".yourdomain.com"
  (Replace "yourdomain.com" with your actual domain.)
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | where ThreatTypes has "Phish"
  //| where SenderFromAddress !contains ".yourdomain.com"
  | summarize count() by SenderFromAddress
  | sort by count_ desc
  | top 10 by count_
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate Email Campaigns from Trusted Partners
Description: A trusted business partner sends a large volume of emails to your organization as part of a legitimate marketing or onboarding campaign. These emails may be misclassified as phishing due to similar sender patterns.
Filter/Exclusion: Add a filter to exclude sender domains from known trusted partners (e.g., from.domain.com), using a tool like Microsoft Defender for Office 365 or Cisco Secure Email Gateway. You can also use Exchange Online Protection (EOP) to create a safe sender list.
Scenario: Automated Email Notifications from SaaS Providers
Description: A SaaS provider (e.g., Salesforce, ServiceNow, or Zendesk) sends automated emails to your users, which may be flagged as phishing due to the sender’s external domain.
Filter/Exclusion: Use Microsoft Defender for Office 365 to create a safe sender list or safe domain list for the SaaS provider’s domain. Alternatively, use Exchange Online’s mail flow rules to bypass phishing detection for these domains.
Scenario: Internal User Testing with External Email Accounts
Description: An internal team uses external email accounts (e.g., for testing or development) to send emails to internal users, which may be flagged as phishing due to the external sender address.
Filter/Exclusion: Add a filter to exclude senders from specific external domains used for testing. Use Microsoft 365 Advanced Threat Protection (ATP) or Cisco Secure Email Gateway to create a blocked sender list or allowed sender list for these domains.
Scenario: Scheduled Reports from External Systems
Description: An external system (e.g., a CRM or analytics tool) sends scheduled reports to your organization, which may be flagged as phishing due to the
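The domain exclusions that the description and the false-positive scenarios above call for (your own domains, trusted partners, SaaS notifiers) can be kept inside the hunting query itself, so the top-10 list is not dominated by known senders. The following is an added example, not the original query and not Microsoft's workbook code. The allowlist entries and `yourdomain.com` are placeholders to replace with your own values, and the query assumes the `SenderFromDomain`, `DeliveryAction`, `RecipientEmailAddress` and `Timestamp` columns of the EmailEvents table.

```kql
// Constructed allowlist of sender domains that regularly trip phishing verdicts
// (trusted partners, SaaS notification senders). Replace the placeholder values.
let TrustedSenderDomains = datatable(Domain: string) [
    "partner.example",       // placeholder: trusted business partner
    "notify.saas.example"    // placeholder: SaaS notification sender
];
// Placeholder for the organization's own apex domain.
let OrgDomain = "yourdomain.com";
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where ThreatTypes has "Phish"
// Normalize once; SenderFromDomain is the domain of the visible From header.
| extend SenderDomain = tolower(SenderFromDomain)
// Exclude the apex domain and its subdomains with whole-domain matches rather than
// a substring test, so "user@yourdomain.com" is excluded as well as subdomains.
| where SenderDomain != OrgDomain and not(SenderDomain endswith strcat(".", OrgDomain))
// Exclude the curated allowlist (case-insensitive membership test).
| where SenderDomain !in~ (TrustedSenderDomains)
| summarize PhishCount = count(),
            DeliveredToMailbox = countif(DeliveryAction == "Delivered"),
            Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by SenderFromAddress, SenderDomain
| top 10 by PhishCount desc
```

The `DeliveredToMailbox` column separates senders whose phishing mail was junked or blocked from those whose mail actually reached inboxes, which is the subset worth triaging first; `Recipients` distinguishes a broad campaign from repeated attempts against one user. Maintaining the allowlist as a `datatable` (or a watchlist) keeps exclusions reviewable in the query rather than buried in gateway policy.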