The hypothesis is that adversaries are targeting high-value users to gain persistent access and exfiltrate sensitive data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term compromises before significant damage occurs.
KQL Query

```kql
let topTargeted = toscalar( EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| summarize percentiles(total,90));
EmailEvents
| where DetectionMethods != ""
| summarize total=count() by RecipientEmailAddress
| where total >= topTargeted
| order by total desc
```
```yaml
id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
name: Top 10% of most attacked users
description: |
  This query helps review the list of the top 10% of most attacked users
description-detailed: |
  This query helps review the list of the top 10% of most attacked users using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let topTargeted = toscalar( EmailEvents
  | where DetectionMethods != ""
  | summarize total=count() by RecipientEmailAddress
  | summarize percentiles(total,90));
  EmailEvents
  | where DetectionMethods != ""
  | summarize total=count() by RecipientEmailAddress
  | where total >= topTargeted
  | order by total desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
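The query above only ranks recipients by the number of detected messages. The natural next hunting step is to pivot from that threshold to the threats that actually reached those recipients' mailboxes. The following is an added example, not part of the original query; it assumes the standard Defender for Office 365 EmailEvents columns (Timestamp, DeliveryAction, ThreatTypes, SenderFromAddress) and a 30-day lookback chosen here for illustration.

```kql
// Added example: pivot from the "top 10%" threshold to delivered threats per recipient.
// Assumes the standard EmailEvents schema; the 30d lookback is an illustrative choice.
let lookback = 30d;
let attacked = EmailEvents
    | where Timestamp > ago(lookback)
    | where DetectionMethods != ""            // only messages a detection fired on
    | summarize total = count() by RecipientEmailAddress;
// Same threshold as the original query, restricted to the lookback window.
let topTargeted = toscalar(attacked | summarize percentile(total, 90));
attacked
| where total >= topTargeted
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DetectionMethods != ""
    | where DeliveryAction == "Delivered"      // threat was not blocked or junked
) on RecipientEmailAddress
| summarize
    DetectedMessages = max(total),             // all detections for the recipient
    DeliveredThreats = count(),                // subset that reached the mailbox
    ThreatTypes = make_set(ThreatTypes, 10),
    Senders = make_set(SenderFromAddress, 10),
    LastSeen = max(Timestamp)
  by RecipientEmailAddress
| order by DeliveredThreats desc
```

Recipients with a high DeliveredThreats count are the ones to prioritize for mailbox review and credential-reset decisions; those with detections but zero delivered threats were protected by the existing controls.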
- Scenario: A system administrator is performing a scheduled backup of user data using Veeam Backup & Replication.
  Filter/Exclusion: Exclude events related to Veeam or backup processes using the process.name field.
- Scenario: A security analyst is manually reviewing user activity logs via Splunk for a security incident investigation.
  Filter/Exclusion: Exclude events where the user.role is security_analyst or where the tool field is Splunk.
- Scenario: A daily Active Directory replication job is running between domain controllers using Replication Manager.
  Filter/Exclusion: Exclude events with source or destination as domain controllers and process.name containing replication.
- Scenario: A Windows Update task is being executed across the enterprise using Group Policy.
  Filter/Exclusion: Exclude events where process.name is wuauclt.exe or event_id is related to Windows Update.
- Scenario: A log aggregation and normalization task is running using ELK Stack (Elasticsearch, Logstash, Kibana).
  Filter/Exclusion: Exclude events where the tool field is logstash or elasticsearch, or where the event_type is log_normalization.