Adversaries may abuse admin email submissions to mask malicious activity: mail from a trusted sender domain that an administrator has submitted as a false positive is less likely to be scrutinised, which helps it evade detection. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel), reviewing which sender domains are most often submitted as false positives, since such a submission can serve as cover for a more sophisticated attack.
KQL Query

```kusto
CloudAppEvents
| where ActionType == "AdminSubmissionSubmitted"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
| where SubmissionContentType == "Mail" and SubmissionType == "3"
| summarize count() by P2SenderDomain
| project P2SenderDomain, Emails = count_
| top 10 by Emails desc
```
```yaml
id: c438f85f-4527-4358-a3b6-fe6a6ff7a202
name: Top 10 sender domains - Admin email submissions (FP)
description: |
  This query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails
description-detailed: |
  This query visualises emails submitted by admins as false positives, summarizing the data by top 10 sender domains of those emails
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "AdminSubmissionSubmitted"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain)
  | where SubmissionContentType == "Mail" and SubmissionType == "3"
  | summarize count() by P2SenderDomain
  | project P2SenderDomain, Emails = count_
  | top 10 by Emails desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
- Scenario: An admin submits a phishing email for testing during a security awareness training exercise.
  Filter/Exclusion: Add a field such as email_subject containing "Phishing Test" or "Security Training" to exclude these submissions.
- Scenario: A scheduled job runs daily to send system health reports via email, and the sender domain is flagged.
  Filter/Exclusion: Exclude emails where the email_from field matches the domain of the system monitoring tool (e.g., [email protected]).
- Scenario: An admin uses a third-party email client (e.g., Microsoft Outlook) to send internal emails, and the sender domain is misidentified.
  Filter/Exclusion: Exclude emails where the email_client field is "Microsoft Outlook" or "Outlook Web App".
- Scenario: A backup job sends a notification email to the admin team after completing a scheduled backup, and the sender domain is flagged.
  Filter/Exclusion: Exclude emails where the email_subject contains "Backup Completed" or "Backup Notification".
- Scenario: An admin uses a service account (e.g., [email protected]) to send automated emails for user onboarding.
  Filter/Exclusion: Exclude emails where the email_from field matches the service account domain or includes a specific service identifier such as "[email protected]".
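The following Python script is an added illustration (not part of the Sentinel query or the Defender for Office 365 solution) that replays the query's logic, from the `parse_json(RawEventData)` extraction through `summarize count() by P2SenderDomain` and `top 10`, over constructed CloudAppEvents-style rows, and adds a known-benign domain allowlist for the false-positive scenarios above. It goes beyond the page in two labelled ways: a numeric `SubmissionType` is accepted the way KQL `tostring()` would, and sender domains are lowercased before counting, which the original KQL does not do; the `UserSubmission` ActionType and all domains are constructed sample values.

```python
import json
from collections import Counter


def event(action, sub_type, content_type, domain):
    """Build one constructed CloudAppEvents-style row; RawEventData is a JSON string as in Sentinel."""
    return {"ActionType": action,
            "RawEventData": json.dumps({"SubmissionType": sub_type,
                                        "SubmissionContentType": content_type,
                                        "P2SenderDomain": domain})}


# Constructed sample rows (not real tenant data); comments mark why each is or is not counted.
SAMPLE_EVENTS = [
    event("AdminSubmissionSubmitted", "3", "Mail", "partner.example"),
    event("AdminSubmissionSubmitted", "3", "Mail", "Partner.example"),   # same domain, different case
    event("AdminSubmissionSubmitted", "3", "Mail", "partner.example"),
    event("AdminSubmissionSubmitted", 3, "Mail", "monitoring.example"),  # numeric SubmissionType
    event("AdminSubmissionSubmitted", "3", "Mail", "monitoring.example"),
    event("AdminSubmissionSubmitted", "3", "Mail", "vendor.example"),
    event("AdminSubmissionSubmitted", "1", "Mail", "partner.example"),   # other submission type
    event("AdminSubmissionSubmitted", "3", "Url", "partner.example"),    # not a Mail submission
    event("UserSubmission", "3", "Mail", "partner.example"),             # constructed non-admin type
]


def fp_sender_domain(row):
    """Mirror the query's where/extend steps: return the lowercased P2 sender domain of an
    admin Mail submission with SubmissionType "3" (the false-positive type per the page), else None."""
    if row.get("ActionType") != "AdminSubmissionSubmitted":
        return None
    try:
        raw = json.loads(row.get("RawEventData") or "{}")
    except json.JSONDecodeError:
        return None  # unparseable RawEventData yields no usable fields
    # KQL tostring() renders a numeric 3 as "3", so compare as strings here as well.
    if raw.get("SubmissionContentType") != "Mail" or str(raw.get("SubmissionType")) != "3":
        return None
    domain = (raw.get("P2SenderDomain") or "").strip().lower()
    return domain or None


def top_sender_domains(rows, limit=10, excluded_domains=()):
    """summarize count() by P2SenderDomain | top <limit>, after dropping allowlisted
    known-benign sender domains (the page's FP exclusions) from the count."""
    excluded = {d.lower() for d in excluded_domains}
    counts = Counter()
    for row in rows:
        domain = fp_sender_domain(row)
        if domain and domain not in excluded:
            counts[domain] += 1
    return counts.most_common(limit)  # list of (domain, email count), highest first
```

Running `top_sender_domains(SAMPLE_EVENTS, excluded_domains=["monitoring.example"])` drops the monitoring tool's domain the way the second scenario above suggests, leaving only domains that still warrant review.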