← Back to SOC feed Coverage →

Top Domains Outbound with Emails with Threats Inbound (Partner BEC)

kql MEDIUM Azure-Sentinel
T1566
EmailEvents
huntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-18T11:00:00Z · Confidence: medium

Hunt Hypothesis

This query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)

KQL Query

EmailEvents
| where EmailDirection == "Outbound"
| project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| summarize count() by RecipientDomain
| project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
| join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
| summarize max(OutboundCount),count() by SenderFromDomain
| project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
| sort by OutboundEmails

Analytic Rule Definition

id: 195d52f8-7669-444a-9021-f30c140cb9ac
name: Top Domains Outbound with Emails with Threats Inbound (Partner BEC)
description: |
  This query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)
description-detailed: |
  This query visualises top outbound recipient domains by outbound email volume and shows total number of inbound emails with Threats from the same domains (as inbound senders)
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Outbound"
  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
  | summarize count() by RecipientDomain
  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
  | summarize max(OutboundCount),count() by SenderFromDomain
  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
  | sort by OutboundEmails
version: 1.0.0

Required Data Sources

Sentinel TableNotes
EmailEventsEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Spoof and Impersonation/Top Domains with BEC Threats inbound.yaml