Top external sender domains identified in Teams messages that carry phishing threats may indicate phishing attempts that leverage trusted-looking domains to bypass user vigilance. SOC teams using Azure Sentinel should proactively hunt for this behavior to detect and mitigate potential phishing campaigns.
KQL Query
//Top External Sender domains sending Teams message with Phish threats
MessageEvents
| where IsExternalThread==1 and IsOwnedThread==0
| where ThreatTypes contains "Phish"
| extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
| summarize count() by SenderDomain
id: e4a64b44-ec9a-4787-9f7a-75ff5394b928
name: Top External Sender domains - Phish
description: |
  Top External Sender domains sending Teams messages with Phish threats
description-detailed: |
  This query helps hunt for top external sender domains sending Teams messages with Phish threats, using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - MessageEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  //Top External Sender domains sending Teams message with Phish threats
  MessageEvents
  | where IsExternalThread==1 and IsOwnedThread==0
  | where ThreatTypes contains "Phish"
  | extend SenderDomain = tostring(split(SenderEmailAddress, "@")[1])
  | summarize count() by SenderDomain
version: 1.0.0
Scenario: Scheduled Job Sending Phish-Like Notifications
Description: A scheduled job (e.g., Microsoft Teams Compliance Sync or third-party reporting tool) sends automated messages to users with subject lines containing “Phish” or “Security Alert” as part of routine compliance checks.
Filter/Exclusion: Exclude messages from known compliance tools or scheduled jobs using the sender field with values like [email protected] or [email protected].
Scenario: Admin Task for User Training
Description: An admin sends a Teams message to a group of users as part of a phishing awareness training exercise, using a subject line that includes the word “Phish” to simulate a real attack.
Filter/Exclusion: Exclude messages sent from admin accounts (e.g., [email protected]) or from groups with specific roles like [email protected].
Scenario: Automated Alert from Microsoft Defender for Office 365
Description: Microsoft Defender for Office 365 triggers an alert and sends a Teams message to the security team with a subject line containing “Phish” to notify of a potential threat.
Filter/Exclusion: Exclude messages from the Microsoft Defender for Office 365 service using the sender field or by checking the message source or alert type metadata.
Scenario: Internal Tool for Threat Intelligence Sharing
Description: An internal threat intelligence tool (e.g., Microsoft Sentinel or a custom SIEM) sends a Teams message to the security team with a subject line containing “Phish” to share new threat indicators.
Filter/Exclusion: Exclude messages from internal tools using the sender field or by checking the tool_id or source_system field in the message metadata.
Scenario: User-Generated Message with “Phish”
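As an added example (not part of the original query or the Sentinel content repository), the hunt above tuned with the exclusions described in the false-positive scenarios: an allowlist of known compliance, training and tool senders, a lookback window, and a minimum distinct-recipient threshold so that a single flagged message does not top the list. The allowlist values are constructed placeholders, and the Timestamp and RecipientEmailAddress columns are assumed from the MessageEvents schema.

```kql
// Tuned version of the page's hunt; allowlist entries below are constructed
// placeholders, replace them with your own compliance, training and tool senders.
let lookback = 7d;
let AllowedSenders = dynamic(["compliance-sync@contoso.example", "phish-training@contoso.example"]);
let AllowedDomains = dynamic(["threatintel-tool.example"]);
let MinRecipients = 3;   // domains hitting fewer users are left for manual review
MessageEvents
| where Timestamp > ago(lookback)                       // assumed column: Timestamp
| where IsExternalThread == 1 and IsOwnedThread == 0    // external, non-owned threads only
| where ThreatTypes contains "Phish"
| extend SenderDomain = tolower(tostring(split(SenderEmailAddress, "@")[1]))
| where tolower(SenderEmailAddress) !in (AllowedSenders) // scenario: known jobs/admins/tools
| where SenderDomain !in (AllowedDomains)                // scenario: whole trusted source domains
| summarize Messages = count(),
            DistinctRecipients = dcount(RecipientEmailAddress), // assumed column
            DistinctSenders = dcount(SenderEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleSenders = make_set(SenderEmailAddress, 5)
    by SenderDomain
| where DistinctRecipients >= MinRecipients              // campaign-like spread, not one-offs
| order by Messages desc
```

Domains that pass the threshold are candidates for a follow-up pivot on the individual messages and recipients rather than a verdict on their own.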