Adversaries may use compromised outbound recipient domains to send phishing emails containing malicious payloads, leveraging trusted domains to bypass email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential command and control channels or phishing campaigns early.
KQL Query
```kusto
EmailEvents
| where EmailDirection == "Outbound"
| project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
| summarize count() by RecipientDomain
| project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
| join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
| summarize max(OutboundCount),count() by SenderFromDomain
| project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
| sort by OutboundEmails
```
```yaml
id: 61bd29e8-fcfa-4f10-bc8f-b3a64e9493f7
name: Top outbound recipient domains sending inbound emails with threats
description: |
  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats
description-detailed: |
  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats.
  Top outbound recipient domains by volume and number of inbound emails from the same domains as senders with threats.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Outbound"
  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
  | summarize count() by RecipientDomain
  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
  | summarize max(OutboundCount),count() by SenderFromDomain
  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
  | sort by OutboundEmails
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
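To make the join semantics of the query concrete, the following Python re-implements the same aggregation over constructed EmailEvents rows. This is an added example, not part of the original hunting query; the `exclude_domains` allowlist parameter and the `.example` domains are assumptions standing in for the tenant's own domains and the false-positive filters discussed in the scenarios below.

```python
from collections import Counter

def recipient_domain(address: str) -> str:
    """Mirror tostring(split(RecipientEmailAddress, "@")[1]); normalised to lower case."""
    parts = address.split("@")
    return parts[1].lower() if len(parts) > 1 else ""

def hunt(events, exclude_domains=()):
    """Domains we mail outbound that also send us inbound mail carrying threats.

    exclude_domains is an assumed allowlist (own tenant domains, known automation
    senders) standing in for the false-positive filters described on this page.
    """
    events = list(events)
    excluded = {d.lower() for d in exclude_domains}
    # | where EmailDirection == "Outbound" | summarize count() by RecipientDomain
    outbound = Counter(recipient_domain(e["RecipientEmailAddress"])
                       for e in events if e["EmailDirection"] == "Outbound")
    # inbound rows with a non-empty ThreatTypes, counted by SenderFromDomain
    threats = Counter(e["SenderFromDomain"].lower() for e in events
                      if e["EmailDirection"] == "Inbound" and e.get("ThreatTypes"))
    # the join is inner: a domain must appear on both sides to be reported
    rows = [{"SenderFromDomain": d, "OutboundEmails": n,
             "IncomingEmailsWithThreats": threats[d]}
            for d, n in outbound.items() if d in threats and d not in excluded]
    # | sort by OutboundEmails  (descending, as in KQL)
    return sorted(rows, key=lambda r: r["OutboundEmails"], reverse=True)

def _ev(direction, sender_domain, recipient, threats=""):
    return {"EmailDirection": direction, "SenderFromDomain": sender_domain,
            "RecipientEmailAddress": recipient, "ThreatTypes": threats}

# Constructed sample rows; the .example domains are placeholders, not indicators.
SAMPLE_EVENTS = (
    [_ev("Outbound", "contoso.example", "a@partner.example")] * 3
    + [_ev("Outbound", "contoso.example", "b@vendor.example")] * 2
    + [_ev("Outbound", "contoso.example", "c@contoso.example")] * 5        # internal
    + [_ev("Inbound", "partner.example", "x@contoso.example", "Phish")] * 2
    + [_ev("Inbound", "partner.example", "x@contoso.example")]             # clean
    + [_ev("Inbound", "vendor.example", "x@contoso.example")]              # clean
    + [_ev("Inbound", "contoso.example", "x@contoso.example", "Malware")]  # spoofed self
    + [_ev("Inbound", "other.example", "x@contoso.example", "Phish")]      # no outbound
)

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, exclude_domains=["contoso.example"]):
        print(row)
```

Without the allowlist the tenant's own domain tops the list because of the spoofed inbound row, which is exactly the internal-forwarding false positive the scenarios below describe.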
- **Scenario:** Legitimate email forwarding between departments
  **Description:** A user in the IT department forwards emails to the finance department using a legitimate internal domain.
  **Filter/Exclusion:** Exclude emails where the sender and recipient are within the same domain and the email is part of a known internal forwarding workflow (e.g., using Microsoft Exchange’s ForwardedFrom header or X-MS-Exchange-Organization-ForwardedFrom header).
- **Scenario:** Scheduled job sending reports to a third-party service
  **Description:** A scheduled job (e.g., using Ansible or a cron job) sends daily reports to a third-party analytics service (e.g., Splunk or Datadog).
  **Filter/Exclusion:** Exclude emails sent from known automation tools or scheduled jobs (e.g., using X-MS-Exchange-Organization-Message-Id or X-MS-Exchange-Organization-Source headers to identify automated workflows).
- **Scenario:** Email notifications from a SIEM or SOAR tool
  **Description:** A SIEM (e.g., Splunk) or SOAR (e.g., Palo Alto Prisma Access) sends alerts or notifications to an internal email address.
  **Filter/Exclusion:** Exclude emails sent from known SIEM/SOAR tools by checking the From header or using a custom field like X-Siem-Alert or X-SOAR-Notification.
- **Scenario:** Internal user sharing files via email with a cloud storage link
  **Description:** A user shares a file via email by embedding a cloud storage link (e.g., Google Drive or OneDrive), which may be flagged as a potential threat.
  **Filter/Exclusion:** Exclude emails containing links to internal cloud storage (e.g., using X-MS-Exchange-Organization-Cloud-Storage or checking the domain against a