Adversaries with administrative rights in the mail tenant can use admin overrides (organisation-level allow policies such as allowed-sender lists or transport rules) to push messages past email filtering, delivering phishing or malware that would otherwise be blocked, or letting data leave unchallenged. SOC teams should proactively hunt for this in Microsoft Sentinel (formerly Azure Sentinel): a sudden or sustained rise in messages allowed by a given override policy is a lead for abuse of administrative privilege and for phishing or malware delivery that the filtering stack never got to act on.
KQL Query

```kql
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
// Organisation-level (admin) policy present and its verdict was Allow.
| where OrgLevelPolicy != "" and OrgLevelAction == "Allow" // and OrgLevelPolicy != "SecOps Mailbox" // uncomment the previous clause to exclude the SecOps mailbox override
// One daily bucket per override policy so each policy gets its own line on the chart.
| make-series Count = count() on Timestamp from TimeStart to TimeEnd step 1d by OrgLevelPolicy
| render timechart
```
```yaml
id: 85000725-df05-479e-8cfd-78310b659714
name: Total Emails with Admin Overrides (Allow)
description: |
  This query visualises the total number of emails subject to an admin (organisation-level) policy whose action is Allow, regardless of the delivery action ultimately taken, summarised per day by type of override.
description-detailed: |
  This query visualises the total number of emails subject to an admin (organisation-level) policy whose action is Allow, regardless of the delivery action ultimately taken, summarised per day by type of override.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  | where OrgLevelPolicy != "" and OrgLevelAction == "Allow" // and OrgLevelPolicy != "SecOps Mailbox" // uncomment the previous clause to exclude the SecOps mailbox override
  | make-series Count = count() on Timestamp from TimeStart to TimeEnd step 1d by OrgLevelPolicy
  | render timechart
version: 1.0.0
```
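The timechart above shows volume but leaves the analyst to eyeball spikes. The following query, added here as an example and not part of the original page or of the Sentinel solution, keeps the same 30-day daily series per OrgLevelPolicy, flags days on which a policy's allow count is an upward outlier against that policy's own baseline (series_decompose_anomalies), and joins back to EmailEvents to show which senders, subjects and threat verdicts drove each anomalous day. The 1.5 anomaly threshold and the exclusion of the SecOps Mailbox policy are choices made for this example.

```kql
// Added example: per-policy anomaly detection over the same daily series as the page's query.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Same selection as the page's query: an org-level override with verdict Allow.
let AllowedByOverride = EmailEvents
    | where Timestamp between (TimeStart .. TimeEnd)
    | where isnotempty(OrgLevelPolicy) and OrgLevelAction == "Allow"
    | where OrgLevelPolicy != "SecOps Mailbox";   // expected bypass traffic; drop to keep it in scope
AllowedByOverride
| make-series Count = count() on Timestamp from TimeStart to TimeEnd step 1d by OrgLevelPolicy
// Decompose each policy's series into baseline + residual; Anomalies is +1 for an upward outlier,
// -1 for a downward one, 0 otherwise. Threshold 1.5 (example value), seasonality auto-detected (-1),
// linear trend fit.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5, -1, 'linefit')
// Expand the parallel arrays back into one row per policy per day.
| mv-expand Timestamp to typeof(datetime), Count to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Anomalies > 0                               // only days with more allows than the baseline predicts
| project Timestamp, OrgLevelPolicy, Count, Baseline = round(Baseline), Score
// Pull the messages behind each anomalous day so the analyst can triage without a second query.
| join kind=inner (
    AllowedByOverride
    | extend Day = startofday(Timestamp)
    | summarize Senders = make_set(SenderFromAddress, 10),
                Subjects = make_set(Subject, 5),
                Threats = make_set(ThreatTypes, 5),
                Recipients = dcount(RecipientEmailAddress)
        by Day, OrgLevelPolicy
  ) on $left.Timestamp == $right.Day, OrgLevelPolicy
| project Timestamp, OrgLevelPolicy, Count, Baseline, Score, Recipients, Senders, Subjects, Threats
| order by Score desc
```

Read the output top-down: a high Score with a non-empty Threats set means an override let messages through that Defender had already classified as phish or malware, which is the page's concern in concrete form. A spike with empty Threats and a single internal sender is more likely one of the benign scenarios listed below.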
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled and the EmailEvents table is selected. |
Scenario: Scheduled Email Archiving Job
Description: A scheduled job runs daily to archive old emails, and its messages are allowed by an admin override that bypasses filtering.
Filter/Exclusion: Add a where clause to the KQL that excludes messages whose Subject contains "Archive" or that come from the job's sender address. EmailEvents has no job-name column, so a job identifier such as "DailyEmailArchiveJob" can only be matched if the job places it in the subject or sender; better still, exclude the specific OrgLevelPolicy value that allows the job's mail.
Scenario: User-Initiated Email Approval Process
Description: A user submits an email for approval through an internal portal, which triggers an admin override to allow the email to be sent.
Filter/Exclusion: Exclude messages whose sender is the internal approval tool (e.g., ServiceNow or Jira), or whose OrgLevelPolicy is the specific policy the approval workflow uses; do not rely on an "approval" action string, which EmailEvents does not carry.
Scenario: System-Generated Notification Emails
Description: Automated systems send notification emails (e.g., password reset, account lockout) that are allowed via admin override because they are operationally critical.
Filter/Exclusion: Exclude messages whose SenderFromAddress matches an internal system mailbox (e.g., [email protected]) or whose Subject contains keywords like "Password Reset" or "Account Lockout". Make the sender match the primary condition: subject keywords are attacker-controlled and are exactly what a credential-phishing lure uses.
Scenario: Admin Override for Compliance Audit Emails
Description: An admin manually overrides policies to allow emails sent as part of a compliance audit or regulatory reporting.
Filter/Exclusion: Exclude messages whose Subject contains "Compliance Audit" or "Regulatory Report" and whose sender is the admin account (e.g., [email protected]); require both conditions, since either one alone is trivial for an attacker to satisfy.
Scenario: Email Forwarding Rule with Admin Override
Description: A user has a forwarding rule configured in their email client that uses an admin override to forward emails to another internal system.
Filter/Exclusion: Exclude emails where the `forward_to
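The exclusions above can be expressed directly in KQL on EmailEvents columns and combined with a sharper selection: override-allowed messages that Defender nonetheless tagged with a threat and that were delivered to a mailbox. The query below is an added example, not from the original page or the Sentinel solution. The sender list and subject keywords are placeholders built from the scenarios above, noreply@contoso.example is a hypothetical address, and the SPF and DMARC key names read from AuthenticationDetails are assumed from that column's JSON shape; verify them against a sample row in your tenant before relying on the FailedAuth column.

```kql
// Added example: triage override-allowed mail that still carried a Defender threat verdict,
// with the page's false-positive exclusions expressed on real EmailEvents columns.
let TimeStart = ago(7d);
// Hypothetical allow-lists for this example; replace with the tenant's real values.
let SystemSenders  = dynamic(["noreply@contoso.example"]);          // scenario: system notifications
let BenignSubjects = dynamic(["Archive", "Password Reset", "Account Lockout",
                              "Compliance Audit", "Regulatory Report"]);
EmailEvents
| where Timestamp >= TimeStart
| where isnotempty(OrgLevelPolicy) and OrgLevelAction == "Allow"
| where OrgLevelPolicy != "SecOps Mailbox"        // expected bypass traffic
| where isnotempty(ThreatTypes)                   // Defender still assigned Phish / Malware / Spam
| where DeliveryAction == "Delivered"             // the override actually placed it in a mailbox
// Exclusions from the scenarios above. Sender-based exclusions are applied unconditionally;
// subject keywords are attacker-controlled, so they are only honoured for internal senders.
| where SenderFromAddress !in~ (SystemSenders)
| where not(EmailDirection == "Intra-org" and Subject has_any (BenignSubjects))
// Authentication results for the visible From domain; assumed keys SPF / DMARC with "pass" / "fail".
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DMARC = tostring(Auth.DMARC)
| summarize Messages   = count(),
            Recipients = dcount(RecipientEmailAddress),
            FailedAuth = countif(SPF == "fail" or DMARC == "fail"),
            Threats    = make_set(ThreatTypes, 5),
            Subjects   = make_set(Subject, 5),
            Senders    = make_set(SenderFromAddress, 10)
        by OrgLevelPolicy, SenderFromDomain
// External domains that fail authentication yet are allowed by an override rise to the top.
| order by FailedAuth desc, Messages desc
```

Every exclusion here is scoped to a concrete column value; when tuning for your tenant, prefer excluding a named OrgLevelPolicy or an authenticated sender domain over a subject keyword, because the former is something an attacker cannot set from the outside.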