Adversaries may override email blocking policies to exfiltrate data or communicate covertly, leveraging user privileges to bypass standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential insider threats or sophisticated phishing attempts that evade automated detection.
KQL Query
```kql
// Count emails that hit a user-level (mailbox owner) policy whose action was Block,
// bucketed per day so that spikes in user overrides stand out
EmailEvents
| where UserLevelPolicy != "" and UserLevelAction == "Block"
| make-series TotalUserOverrides = count() default = 0 on Timestamp step 1d
// | render columnchart // Uncomment this line to render as a graph
```
```yaml
id: 295ac28c-919c-48b9-8a38-a0f792f2b92b
name: Total Emails with User Overrides (Block)
description: |
  This query visualises the number of emails subject to a user-level policy with an action of Block, summarised daily.
description-detailed: |
  This query visualises the number of emails subject to a user-level policy with an action of Block, summarised daily.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where UserLevelPolicy != "" and UserLevelAction == "Block"
  | make-series TotalUserOverrides = count() default = 0 on Timestamp step 1d
  // | render columnchart // Uncomment this line to render as a graph
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Archiving Job
Description: A daily scheduled job runs to archive old emails to a compliance storage system, which may trigger the rule if the archived emails are subject to a block policy.
Filter/Exclusion: Exclude emails where the message_id matches the archiving job’s known archive log entries or filter by source_ip associated with the archiving service (e.g., Microsoft Exchange Archiving Service).
Scenario: User-Initiated Email Override for Reporting Purposes
Description: A user manually overrides the block policy to send an email to a compliance officer for internal reporting, which is a legitimate administrative task.
Filter/Exclusion: Exclude emails where the sender is a known compliance or admin user (e.g., [email protected]) or where the subject contains keywords like “reporting” or “compliance review”.
Scenario: Automated Email Notification from a Third-Party Service
Description: A third-party service (e.g., ServiceNow, Jira, or Salesforce) sends automated emails to users, which may be blocked by the policy due to their source or content.
Filter/Exclusion: Exclude emails where the source_ip is from a known third-party service IP range or where the sender domain is whitelisted (e.g., service-now.com, salesforce.com).
Scenario: Emails Sent by a System User for Internal Automation
Description: A system user (e.g., [email protected]) sends emails as part of an automated workflow (e.g., sending reminders or notifications), which may be flagged due to the user type policy.
Filter/Exclusion: Exclude emails where the sender is a system user or where the from_email matches a predefined list of system accounts.
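As an added example (not the page's or the Defender for Office 365 solution's own query), the daily series above extended with the exclusions described in the scenarios and with anomaly flagging on the series, then joined back to the raw events so an analyst can see which senders and policies drove a spike. The allowlist contents, the 30-day lookback and the anomaly threshold are assumptions to be tuned per tenant.

```kql
// Assumed allowlists (placeholders, not from the page): third-party service domains and
// system/automation senders that legitimately hit user-level Block policies
let KnownServiceDomains = dynamic(["service-now.com", "salesforce.com"]);
let KnownSystemSenders  = dynamic(["noreply@example.com"]);
let lookback = 30d;            // assumed window
// Base set: user-level policy applied with action Block, minus known-benign senders
let baseline = EmailEvents
| where Timestamp > ago(lookback)
| where isnotempty(UserLevelPolicy) and UserLevelAction == "Block"
| where SenderFromDomain !in~ (KnownServiceDomains)
| where SenderFromAddress !in~ (KnownSystemSenders);
// Daily series as on the page, with series_decompose_anomalies flagging unusual days
let anomalousDays = baseline
| make-series TotalUserOverrides = count() default = 0
    on Timestamp from ago(lookback) to now() step 1d
| extend (Anomalies, Score, BaselineCount) = series_decompose_anomalies(TotalUserOverrides, 1.5)
| mv-expand Timestamp to typeof(datetime), TotalUserOverrides to typeof(long), Anomalies to typeof(int)
| where Anomalies > 0          // keep only positive spikes, not unusually quiet days
| project Day = Timestamp, TotalUserOverrides;
// Triage view: who sent the blocked mail on the anomalous days, under which policy
baseline
| extend Day = bin(Timestamp, 1d)
| join kind=inner anomalousDays on Day
| summarize Blocked = count(),
            Recipients = make_set(RecipientEmailAddress, 20),
            SampleSubjects = make_set(Subject, 5)
    by Day, SenderFromAddress, SenderIPv4, UserLevelPolicy, TotalUserOverrides
| order by Day desc, Blocked desc
```

Senders that appear repeatedly on anomalous days with a single recipient are worth a closer look against the insider-exfiltration scenario in the introduction; one-off bursts tied to a known service domain usually belong in the allowlist instead.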