Adversaries may be evading detection by abusing admin-defined policy overrides: an email that Microsoft Defender for Office 365 (MDO) already detected is still delivered because a tenant-level override allowed it, and the recipient then reports it as a false negative. SOC teams should proactively hunt for this pattern in Azure Sentinel to identify and mitigate attempts to circumvent existing email security controls.
KQL Query

```kql
CloudAppEvents
| where ActionType == "UserSubmission"
// Pull the submission fields out of the raw JSON payload; the submitting account is the recipient
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         RecipientObjectId = AccountObjectId
// SubmissionType 1 = user reported phish, 0 = user reported spam (both are user-reported false negatives)
| extend User_SubmissionType = iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
                               iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
         NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
// Match each submission to the delivery verdict for the same message and recipient
| join EmailEvents on NetworkMessageId, RecipientObjectId
// Keep only messages MDO detected where a tenant-level (org) policy acted on the verdict
| where ThreatTypes != "" and OrgLevelAction != ""
| summarize count() by OrgLevelAction, OrgLevelPolicy, ThreatTypes, User_SubmissionType
| project OrgLevelAction, OrgLevelPolicy, ThreatTypes, User_SubmissionType, UserSubmissions = count_
| top 10 by UserSubmissions desc
```
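To check the query's join and filter logic before deploying it, the following Python emulation (an added example, not part of the original hunting query or the Sentinel solution) replays the same steps over constructed CloudAppEvents and EmailEvents rows: parse `RawEventData`, classify the submission, join on `NetworkMessageId` plus `RecipientObjectId`, drop rows without a detection or an org-level action, and rank the groups. It also reproduces the innerunique semantics of KQL's default `join`, which the query relies on implicitly; the policy names and object ids are placeholders.

```python
import json
from collections import Counter
# Constructed sample rows (not real tenant data); RawEventData holds the JSON that parse_json() reads.
def submission(account, stype, ctype, msg):  # one CloudAppEvents UserSubmission row
    return {"ActionType": "UserSubmission", "AccountObjectId": account, "RawEventData":
            json.dumps({"SubmissionType": stype, "SubmissionContentType": ctype, "ObjectId": msg})}

def verdict(msg, recipient, threat, action, policy):  # one EmailEvents row
    return {"NetworkMessageId": msg, "RecipientObjectId": recipient, "ThreatTypes": threat,
            "OrgLevelAction": action, "OrgLevelPolicy": policy}

CLOUD_APP_EVENTS = [
    submission("u-1", 1, "Mail", "nm-100"), submission("u-4", 1, "Mail", "nm-100"),
    submission("u-2", 0, "Mail", "nm-101"),
    submission("u-3", 1, "Url", "nm-102"),  # URL submission: not "Mail", dropped by the where clause
]
EMAIL_EVENTS = [  # policy names are constructed placeholders
    verdict("nm-100", "u-1", "Phish", "Allow", "ExamplePolicyA"),
    verdict("nm-100", "u-4", "Phish", "Allow", "ExamplePolicyA"),
    verdict("nm-101", "u-2", "Spam", "Allow", "ExamplePolicyB"),
    verdict("nm-103", "u-5", "Malware", "", ""),  # detected with no override, never submitted
]

def classify(submission_type, content_type):
    """Mirror of the nested iff(): "1" = reported as phish, "0" = reported as spam."""
    if content_type != "Mail":
        return "Other"
    return {"1": "User_Phish_FN", "0": "User_Spam_FN"}.get(submission_type, "Other")

def top_admin_overrides(cloud_app_events, email_events, limit=10):
    """Inner-join mail submissions to EmailEvents on NetworkMessageId + RecipientObjectId, keep rows
    MDO detected that an org-level policy acted on, then count per (action, policy, threat, type)."""
    verdicts = {}
    for ev in email_events:
        verdicts.setdefault((ev["NetworkMessageId"], ev["RecipientObjectId"]), []).append(ev)
    counts, seen = Counter(), set()
    for ev in (e for e in cloud_app_events if e["ActionType"] == "UserSubmission"):
        raw = json.loads(ev["RawEventData"])
        stype = str(raw.get("SubmissionType", ""))  # tostring(): numeric 1 becomes "1"
        ctype = str(raw.get("SubmissionContentType", ""))
        if ctype != "Mail" or stype not in ("1", "0"):
            continue
        key = (str(raw.get("ObjectId", "")), ev["AccountObjectId"])  # RecipientObjectId = AccountObjectId
        if key in seen:  # KQL join defaults to innerunique: one left row per key value
            continue
        seen.add(key)
        for m in verdicts.get(key, []):
            if m["ThreatTypes"] != "" and m["OrgLevelAction"] != "":
                counts[(m["OrgLevelAction"], m["OrgLevelPolicy"], m["ThreatTypes"], classify(stype, ctype))] += 1
    return counts.most_common(limit)  # like "top N by UserSubmissions desc"
```

If a tenant needs every submission counted, including repeat reports of the same message by the same recipient, the KQL needs `join kind=inner` rather than the default, which this emulation would mirror by removing the `seen` check.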
```yaml
id: a52e4273-cf3c-4125-b03d-41b99f64197f
name: User Email Submissions (FN) - Top Detection Overrides by Admins
description: |
  This query visualises emails submitted as false negatives by users where emails were already detected by MDO but there was an admin defined policy override
description-detailed: |
  This query visualises emails submitted as false negatives by users where emails were already detected by MDO but there was an admin defined (tenant-level) policy override
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  // Pull the submission fields out of the raw JSON payload; the submitting account is the recipient
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           RecipientObjectId = AccountObjectId
  // SubmissionType 1 = user reported phish, 0 = user reported spam
  | extend User_SubmissionType = iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
                                 iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
           NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
  | where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  // Keep only messages MDO detected where a tenant-level (org) policy acted on the verdict
  | where ThreatTypes != "" and OrgLevelAction != ""
  | summarize count() by OrgLevelAction, OrgLevelPolicy, ThreatTypes, User_SubmissionType
  | project OrgLevelAction, OrgLevelPolicy, ThreatTypes, User_SubmissionType, UserSubmissions = count_
  | top 10 by UserSubmissions desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Email Archival Job | A scheduled job runs daily to archive old user emails to a compliance storage system, which may trigger the rule due to email submissions. | Add a filter for `email_subject LIKE '%Archive%'` or `email_sender = '[email protected]'` to exclude archival jobs. |
| Admin-Defined Email Whitelist Policy | An admin manually overrides the detection rule for specific email domains or users to allow legitimate email submissions (e.g., for internal communication tools like Microsoft Teams or Slack). | Exclude emails from domains listed in the `allowed_email_domains` admin policy or filter by `user_email IN (allowed_users)`. |
| Automated Email Reporting Tool | A tool like Splunk or ELK Stack is configured to send automated reports via email, which may be flagged as false negatives. | Filter out emails sent from the reporting tool's email address (e.g., [email protected]) or use a regex to match report subject lines. |
| User-Submitted Email for Support Ticketing | Users submit emails to a support team via a ticketing system (e.g., Zendesk or ServiceNow), which may be misclassified as false negatives. | Exclude emails sent to support email addresses (e.g., [email protected]) or filter by `email_to = '[email protected]'`. |
| Email Notifications from Security Tools | Security tools like CrowdStrike or SentinelOne may send email notifications to administrators, which could be flagged by the rule. | Exclude emails from known security tool email |