Mailbox-level policy overrides, for example a recipient's Safe Senders list, can cause a message that Microsoft Defender for Office 365 (MDO) had already detected as a threat to be delivered anyway; the recipient then reports it as a missed phish or spam. Adversaries benefit from these overrides, so SOC teams should hunt for the pattern in Azure Sentinel: user-reported false negatives that MDO had flagged but a user-level policy let through, grouped by the override that let them in, so the offending mailbox settings can be found and cleaned up.
KQL Query

```kql
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         RecipientObjectId = AccountObjectId
| extend User_SubmissionType =
    iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
    iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
    NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where ThreatTypes != "" and UserLevelAction != ""
| summarize count() by UserLevelAction, UserLevelPolicy, ThreatTypes, User_SubmissionType
| project UserLevelAction, UserLevelPolicy, ThreatTypes, User_SubmissionType, UserSubmissions = count_
| top 10 by UserSubmissions desc
```
```yaml
id: 764c0e82-33af-4694-a552-b2de24d1d477
name: User Email Submissions (FN) - Top Detection Overrides by Users
description: |
  This query visualises emails submitted as false negatives by users where the emails were already detected by MDO but a policy override let them through.
description-detailed: |
  This query visualises emails submitted as false negatives by users where the emails were already detected by MDO but a policy override configured by the end user (mailbox-level) let them through.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           RecipientObjectId = AccountObjectId
  | extend User_SubmissionType =
      iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
      iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
      NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
  | where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where ThreatTypes != "" and UserLevelAction != ""
  | summarize count() by UserLevelAction, UserLevelPolicy, ThreatTypes, User_SubmissionType
  | project UserLevelAction, UserLevelPolicy, ThreatTypes, User_SubmissionType, UserSubmissions = count_
  | top 10 by UserSubmissions desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Backup Job
Description: Mail copied into a backup or archive mailbox does not by itself produce UserSubmission events; the query only counts messages a user reported. If reports coming from such a mailbox are noise, exclude that recipient after the join and before the summarize.
Filter/Exclusion: Exclude the backup mailbox by recipient address (the original example address is not recoverable here; substitute your own) using a filter like:
| where RecipientEmailAddress != "<backup-mailbox-address>"
Scenario: Admin User Submitting Emails for Review
Description: Submissions made through the admin submissions portal are not UserSubmission events and are already out of scope. An administrator who reports messages from their own mailbox on behalf of other users does generate UserSubmission events; those are attributed to the reporting mailbox, so exclude it by recipient rather than by sender.
Filter/Exclusion: Exclude the admin's reporting mailbox (substitute your own address) using a filter like:
| where RecipientEmailAddress != "<admin-mailbox-address>"
Scenario: Automated Email Reporting Tool
Description: Reports generated by a monitoring or log-analysis tool can be classified by MDO as spam or phish and still be delivered because the recipient added the sender to a safe list; a user who then reports one lands in this query. If the sender is sanctioned, exclude it by sender. Keep such exclusions narrow: SenderFromAddress is taken from the message's From header and can be spoofed.
Filter/Exclusion: Exclude the reporting tool's sender address (substitute your own) using a filter like:
| where SenderFromAddress != "<reporting-tool-address>"
Scenario: User Submitting a Legitimate Phishing Email for Analysis
Description: A real phish that MDO detected, a mailbox-level override delivered, and the user then reported is exactly what this query is meant to surface, so do not exclude it wholesale. Only exclude known test or exercise messages that carry a fixed subject line.
Filter/Exclusion: Exclude messages with that specific subject line (e.g., Phishing Analysis Request) using a filter like:
| where Subject != "Phishing Analysis Request"
Scenario: Email Submission via SIEM Integration
Description: A Security Information and Event Management (SIEM) tool like QRadar or IBM
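The drill-down query below is an added example, not part of the Sentinel solution content above. It turns the aggregated override counts into the individual messages an analyst would act on, and keeps the tuning exclusions from the scenarios above in `let` lists so they live in one place. Column names are those of the CloudAppEvents and EmailEvents tables delivered by the Microsoft 365 Defender connector; the list contents are placeholders to replace with your own addresses and subjects, and the 30-day lookback is an assumed value.

```kql
// Tuning lists: placeholder values, replace with your own (assumptions, not from the original query)
let ExcludedRecipients = dynamic(["<backup-mailbox-address>", "<admin-mailbox-address>"]);
let ExcludedSenders    = dynamic(["<reporting-tool-address>"]);
let ExcludedSubjects   = dynamic(["Phishing Analysis Request"]);
let Lookback = 30d;
CloudAppEvents
| where Timestamp > ago(Lookback)
| where ActionType == "UserSubmission"
// Parse the raw payload once instead of once per field
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         NetworkMessageId = tostring(Raw.ObjectId),   // ObjectId of a mail submission is the NetworkMessageId
         RecipientObjectId = AccountObjectId,          // the reporting user is the recipient
         SubmittedAt = Timestamp
// Same scope as the hunting query: mail reported as phish (1) or spam (0)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| extend User_SubmissionType = iff(SubmissionType == "1", "User_Phish_FN", "User_Spam_FN")
// Only messages MDO had already classified and that a mailbox-level policy acted on
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where isnotempty(ThreatTypes) and isnotempty(UserLevelAction)
  ) on NetworkMessageId, RecipientObjectId
// Tuning exclusions applied after the join, where the EmailEvents columns are available
| where RecipientEmailAddress !in~ (ExcludedRecipients)
    and SenderFromAddress !in~ (ExcludedSenders)
    and Subject !in (ExcludedSubjects)
// One row per reported message; Timestamp1 is the EmailEvents (delivery-side) timestamp after the join
| project SubmittedAt, DeliveredAt = Timestamp1, User_SubmissionType, ThreatTypes,
          UserLevelAction, UserLevelPolicy, DeliveryAction, DeliveryLocation,
          RecipientEmailAddress, SenderFromAddress, Subject, NetworkMessageId
| order by SubmittedAt desc
```

UserLevelPolicy identifies the mailbox setting that produced the override, so each row points at the specific recipient whose junk-mail configuration needs attention; DeliveryAction and DeliveryLocation show whether the message actually reached the inbox. The sender exclusion uses the From header (SenderFromAddress), which an attacker controls, so keep that list short and prefer excluding by recipient or exact subject where possible.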