Adversaries may use compromised user accounts to submit malicious emails as false negatives, leveraging insider access to bypass email filtering. SOC teams should proactively hunt for this behavior to identify potential insider threats and prevent email-based attacks in their Azure Sentinel environment.
KQL Query

```kusto
let TotalInboundbySender = EmailEvents
    | where EmailDirection == "Inbound"
    | summarize count() by SenderFromAddress;
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
         SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
         P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain),
         RecipientObjectId = AccountObjectId,
         NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where EmailDirection == "Inbound"
| summarize UserSubmissions = count() by SenderFromAddress
| join TotalInboundbySender on SenderFromAddress
| extend UserSubmissions_Percentage = todouble(round(UserSubmissions / todouble(count_) * 100, 2))
| project SenderFromAddress, UserSubmissions, TotalInboundEmail = count_, UserSubmissions_Percentage
| top 10 by UserSubmissions desc
```
```yaml
id: 4e8ea1c2-723d-4f72-bac6-82c464b6731e
name: User Email Submissions (FN) - Top Inbound P2 Senders
description: |
  This query visualises top sender email addresses of inbound emails submitted as false negatives by users.
description-detailed: |
  This query visualises top sender email addresses of inbound emails submitted as false negatives by users.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TotalInboundbySender = EmailEvents
      | where EmailDirection == "Inbound"
      | summarize count() by SenderFromAddress;
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring(parse_json(RawEventData).SubmissionType),
           SubmissionContentType = tostring(parse_json(RawEventData).SubmissionContentType),
           P2SenderDomain = tostring(parse_json(RawEventData).P2SenderDomain),
           RecipientObjectId = AccountObjectId,
           NetworkMessageId = tostring(parse_json(RawEventData).ObjectId)
  | where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where EmailDirection == "Inbound"
  | summarize UserSubmissions = count() by SenderFromAddress
  | join TotalInboundbySender on SenderFromAddress
  | extend UserSubmissions_Percentage = todouble(round(UserSubmissions / todouble(count_) * 100, 2))
  | project SenderFromAddress, UserSubmissions, TotalInboundEmail = count_, UserSubmissions_Percentage
  | top 10 by UserSubmissions desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Automated Email Submission by Security Tools
Description: A security tool like Microsoft Defender for Office 365 or CrowdStrike Falcon automatically submits emails for analysis, which are then flagged as false negatives.
Filter/Exclusion: Exclude emails from known security tool domains (e.g., security.microsoft.com, crowdstrike.com) or use a custom field to identify automated submissions.
Scenario: Scheduled Job Email Notifications
Description: A scheduled job (e.g., Ansible playbook, PowerShell script, or AWS Lambda) sends email notifications to administrators, which are mistakenly flagged as false negatives.
Filter/Exclusion: Exclude emails sent from system accounts (e.g., [email protected], [email protected]) or filter by source IP associated with the job runner.
Scenario: User-Submitted Emails for Phishing Analysis
Description: Users submit suspicious emails to the Microsoft 365 Safe Links or Google Safe Browsing reporting feature, which are then processed as false negatives.
Filter/Exclusion: Exclude emails with a custom header like X-Reported-By: User or use a tag such as X-Phishing-Report to identify legitimate submissions.
Scenario: Email Alerts from SIEM Tools
Description: A SIEM tool like Splunk or IBM QRadar sends email alerts to the SOC team, which are mistakenly captured as inbound submissions.
Filter/Exclusion: Exclude emails from SIEM tool domains (e.g., splunk.com, ibm.com) or use a source IP filter based on the SIEM server’s IP address.
Scenario: Email Submission via MFA Verification
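As an added example (not the original query or the Defender for Office 365 solution's code), the same false-negative submission ratio with the exclusions from the scenarios above applied as allow-lists, a minimum inbound volume so that a sender with two emails and one report does not top the list, and a count of distinct reporting users to separate one user mass-submitting from many users reporting the same sender. The allow-listed addresses and domains, the `MinInboundEmails` threshold and the `Reporters` column are assumptions.

```kusto
// Assumed allow-lists: system senders and security-tool / SIEM domains
// from the false-positive scenarios. Tune these to your own environment.
let ExcludedSenders = dynamic(["noreply@contoso.example", "alerts@siem.contoso.example"]);
let ExcludedSenderDomains = dynamic(["security.microsoft.com", "splunk.com"]);
let MinInboundEmails = 20;  // assumed threshold: ignore very low-volume senders
let TotalInboundbySender = EmailEvents
    | where EmailDirection == "Inbound"
    | summarize TotalInboundEmail = count() by SenderFromAddress;
CloudAppEvents
| where ActionType == "UserSubmission"
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         RecipientObjectId = AccountObjectId,
         NetworkMessageId = tostring(Raw.ObjectId)
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| join kind=inner EmailEvents on NetworkMessageId, RecipientObjectId
| where EmailDirection == "Inbound"
// Drop the known-benign automated senders before counting
| where SenderFromAddress !in (ExcludedSenders)
| where SenderFromDomain !in (ExcludedSenderDomains)
| summarize UserSubmissions = count(),
            Reporters = dcount(RecipientObjectId)   // distinct users who reported this sender
            by SenderFromAddress
| join kind=inner TotalInboundbySender on SenderFromAddress
| where TotalInboundEmail >= MinInboundEmails
| extend UserSubmissions_Percentage = round(100.0 * UserSubmissions / TotalInboundEmail, 2)
| project SenderFromAddress, UserSubmissions, Reporters, TotalInboundEmail, UserSubmissions_Percentage
| top 10 by UserSubmissions_Percentage desc
```

Ranking by percentage rather than raw count surfaces senders whose mail is reported disproportionately often; a high `UserSubmissions` with `Reporters == 1` is worth a look at the submitting account itself.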