Adversaries may use intra-org email communication to exfiltrate data or establish command and control channels by submitting false negative reports. SOC teams should proactively hunt for this behavior to identify potential data leakage or malicious activity disguised as legitimate user feedback.
KQL Query

```kql
CloudAppEvents
| where ActionType == "UserSubmission"
| extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),
         SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType),
         RecipientObjectId = AccountObjectId
| extend User_SubmissionType =
    iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
    iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
         NetworkMessageId = tostring((parse_json(RawEventData).ObjectId))
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| join EmailEvents on NetworkMessageId, RecipientObjectId
| where EmailDirection == "Intra-org"
| summarize count() by Subject
| project Subject, UserSubmissions = count_
| top 10 by UserSubmissions desc
```
```yaml
id: 02949291-cc6c-48ff-bc99-bb3736a3c967
name: User Email Submissions (FN) - Top Intra-Org Subjects
description: |
  This query visualises the top 10 subjects of intra-org emails submitted as false negatives by users.
description-detailed: |
  This query visualises the top 10 subjects of intra-org emails submitted as false negatives by users.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where ActionType == "UserSubmission"
  | extend SubmissionType = tostring((parse_json(RawEventData)).SubmissionType),
           SubmissionContentType = tostring((parse_json(RawEventData)).SubmissionContentType),
           RecipientObjectId = AccountObjectId
  | extend User_SubmissionType =
      iff(SubmissionType == "1" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Phish_FN",
      iff(SubmissionType == "0" and ActionType == "UserSubmission" and SubmissionContentType == "Mail", "User_Spam_FN", "Other")),
           NetworkMessageId = tostring((parse_json(RawEventData).ObjectId))
  | where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
  | join EmailEvents on NetworkMessageId, RecipientObjectId
  | where EmailDirection == "Intra-org"
  | summarize count() by Subject
  | project Subject, UserSubmissions = count_
  | top 10 by UserSubmissions desc
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ensure this data connector is enabled |
| EmailEvents | Ensure this data connector is enabled |
Scenario: Systematic email archiving or compliance export job
Filter/Exclusion: Exclude emails sent by the archiving tool (e.g., Microsoft Exchange Archiving, Symantec Enterprise Vault) or filter by sender email address associated with the archiving process.
Scenario: Scheduled report generation via email (e.g., Splunk, Grafana, or custom scripts)
Filter/Exclusion: Exclude emails sent to predefined report distribution lists or filter by sender email address used for scheduled reports (e.g., [email protected]).
Scenario: User-generated email templates or bulk email campaigns (e.g., using Mailchimp, HubSpot, or internal marketing tools)
Filter/Exclusion: Exclude emails sent from known marketing or template email addresses, or filter by sender domain associated with marketing tools.
Scenario: Internal collaboration tools syncing email data (e.g., Microsoft Teams, Slack, or internal chat-to-email integrations)
Filter/Exclusion: Exclude emails sent from internal collaboration tool service accounts or filter by sender email addresses used by these integrations (e.g., [email protected]).
Scenario: Automated system-generated emails (e.g., from IT service management tools like ServiceNow or Jira)
Filter/Exclusion: Exclude emails sent from system service accounts or filter by sender email addresses associated with ITSM tools (e.g., [email protected]).
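As an added example (not part of the original query or the Defender for Office 365 Sentinel solution), the same hunt with the exclusions from the scenarios above applied and sender context surfaced so a subject can be triaged without a second query; the addresses and domain in the exclusion lists are placeholders to be replaced with your own service accounts, and the 30-day lookback is an assumption.

```kql
// Added example: the intra-org false-negative hunt with benign-sender exclusions
// and sender context in the output. Exclusion values below are placeholders.
let lookback = 30d;
// Placeholder service accounts: archiving job, scheduled reports, ITSM, collaboration tooling.
let excludedSenders = dynamic([
    "archiving@example.com",      // mail archiving / compliance export job
    "reports@example.com",        // scheduled report generation
    "servicenow@example.com",     // ITSM notifications
    "teams-noreply@example.com"   // collaboration tool integration
]);
// Placeholder sender domain used by marketing / template tooling.
let excludedSenderDomains = dynamic(["mail.marketing-tool.example"]);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "UserSubmission"
| extend Raw = parse_json(RawEventData)
| extend SubmissionType = tostring(Raw.SubmissionType),
         SubmissionContentType = tostring(Raw.SubmissionContentType),
         NetworkMessageId = tostring(Raw.ObjectId),
         RecipientObjectId = AccountObjectId
// Keep only user-reported mail false negatives (1 = phish, 0 = spam).
| where SubmissionContentType == "Mail" and SubmissionType in ("1", "0")
| extend User_SubmissionType = iff(SubmissionType == "1", "User_Phish_FN", "User_Spam_FN")
// Pull sender details for the submitted message from EmailEvents, intra-org only.
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Intra-org"
    | project NetworkMessageId, RecipientObjectId, Subject, SenderFromAddress, SenderFromDomain
  ) on NetworkMessageId, RecipientObjectId
// Apply the benign-scenario exclusions (archiving, reports, marketing, ITSM, chat integrations).
| where SenderFromAddress !in~ (excludedSenders)
| where SenderFromDomain !in~ (excludedSenderDomains)
// Per-subject rollup: volume, how many distinct users reported it, phish vs spam split,
// and up to five sender addresses so an analyst can spot a single abused mailbox.
| summarize UserSubmissions = count(),
            DistinctSubmitters = dcount(RecipientObjectId),
            PhishReports = countif(User_SubmissionType == "User_Phish_FN"),
            SpamReports = countif(User_SubmissionType == "User_Spam_FN"),
            Senders = make_set(SenderFromAddress, 5)
          by Subject
| top 10 by UserSubmissions desc
```

A subject with many submissions but a single distinct sender and few distinct submitters is usually a missed automation source to add to the exclusion list, whereas many submitters across several senders is the pattern worth investigating.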