Attackers who cannot spoof a protected mailbox often fall back to display name spoofing: an inbound message carries the display name of a real employee while the actual sender address belongs to the attacker. Defender for Office 365 only raises the "Impersonation User" verdict for users explicitly listed under user impersonation protection in an anti-phishing policy, so employees outside that list have no coverage. This hunt joins threat-flagged inbound email against the display names in IdentityInfo to surface those uncovered users in Microsoft Sentinel, so the protected-user list can be extended before the spoofed identity is used for credential theft, payment fraud or follow-on compromise.
KQL Query

```kusto
// Display names of known identities, renamed so lookup can join on the email column
let display_names =
    IdentityInfo
    | summarize by AccountDisplayName
    | project-rename SenderDisplayName = AccountDisplayName;
EmailEvents
| where EmailDirection == "Inbound"
// Only mail that Defender already flagged with some threat verdict
| where ThreatNames != ""
// ...but not with the user impersonation verdict, i.e. the user is not on the protected list
| where ThreatNames !contains "Impersonation User"
// Keep messages whose sender display name matches an internal identity
| lookup kind=inner (display_names) on SenderDisplayName
| where SenderDisplayName != ""
| summarize by SenderDisplayName
```
```yaml
id: e90345b3-439c-44e1-a85d-8ae84ad9c65b
name: User not covered under display name impersonation
description: |
  This query finds threats using display name impersonation against users not already protected by User Impersonation
description-detailed: |
  This query finds threats using display name impersonation against users not already protected by User Impersonation
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - IdentityInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let display_names =
      IdentityInfo
      | summarize by AccountDisplayName
      | project-rename SenderDisplayName = AccountDisplayName;
  EmailEvents
  | where EmailDirection == "Inbound"
  | where ThreatNames != ""
  | where ThreatNames !contains "Impersonation User"
  | lookup kind=inner (display_names) on SenderDisplayName
  | where SenderDisplayName != ""
  | summarize by SenderDisplayName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) connector; the query depends on the EmailDirection, ThreatNames and SenderDisplayName columns |
| IdentityInfo | Must contain the tenant's user identities with AccountDisplayName filled in; without it the inner lookup returns nothing |
Scenario: An employee sends to colleagues from a personal mailbox (consumer webmail) with the corporate display name set, and the message picks up a spam or phish verdict. The display name matches IdentityInfo but the user is not on the protected list.
Filter/Exclusion: Confirm the address is really the user's before suppressing anything, then keep a watchlist of approved alternate addresses and exclude them on SenderFromAddress.
Scenario: An external contact at a partner or vendor genuinely shares a name with an internal user, and the message was flagged for an unrelated reason such as a bulk or spam verdict.
Filter/Exclusion: Exclude known partner domains on SenderFromDomain, or narrow the hunt to rows where ThreatTypes contains "Phish" so spam-only verdicts drop out.
Scenario: A SaaS platform (e-signature, survey, CRM or marketing tool) sends on behalf of an internal user with that user's display name, and the mail is flagged because of its bulk characteristics.
Filter/Exclusion: Exclude the platform's envelope domain on SenderMailFromDomain after checking that AuthenticationDetails shows the message passed DMARC for that platform.
Scenario: Mail that originated from the user's own corporate mailbox arrives with EmailDirection set to Inbound because it was routed through a third-party relay, a hybrid connector or a mailbox forwarding rule.
Filter/Exclusion: Join IdentityInfo and drop rows where SenderFromAddress equals the user's MailAddress or AccountUPN, or where Connectors names the trusted inbound connector.
Scenario: IdentityInfo contains guest users, disabled accounts or generic display names (Helpdesk, IT Support, Administrator) that external senders also use, which inflates the match set.
Filter/Exclusion: Restrict the IdentityInfo subquery to UserType == "Member" and IsAccountEnabled == true, and exclude a short watchlist of generic display names before the lookup.
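The following is an added triage variant of the hunt that applies the exclusions above and adds the columns an analyst needs to decide which users to add to the protected list. It is not the query shipped in the repository. It assumes the Microsoft Defender XDR connector schema for EmailEvents and the Sentinel IdentityInfo schema (UserType, IsAccountEnabled, AccountUPN, MailAddress); the partner domain list and the generic display name list are placeholders to replace with tenant values.

```kusto
// Added triage variant of the hunt (not the original repository query).
// Assumes the Microsoft Defender XDR connector schema for EmailEvents and the
// Microsoft Sentinel IdentityInfo schema. The two dynamic lists are placeholders.
let lookback = 7d;
let allowed_partner_domains = dynamic(["partner.example"]);       // placeholder, per tenant
let generic_display_names = dynamic(["Helpdesk", "IT Support"]);  // placeholder, per tenant
let internal_users =
    IdentityInfo
    | where isnotempty(AccountDisplayName)
    // Guests carry external people's names; disabled accounts cannot be the real sender
    | where UserType == "Member" and IsAccountEnabled == true
    // One row per identity: the most recent snapshot
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project SenderDisplayName = AccountDisplayName,
              InternalUPN = tolower(AccountUPN),
              InternalMailAddress = tolower(MailAddress);
EmailEvents
| where TimeGenerated > ago(lookback)
| where EmailDirection == "Inbound"
| where isnotempty(ThreatNames)
// Already-protected users produce the "Impersonation User" verdict; we want the rest
| where ThreatNames !contains "Impersonation User"
| where isnotempty(SenderDisplayName)
| where SenderDisplayName !in (generic_display_names)
| lookup kind=inner (internal_users) on SenderDisplayName
// Mail the user genuinely sent from their own corporate address (relay, hybrid
// connector, forwarding) is not display-name spoofing; keep mismatched senders only
| where tolower(SenderFromAddress) != InternalMailAddress
    and tolower(SenderFromAddress) != InternalUPN
| where SenderFromDomain !in (allowed_partner_domains)
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            SenderAddresses = make_set(SenderFromAddress, 20),
            EnvelopeDomains = make_set(SenderMailFromDomain, 20),
            ThreatTypesSeen = make_set(ThreatTypes, 10),
            Delivered = countif(DeliveryAction == "Delivered"),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SenderDisplayName, InternalUPN
// Spoofed names that actually reached a mailbox are the most urgent to protect
| order by Delivered desc, Messages desc
```

Rows with a non-zero Delivered count are the priority: those are employees whose name is already being abused and whose messages got through. The usual fix is to add the InternalUPN values to the user impersonation list of the anti-phishing policy (each policy accepts up to 350 protected users), after which subsequent hits for that user switch to the "Impersonation User" verdict and leave this hunt. Because the lookup is many-to-many on display name, two internal users sharing a name both appear, one row each, keyed by InternalUPN.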