User-reported submissions (messages that users flag with the Report Message or Report Phishing button in Outlook) frequently surface phishing or other malicious email that has already passed through the tenant's filtering, so they are a direct signal of threats that evaded standard email security controls. SOC teams should proactively hunt on these submissions in Microsoft Sentinel (formerly Azure Sentinel) to identify and mitigate such threats, rather than relying on the user report alone.
KQL Query
CloudAppEvents
| where Timestamp > ago(30d)
| extend Record = toint(parse_json(RawEventData).RecordType)
| extend SubmissionState = tostring(parse_json(RawEventData).SubmissionState)
| where Record == 29                        // RecordType 29 = MailSubmission (Defender for Office 365 submission events)
| where ActionType == "UserSubmission"      // user-reported messages only, as opposed to admin submissions
id: 0bd33643-c517-48b1-8211-25a7fbd15a50
name: User reported submissions
description: |
  This query helps review user-reported email submissions
description-detailed: |
  This query helps review user-reported email submissions (the UserSubmission action type of the MailSubmission record type) in Microsoft Defender for Office 365
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  CloudAppEvents
  | where Timestamp > ago(30d)
  | extend Record = toint(parse_json(RawEventData).RecordType)
  | extend SubmissionState = tostring(parse_json(RawEventData).SubmissionState)
  | where Record == 29                        // RecordType 29 = MailSubmission (Defender for Office 365 submission events)
  | where ActionType == "UserSubmission"      // user-reported messages only, as opposed to admin submissions
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) data connector; ensure the connector is enabled and the CloudAppEvents table is selected for ingestion |
False positive scenarios and suggested exclusions

The query already keeps only ActionType == "UserSubmission", so admin and automated submissions are normally filtered out by the base query; the exclusions below cover activity that still surfaces under a user identity.

- Scenario: A system administrator is using the Microsoft 365 Compliance Center to review user-reported phishing emails as part of a security training exercise.
  Filter/Exclusion: Exclude submissions from accounts that hold the "Security Administrator" role, or submissions made within the exercise's time window.
- Scenario: A scheduled job in Microsoft Exchange Online is configured to submit emails for review automatically based on specific content filters (e.g., "urgent" or "confidential" keywords).
  Filter/Exclusion: Exclude submissions made by the scheduled job, identified by its job name or by its source IP address (the IPAddress column).
- Scenario: A third-party security tool (e.g., Cisco SecureX or CrowdStrike Falcon) is configured to submit suspicious emails to the organization's email security gateway for analysis.
  Filter/Exclusion: Exclude submissions originating from the tool's IP address or hostname. Matching on a custom header the tool adds (such as an X-ThirdParty-Submission header) is only possible where the message headers are available; they are not exposed as a CloudAppEvents column, whereas IPAddress is present on every row.
- Scenario: A user is testing the Microsoft Defender for Office 365 reporting feature by submitting a sample email with the "Report Phishing" button.
  Filter/Exclusion: Exclude submissions from a known set of test accounts or from an email domain reserved for testing.
- Scenario: A data loss prevention (DLP) policy in Microsoft Purview is configured to submit emails for review when sensitive data is detected.
  Filter/Exclusion: Exclude submissions where the email was flagged by a DLP policy, identified by the DLP tag or policy name associated with it.
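The following query is an added example and not part of the original hunting query: it takes the base hunt above, applies the exclusions from the false-positive list (test domain, automation source IPs, exercise window), and summarises what remains per reporting user so that repeat reporters and submission states are visible at a glance. The placeholder values (the test domain, the two RFC 5737 addresses, the exercise window) are assumptions to be replaced with tenant-specific values; it also assumes that AccountId holds the reporter's UPN, so the domain can be split out of it, and otherwise uses only CloudAppEvents columns (Timestamp, ActionType, AccountId, AccountDisplayName, AccountObjectId, IPAddress, RawEventData).

```kusto
// Added example: base hunt plus the exclusions from the false-positive list,
// summarised per reporting user. The let-bound values are placeholder assumptions.
let lookback = 30d;
let test_domains = dynamic(["phishtest.contoso.com"]);           // assumed domain reserved for test accounts
let automation_ips = dynamic(["203.0.113.10", "203.0.113.11"]);  // assumed egress IPs of a third-party submission tool
let exercise_start = datetime(2024-01-15T08:00:00Z);             // assumed training-exercise window
let exercise_end   = datetime(2024-01-15T18:00:00Z);
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "UserSubmission"                           // user-reported messages only
| extend Raw = parse_json(RawEventData)
| extend RecordType = toint(Raw.RecordType),
         SubmissionState = tostring(Raw.SubmissionState)
| where RecordType == 29                                         // 29 = MailSubmission
// assumption: AccountId carries the reporter's UPN, so the part after '@' is the domain
| extend ReporterDomain = tolower(tostring(split(AccountId, "@")[1]))
// exclusions for the known benign sources
| where ReporterDomain !in (test_domains)                        // test/training accounts
| where IPAddress !in (automation_ips)                           // automated submitters
| where Timestamp !between (exercise_start .. exercise_end)      // reports made during the exercise
| summarize Submissions = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            States = make_set(SubmissionState),
            SourceIPs = make_set(IPAddress)
    by AccountDisplayName, AccountObjectId, ReporterDomain
| order by Submissions desc
```

Keep the exclusion lists narrow: a single egress IP or a dedicated test domain excludes exactly the known source, whereas excluding every account that reported recently would suppress the genuine reports the hunt exists to find. The States set is useful for triage because a submission that is still pending has not yet received a rescan verdict, so it should be reviewed rather than assumed benign.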