The Fake Replies hunting query detects spoofed inbound emails that mimic legitimate replies (a subject starting with "RE:"), carry suspicious keywords in the subject and link to a Google Docs document, indicating potential phishing attempts. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate early-stage phishing campaigns that could compromise user credentials and data.
KQL Query

```kql
// Subject fragments to look for. Note: has_any matches whole terms, so a fragment such as
// 'onus' only matches where it appears as a standalone term, not inside "Bonus".
let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill');
EmailEvents
| where EmailDirection == "Inbound"
| where Subject startswith "RE:"
| where Subject has_any(SubjectTerms)
// Join the URL table on the message id to pick up links extracted from the email body
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
| where Url startswith "https://docs.google.com/document/"
```
```yaml
id: 8c4da386-7a95-4927-b24c-a13137294e0c
name: Fake Replies
description: |
  Use this query to find spoofed reply emails that contain certain keywords in the subject. The emails are also checked for a link to a document in Google Docs.
  These attacks have been observed leading to ransomware.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - Initial access
  - Ransomware
query: |
  // Note: has_any matches whole terms, so a fragment such as 'onus' only matches where it
  // appears as a standalone term, not inside "Bonus".
  let SubjectTerms = pack_array('onus','equired','all','urvey','eb', 'eport','you','nation','me','itting','book','ocument','ill');
  EmailEvents
  | where EmailDirection == "Inbound"
  | where Subject startswith "RE:"
  | where Subject has_any(SubjectTerms)
  | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
  | where Url startswith "https://docs.google.com/document/"
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Scheduled Google Docs Export Job
Description: A legitimate scheduled job runs nightly to export data from Google Sheets to Google Docs for reporting purposes. The exported document includes a link in the email subject line.
Filter/Exclusion: Exclude emails where the sender is a known internal service account (e.g., [email protected]) or where the email is sent from a system user account used for automation (e.g., [email protected]).
Scenario: Internal Collaboration via Google Docs
Description: An internal team collaborates on a shared Google Doc. The document is shared with multiple users, and the email notification includes a link to the document in the subject line.
Filter/Exclusion: Exclude emails where the sender is a team manager or admin (e.g., [email protected]) or where the recipient list includes multiple internal users with known collaboration roles.
Scenario: Automated Email Notification from Google Workspace Admin Console
Description: The Google Workspace admin console sends an automated email notification about a document activity (e.g., a file was edited or shared). The email subject line includes a link to the Google Docs file.
Filter/Exclusion: Exclude emails where the sender is a known admin email address (e.g., [email protected]) or where the email is sent from the [email protected] alias.
Scenario: System-generated Email for Document Sharing
Description: A user shares a document with a group, and the system automatically sends an email notification to all recipients. The email subject line includes a link to the Google Docs file.
Filter/Exclusion: Exclude emails where the sender is the user’s email address and the recipient list includes multiple internal users, or where the email is sent from a system-generated alias (e.g., [email protected]).
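Added example, not part of the Sentinel query or its repository: a Python re-implementation of the hunt above run over constructed EmailEvents/EmailUrlInfo rows, with a has_any-style whole-term matcher beside a substring matcher to show how the truncated SubjectTerms behave under each, plus an optional sender allowlist for the exclusions described in the scenarios. Column names follow the Defender email schema; the message ids, subjects and addresses are made up.

```python
import re
SUBJECT_TERMS = ['onus', 'equired', 'all', 'urvey', 'eb', 'eport', 'you',
                 'nation', 'me', 'itting', 'book', 'ocument', 'ill']
DOC_PREFIX = "https://docs.google.com/document/"

def row(mid, direction, subject, sender):  # one EmailEvents record (only the columns the hunt uses)
    return {"NetworkMessageId": mid, "EmailDirection": direction,
            "Subject": subject, "SenderFromAddress": sender}
# Constructed sample data, not real telemetry; example.* are reserved documentation domains.
EMAIL_EVENTS = [
    row("m1", "Inbound", "RE: Bonus Document", "director@example.org"),
    row("m2", "Inbound", "RE: Can you review this?", "partner@example.org"),
    row("m3", "Inbound", "re: Report for you", "payroll@example.net"),
    row("m4", "Outbound", "RE: Thank you", "user@example.net"),
    row("m5", "Inbound", "RE: Thank you", "vendor@example.com"),
]
EMAIL_URL_INFO = [  # joined to EmailEvents on NetworkMessageId
    {"NetworkMessageId": "m1", "Url": DOC_PREFIX + "d/abc123/edit"},
    {"NetworkMessageId": "m2", "Url": DOC_PREFIX + "d/def456/edit"},
    {"NetworkMessageId": "m3", "Url": DOC_PREFIX + "d/ghi789/edit"},
    {"NetworkMessageId": "m4", "Url": DOC_PREFIX + "d/jkl012/edit"},
    {"NetworkMessageId": "m5", "Url": "https://docs.google.com/spreadsheets/d/x/edit"},
]

def has_any(text, terms):
    """KQL has_any semantics: case-insensitive match on whole alphanumeric terms."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return any(t.lower() in tokens for t in terms)

def contains_any(text, terms):
    """Case-insensitive substring match, which the truncated terms appear to intend."""
    return any(t.lower() in text.lower() for t in terms)

def fake_reply_hits(events, url_info, matcher=has_any, allowlist=()):
    """The hunt: inbound, 'RE:' subject, keyword, joined Google Docs link; allowlist = excluded senders."""
    urls = {}
    for u in url_info:
        urls.setdefault(u["NetworkMessageId"], []).append(u["Url"])
    allow = {a.lower() for a in allowlist}
    hits = []
    for e in events:  # KQL startswith is case-insensitive, so compare lower-cased
        if e["EmailDirection"] != "Inbound" or not e["Subject"].lower().startswith("re:"):
            continue
        if not matcher(e["Subject"], SUBJECT_TERMS) or e["SenderFromAddress"].lower() in allow:
            continue
        for url in urls.get(e["NetworkMessageId"], []):
            if url.lower().startswith(DOC_PREFIX):
                hits.append((e["NetworkMessageId"], e["SenderFromAddress"], url))
    return hits
```

With the whole-term matcher the "RE: Bonus Document" message is never returned, which is the behaviour to keep in mind when tuning the term list.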