Users receiving a high volume of phishing and malware emails compared to legitimate emails may indicate targeted compromise, as adversaries often use email as an initial entry vector, and proactive hunting can help identify and mitigate potential breaches before they escalate. SOC teams should actively hunt for this behavior in Azure Sentinel to detect early signs of credential theft, malware distribution, or lateral movement attempts.
KQL Query

```kusto
let UserToAnalyze="[email protected]";
EmailEvents
| where RecipientEmailAddress==UserToAnalyze
| project RecipientEmailAddress, ThreatTypes
| evaluate pivot(ThreatTypes)
| sort by RecipientEmailAddress asc
```
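The query above pivots one mailbox's ThreatTypes values into columns and leaves the "vs total amount of email" comparison to the reader. As an added example (not the page's query and not the Sentinel repository's), the KQL below generalises the hunt to every inbound recipient over a lookback window and computes the phish-plus-malware share of total mail as an explicit ratio, along with how many of those malicious messages were actually delivered to the mailbox. The lookback, minimum volume and ratio threshold are constructed tuning values; it assumes the standard EmailEvents schema (Timestamp, EmailDirection, ThreatTypes, DeliveryAction, SenderFromAddress, RecipientEmailAddress).

```kusto
// Added example (not the page's query): phish/malware share of inbound mail per recipient.
// Tuning values below are constructed placeholders; adjust to the tenant's mail volume.
let lookback = 7d;                    // hunting window
let minTotalEmails = 20;              // skip mailboxes with too little traffic to judge a ratio
let maliciousRatioThreshold = 0.25;   // flag when >= 25% of inbound mail is phish or malware
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
// ThreatTypes is a comma-separated string such as "Phish" or "Phish, Malware"; empty for clean mail
| extend IsPhish   = ThreatTypes has "Phish",
         IsMalware = ThreatTypes has "Malware"
| summarize TotalEmails        = count(),
            PhishEmails        = countif(IsPhish),
            MalwareEmails      = countif(IsMalware),
            MaliciousEmails    = countif(IsPhish or IsMalware),
            // malicious mail that reached the inbox despite detection is the highest-risk subset
            DeliveredMalicious = countif((IsPhish or IsMalware) and DeliveryAction == "Delivered"),
            DistinctMaliciousSenders = dcountif(SenderFromAddress, IsPhish or IsMalware),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
    by RecipientEmailAddress
| extend MaliciousRatio = round(todouble(MaliciousEmails) / TotalEmails, 3)
| where TotalEmails >= minTotalEmails and MaliciousRatio >= maliciousRatioThreshold
| project RecipientEmailAddress, TotalEmails, PhishEmails, MalwareEmails, MaliciousRatio,
          DeliveredMalicious, DistinctMaliciousSenders, FirstSeen, LastSeen
| sort by MaliciousRatio desc, DeliveredMalicious desc
```

Sorting on DeliveredMalicious after the ratio puts mailboxes where detections fired but mail still landed in the inbox at the top of the review list; a high ratio with many distinct malicious senders over a short FirstSeen/LastSeen span is the targeted-campaign shape the hunt is meant to surface.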
```yaml
id: 229ec9f6-05cc-483d-b3dc-35f47575a5aa
name: Phish and Malware received by user vs total amount of email
description: |
  How many phish and malware emails vs. good emails the user received in the given timeframe.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
query: |
  let UserToAnalyze="[email protected]";
  EmailEvents
  | where RecipientEmailAddress==UserToAnalyze
  | project RecipientEmailAddress, ThreatTypes
  | evaluate pivot(ThreatTypes)
  | sort by RecipientEmailAddress asc
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Updates via Email
Description: A system administrator sends out scheduled email notifications for software updates, which may include attachments or links that trigger the rule.
Filter/Exclusion: Exclude emails sent by the system admin account ([email protected]) or emails with subject lines containing “System Update” or “Patch Deployment”.
Scenario: Automated Report Distribution by SIEM Tool
Description: A SIEM tool like Splunk or IBM QRadar sends daily reports to the security team via email, which may include attachments or links.
Filter/Exclusion: Exclude emails from the SIEM tool’s email address (e.g., [email protected]) or filter by email headers indicating automated distribution.
Scenario: User-Initiated File Sharing via Email
Description: A user shares files with colleagues using email, which may include executable files or links that are flagged by the rule.
Filter/Exclusion: Exclude emails sent from users in the “IT” or “Engineering” departments, or filter by email body containing keywords like “file share” or “shared document”.
Scenario: Email Notifications from Cloud Backup Services
Description: Cloud backup services like Veeam or Commvault send email notifications with attachments or links related to backup jobs.
Filter/Exclusion: Exclude emails from the backup service’s email domain (e.g., [email protected]) or filter by email subject lines containing “Backup Status” or “Job Completed”.
Scenario: Internal Training Emails with Simulated Phishing
Description: Security teams send simulated phishing emails as part of training, which may be flagged by the rule.
Filter/Exclusion: Exclude emails sent from the security training email address (e.g., [email protected]) or filter by email headers indicating “training” or “simulated
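The exclusions listed in the scenarios above can be expressed as allowlists inside the hunt rather than applied by hand. The KQL below is an added example, not from the page or the Sentinel repository; every address, domain and subject keyword in it is a constructed placeholder to be replaced with the organisation's own values, and it uses only the sender and subject fields of EmailEvents (the header-based variants the scenarios mention are not shown). Each flagged message is tagged with the reason it would be excluded, and the excluded count stays visible per recipient, so an over-broad allowlist shows up as a large ExcludedByAllowlist figure instead of silently suppressing the hunt.

```kusto
// Added example (not the page's query): apply false-positive allowlists to flagged inbound mail.
// All addresses, domains and keywords below are constructed placeholders.
let lookback = 7d;
// scenario 1: system admin update notices; scenario 2: SIEM report sender;
// scenario 5: internal simulated-phishing sender
let excludedSenders = dynamic([
    "sysadmin@example.com",
    "siem-alerts@example.com",
    "phish-training@example.com"
]);
// scenario 4: cloud backup notification domain
let excludedSenderDomains = dynamic(["backup.example.com"]);
// scenarios 1 and 4: operational subject lines
let excludedSubjectKeywords = dynamic(["System Update", "Patch Deployment", "Backup Status", "Job Completed"]);
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| where isnotempty(ThreatTypes)          // only mail the detections flagged (Phish, Malware, Spam)
// first matching rule wins; empty string means "not excluded"
| extend ExclusionReason = case(
      SenderFromAddress in~ (excludedSenders),      "allowlisted sender address",
      SenderFromDomain in~ (excludedSenderDomains), "allowlisted sender domain",
      Subject has_any (excludedSubjectKeywords),    "operational subject keyword",
      "")
| summarize FlaggedTotal        = count(),
            ExcludedByAllowlist = countif(isnotempty(ExclusionReason)),
            RemainingForReview  = countif(isempty(ExclusionReason)),
            ExclusionReasons    = make_set_if(ExclusionReason, isnotempty(ExclusionReason)),
            // up to 10 senders that survived the allowlist, for quick triage
            RemainingSenders    = make_set_if(SenderFromAddress, isempty(ExclusionReason), 10)
    by RecipientEmailAddress
| where RemainingForReview > 0
| sort by RemainingForReview desc
```

Keeping ExcludedByAllowlist and ExclusionReasons in the output is the check that matters here: if a single recipient's flagged mail is almost entirely removed by one rule, that rule is worth re-examining before it is trusted, because an allowlist keyed on a subject keyword or a sender address is itself something an attacker can imitate.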