
Detect Spoofed Email Cases

Query

**Detection of spoofed Emails**

It has been a long journey to create a query that shows a high percentage of true positives regarding spoofed emails, but finally I am proud of the results achieved!
Basically, I check received emails whose DisplayName matches an Entra ID account DisplayName, and then apply multiple filters and conditions to obtain the most accurate true positive results.
```kql
EmailEvents
// Inner join: keep only emails whose sender display name exactly matches an Entra ID account display name.
// distinct on the right side avoids duplicated email rows when IdentityInfo holds several rows for one account.
| join kind=inner (IdentityInfo | distinct AccountDisplayName) on $left.SenderDisplayName == $right.AccountDisplayName
// Keep emails flagged as a threat, delivered to the Inbox folder and not sent from an owned email domain
// (replace "domain1.com" / "domain2.com" with your own domains)
| where isnotempty(ThreatTypes) and DeliveryLocation contains "Inbox" and SenderMailFromDomain !in ("domain1.com","domain2.com")
// Excluding OOF mails / auto-replies and blank display names also helps to reduce false positives
| where Subject !startswith "Automatic reply" and isnotempty(SenderDisplayName)
// The following lines check whether the recipient address contains the sender's surname, which can mean the user
// is forwarding emails to their personal mailbox. If DLP policies already prevent that, these lines can be removed.
| extend DNsplit = split(SenderDisplayName, " ")
| extend name = tostring(DNsplit[0])
| extend surname = tolower(tostring(DNsplit[1]))
// A single-word display name yields an empty surname; keep those rows instead of testing the recipient against ""
| where isempty(surname) or RecipientEmailAddress !contains surname
// If you run internal services such as SharePoint, exclude them and your internal network here
// (the "20.117.7" prefix is a placeholder). Narrow the SharePoint filter to your own tenant's domain
// if you also want to detect spoofing cases sent through other SharePoint services.
| where SenderFromDomain !contains "sharepoint" and SenderIPv4 !startswith "20.117.7"
| project SenderDisplayName, surname, AccountDisplayName, SenderMailFromAddress, RecipientEmailAddress, SenderFromAddress, Subject, SenderIPv4
```

Explanation

This query is designed to surface display-name spoofing with a high proportion of true positives. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts from EmailEvents and inner-joins IdentityInfo, matching the email's SenderDisplayName against AccountDisplayName. Only emails whose sender display name exactly matches a known account survive the join; the join comparison is case-sensitive, so display names with different casing or extra whitespace will not match.

  2. Initial Filters:

    • It keeps only emails flagged as a threat (ThreatTypes is not empty).
    • It keeps only emails delivered to the Inbox (DeliveryLocation contains "Inbox"), i.e. mail that actually reached the user rather than junk or quarantine.
    • It excludes emails whose MAIL FROM domain is one of the owned domains (the placeholders "domain1.com" and "domain2.com" must be replaced with the tenant's own domains).
  3. Reducing False Positives:

    • It filters out subjects starting with "Automatic reply" and emails with an empty sender display name.
  4. Recipient Check:

    • It splits the display name on spaces, takes the second token as the surname (lower-cased), and drops emails whose recipient address contains it; that pattern usually means a user is mailing or forwarding to their own personal mailbox. A single-word display name has no surname token and should not be excluded by this step. If data loss prevention (DLP) policies already prevent forwarding to personal accounts, this step can be removed.
  5. Excluding Internal Services:

    • It excludes senders whose From domain contains "sharepoint" and senders from the internal IP range (the "20.117.7" prefix is a placeholder to replace with your own) to avoid false positives from legitimate internal notifications.
  6. Output:

    • The query projects (selects) the fields needed for triage: the sender's display name, the extracted surname, the matched account display name, sender (MAIL FROM and From) and recipient email addresses, subject, and sender's IP address.

Overall, the query identifies potentially spoofed emails by applying a series of filters and checks so that the results are as accurate as possible. Every exclusion trades coverage for precision, so review the placeholders and exclusions against your own tenant before relying on the results.
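To test the filter pipeline offline before deploying it, the following Python block (an added example, not part of the original query or the author's code) mirrors each KQL step over constructed EmailEvents and IdentityInfo rows. The owned domains, the internal IP prefix, the names and addresses are all made-up placeholders; the block also guards the single-word display name case explicitly, since that produces an empty surname token.

```python
"""Python mirror of the KQL spoofed-email pipeline, run over constructed sample rows."""

OWNED_DOMAINS = {"domain1.com", "domain2.com"}   # placeholder owned domains (from the query)
INTERNAL_IP_PREFIX = "20.117.7"                    # placeholder internal range (from the query)


def ev(display, mail_from_domain, recipient, subject="Urgent wire transfer",
       threat="Phish", location="Inbox/folder", from_domain=None, ip="203.0.113.10"):
    """Build one constructed EmailEvents row (sample data, not real telemetry)."""
    p2_domain = from_domain or mail_from_domain
    local = display.lower().replace(" ", ".")
    return {
        "SenderDisplayName": display,
        "SenderMailFromDomain": mail_from_domain,        # P1 / envelope MAIL FROM domain
        "SenderFromDomain": p2_domain,                   # P2 / header From domain
        "SenderMailFromAddress": f"{local}@{mail_from_domain}",
        "SenderFromAddress": f"{local}@{p2_domain}",
        "RecipientEmailAddress": recipient,
        "Subject": subject,
        "ThreatTypes": threat,
        "DeliveryLocation": location,
        "SenderIPv4": ip,
    }


# Constructed IdentityInfo rows: the display names the tenant actually has.
IDENTITY_INFO = [{"AccountDisplayName": n} for n in ("Alice Martin", "Bob Jones", "Madonna")]

# Constructed EmailEvents rows, one per filter branch of the query.
EMAIL_EVENTS = [
    ev("Alice Martin", "gmail.com", "finance@domain1.com"),                        # spoof: kept
    ev("Alice Martin", "gmail.com", "finance@domain1.com", location="Quarantine"),  # not in Inbox
    ev("Alice Martin", "domain1.com", "finance@domain1.com"),                       # owned MAIL FROM domain
    ev("Alice Martin", "gmail.com", "finance@domain1.com", threat=""),              # not flagged as threat
    ev("Alice Martin", "gmail.com", "finance@domain1.com",
       subject="Automatic reply: out of office"),                                   # auto-reply
    ev("Bob Jones", "outlook.com", "bob.jones@domain1.com"),                        # recipient contains surname
    ev("Bob Jones", "sharepointonline.com", "team@domain1.com",
       from_domain="contoso.sharepoint.com"),                                       # SharePoint notification
    ev("Bob Jones", "gmail.com", "finance@domain1.com", ip="20.117.7.42"),          # internal source IP
    ev("Charlie Unknown", "gmail.com", "finance@domain1.com"),                      # no matching identity
    ev("Madonna", "yahoo.com", "helpdesk@domain1.com", subject="Invoice attached"),  # single-word name: kept
]


def surname_of(display_name):
    """Second space-separated token, lower-cased; '' for single-word names (DNsplit[1] is empty)."""
    parts = display_name.split(" ")
    return parts[1].lower() if len(parts) > 1 else ""


def detect_spoofed(events, identities, owned_domains=OWNED_DOMAINS,
                   internal_ip_prefix=INTERNAL_IP_PREFIX):
    """Apply the query's filters in order and return the projected rows that survive."""
    known = {row["AccountDisplayName"] for row in identities}   # join kind=inner on display name
    hits = []
    for e in events:
        if e["SenderDisplayName"] not in known:
            continue
        # isnotempty(ThreatTypes) and DeliveryLocation contains "Inbox" (KQL contains is case-insensitive)
        if not e["ThreatTypes"] or "inbox" not in e["DeliveryLocation"].lower():
            continue
        if e["SenderMailFromDomain"] in owned_domains:        # SenderMailFromDomain !in (owned)
            continue
        # Subject !startswith "Automatic reply" and isnotempty(SenderDisplayName)
        if e["Subject"].lower().startswith("automatic reply") or not e["SenderDisplayName"]:
            continue
        # A recipient containing the sender's surname suggests self-forwarding, not spoofing.
        # Guard the empty-surname case so single-word display names are not dropped.
        surname = surname_of(e["SenderDisplayName"])
        if surname and surname in e["RecipientEmailAddress"].lower():
            continue
        # Internal services: SharePoint senders and the internal IP range
        if "sharepoint" in e["SenderFromDomain"].lower() or e["SenderIPv4"].startswith(internal_ip_prefix):
            continue
        projected = {k: e[k] for k in ("SenderDisplayName", "SenderMailFromAddress",
                                       "RecipientEmailAddress", "SenderFromAddress",
                                       "Subject", "SenderIPv4")}
        projected["surname"] = surname
        hits.append(projected)
    return hits


if __name__ == "__main__":
    for hit in detect_spoofed(EMAIL_EVENTS, IDENTITY_INFO):
        print(hit["SenderDisplayName"], hit["SenderMailFromAddress"], "->", hit["RecipientEmailAddress"])
```

Running it leaves exactly two rows: the free-mail sender impersonating "Alice Martin" and the single-word "Madonna" case; every other constructed row is removed by one specific filter, which is the property worth asserting whenever an exclusion is tuned.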

Details


Sergio Albea

Released: December 26, 2024

Tables

EmailEvents, IdentityInfo

Keywords

EmailEvents, IdentityInfo, DisplayName, AccountDisplayName, ThreatTypes, DeliveryLocation, SenderMailFromDomain, Subject, SenderDisplayName, RecipientEmailAddress, SenderFromDomain, SenderIPv4

Operators

join, on, where, isnotempty, contains, !in, !startswith, extend, split, tostring, tolower, project
