Query Details
//This query checks for emails where the DisplayName matches Entra ID DisplayName Accounts
//Applies multiple filters to obtain accurate true positive results for email spoofing
EmailEvents
// IdentityInfo holds one row per account per snapshot; take distinct display names so a single email is not reported once per snapshot
| join kind=inner (IdentityInfo | distinct AccountDisplayName) on $left.SenderDisplayName == $right.AccountDisplayName
// Filter by emails detected as Threat, delivered into an Inbox folder and not sent by owned Email Domains
| where isnotempty(ThreatTypes) and DeliveryLocation contains "Inbox" and SenderMailFromDomain !in ("domain1.com","domain2.com")
// Excluding OOF mails, auto-replies or blank DisplayNames also helps to reduce false positives
| where Subject !startswith "Automatic reply" and isnotempty(SenderDisplayName)
// The following lines check whether the recipient address contains the sender's surname, which could mean the user is forwarding emails to their personal mailbox. If DLP policies already prevent this, you can remove these lines
| extend DNsplit=split(SenderDisplayName, " ")
| extend name = tostring(DNsplit[0])
| extend surname = tolower(tostring(DNsplit[1]))
// A one-word DisplayName yields an empty surname; keep those rows instead of dropping them
| where isempty(surname) or RecipientEmailAddress !contains surname
// If you have internal services such as SharePoint, you can add your internal network here to exclude it and still detect spoofing cases sent by other SharePoint services
| where SenderFromDomain !contains "sharepoint" and SenderIPv4 !startswith "20.117.7"
| project SenderDisplayName, surname, AccountDisplayName, SenderMailFromAddress, RecipientEmailAddress, SenderFromAddress, Subject, SenderIPv4

This query is designed to identify potential email spoofing incidents by analyzing email events. Here's a simplified breakdown of what it does:
Match Display Names: It starts by looking for emails where the sender's display name matches an account's display name in Entra ID (formerly Azure AD).
Filter for Threats: It filters these emails to find those detected as threats, specifically those delivered to the inbox and not sent from certain trusted domains ("domain1.com" and "domain2.com").
Exclude Auto-Replies: It excludes automatic replies, out-of-office messages, and emails with blank display names to reduce false positives.
Check Recipient Surname: It checks if the recipient's email address contains the sender's surname, which might indicate unauthorized forwarding to personal emails. This part can be removed if not needed due to data loss prevention (DLP) policies.
Exclude Internal Services: It excludes emails sent from internal services like SharePoint or specific internal IP ranges to focus on potential spoofing from external sources.
Select Relevant Information: Finally, it selects and displays key information about the emails, such as sender and recipient details, subject, and sender's IP address.
Overall, the query aims to accurately identify and highlight suspicious emails that might be spoofing attempts.
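To make the filter chain above testable outside Advanced Hunting, here is a Python model of the same logic run over constructed EmailEvents and IdentityInfo rows. It is an added example, not part of the original query; the column names follow the Defender schema, the sample rows and the owned domains ("domain1.com", "domain2.com") and the 20.117.7 prefix are placeholders taken from the query. It also shows the two edge cases a practitioner trips over: duplicate IdentityInfo snapshots producing duplicate hits, and a one-word display name producing an empty surname.

```python
# Python model of the display-name spoofing query (added example, constructed data).
OWNED_MAIL_DOMAINS = {"domain1.com", "domain2.com"}  # placeholders from the query
INTERNAL_IP_PREFIX = "20.117.7"                       # placeholder range from the query


def _surname(display_name: str) -> str:
    """Mirror tolower(tostring(split(SenderDisplayName, ' ')[1])); '' if no 2nd token."""
    parts = display_name.split(" ")
    return parts[1].lower() if len(parts) > 1 else ""


def is_suspicious(event: dict, account_display_names: set) -> bool:
    """Apply the query's filters to one EmailEvents row.

    KQL `==` and `!in` are case-sensitive; `contains`/`startswith` are not,
    so only the checks for those operators lower-case their inputs.
    """
    # join kind=inner on SenderDisplayName == AccountDisplayName
    if event["SenderDisplayName"] not in account_display_names:
        return False
    # detected as a threat, landed in an Inbox folder, not from an owned domain
    if not event["ThreatTypes"]:
        return False
    if "inbox" not in event["DeliveryLocation"].lower():
        return False
    if event["SenderMailFromDomain"] in OWNED_MAIL_DOMAINS:
        return False
    # drop auto-replies and blank display names
    if event["Subject"].lower().startswith("automatic reply"):
        return False
    if not event["SenderDisplayName"]:
        return False
    # surname-in-recipient check, guarded so one-word names are not dropped
    surname = _surname(event["SenderDisplayName"])
    if surname and surname in event["RecipientEmailAddress"].lower():
        return False
    # internal services (SharePoint senders, internal IP range)
    if "sharepoint" in event["SenderFromDomain"].lower():
        return False
    if event["SenderIPv4"].startswith(INTERNAL_IP_PREFIX):
        return False
    return True


def hunt(email_events: list, identity_info: list) -> list:
    """Return the projected rows the query would emit, one per matching email."""
    # IdentityInfo has one row per account per snapshot: deduplicate like
    # `IdentityInfo | distinct AccountDisplayName` so each email appears once.
    names = {row["AccountDisplayName"] for row in identity_info}
    return [
        {
            "SenderDisplayName": e["SenderDisplayName"],
            "surname": _surname(e["SenderDisplayName"]),
            "SenderMailFromAddress": e["SenderMailFromAddress"],
            "RecipientEmailAddress": e["RecipientEmailAddress"],
            "Subject": e["Subject"],
            "SenderIPv4": e["SenderIPv4"],
        }
        for e in email_events
        if is_suspicious(e, names)
    ]


def _event(display, mail_from_domain, recipient, subject="Invoice attached",
           threat="Phish", location="Inbox/Folder", from_domain=None,
           ip="198.51.100.7"):
    """Build one constructed EmailEvents row with the columns the query uses."""
    return {
        "SenderDisplayName": display,
        "SenderMailFromDomain": mail_from_domain,
        "SenderMailFromAddress": f"sender@{mail_from_domain}",
        "SenderFromDomain": from_domain or mail_from_domain,
        "RecipientEmailAddress": recipient,
        "Subject": subject,
        "ThreatTypes": threat,
        "DeliveryLocation": location,
        "SenderIPv4": ip,
    }


# Constructed IdentityInfo: two snapshots of the same account plus a one-word name.
IDENTITY_INFO = [
    {"AccountDisplayName": "Jane Doe"},
    {"AccountDisplayName": "Jane Doe"},
    {"AccountDisplayName": "Madonna"},
]

# Constructed EmailEvents: one row per filter branch, two of which should survive.
EMAIL_EVENTS = [
    _event("Jane Doe", "attacker.example", "cfo@domain1.com"),                   # hit
    _event("Jane Doe", "mail.example", "jane.doe@mail.example"),                  # surname in recipient
    _event("Jane Doe", "attacker.example", "cfo@domain1.com", subject="Automatic reply: hi"),
    _event("Jane Doe", "domain1.com", "cfo@domain1.com"),                         # owned domain
    _event("Jane Doe", "attacker.example", "cfo@domain1.com", from_domain="x.sharepoint.com"),
    _event("Jane Doe", "attacker.example", "cfo@domain1.com", ip="20.117.7.44"),  # internal range
    _event("Jane Doe", "attacker.example", "cfo@domain1.com", threat=""),         # not a threat
    _event("Madonna", "attacker.example", "cfo@domain1.com"),                     # one-word name, hit
    _event("John Smith", "attacker.example", "cfo@domain1.com"),                  # no matching account
]

if __name__ == "__main__":
    for row in hunt(EMAIL_EVENTS, IDENTITY_INFO):
        print(row)
```

Running it prints exactly two rows, "Jane Doe" and "Madonna", even though "Jane Doe" appears twice in the identity table; without the deduplication the first hit would be reported once per snapshot, and without the empty-surname guard the "Madonna" row would be lost.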

Sergio Albea
Released: November 10, 2024