//Find senders that are potentially spamming your users for the first time. Useful for detecting business email compromise originating from partner companies.
//Data connector required for this query - M365 Defender - Email* tables
//Set a threshold of the same email being received within a 10 minute period
//Microsoft Sentinel query
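let threshold = 500;
//threshold = minimum number of distinct recipients one sender/subject pair must reach inside a single 10 minute bin to count as "bulk"; tune to tenant size
//First create a list of sender addresses that have previously sent you bulk email, hopefully this will let us exclude corporate communications and newsletters etc
//The baseline stops at ago(1d) so the detection window below is never part of its own baseline
let knownbulkemail=
EmailEvents
| where TimeGenerated > ago(30d) and TimeGenerated < ago(1d)
| project TimeGenerated, EmailDirection, DeliveryAction, RecipientEmailAddress, SenderFromAddress, Subject
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| summarize RecipientCount=dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(TimeGenerated, 10m)
| where RecipientCount > threshold
| distinct SenderFromAddress;
//Look in the last day (ago(1d), matching the baseline cut-off) for any new senders that have sent over the threshold in a 10 minute period
//NOTE: the baseline is keyed on the header From address only, so a message carrying a known bulk sender's From address is excluded even if it
//did not originate from that sender; review SenderMailFromAddress and AuthenticationDetails on hits and tighten the baseline key if that is a concern
EmailEvents
| where TimeGenerated > ago(1d)
| project TimeGenerated, EmailDirection, DeliveryAction, RecipientEmailAddress, SenderFromAddress, Subject
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| summarize RecipientCount=dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(TimeGenerated, 10m)
| where SenderFromAddress !in (knownbulkemail) and RecipientCount > threshold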
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
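let threshold = 500;
//threshold = minimum number of distinct recipients one sender/subject pair must reach inside a single 10 minute bin to count as "bulk"; tune to tenant size
//First create a list of sender addresses that have previously sent you bulk email, hopefully this will let us exclude corporate communications and newsletters etc
//The baseline stops at ago(1d) so the detection window below is never part of its own baseline
let knownbulkemail=
EmailEvents
| where Timestamp > ago(30d) and Timestamp < ago(1d)
| project Timestamp, EmailDirection, DeliveryAction, RecipientEmailAddress, SenderFromAddress, Subject
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| summarize RecipientCount=dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(Timestamp, 10m)
| where RecipientCount > threshold
| distinct SenderFromAddress;
//Look in the last day (ago(1d), matching the baseline cut-off) for any new senders that have sent over the threshold in a 10 minute period
//NOTE: the baseline is keyed on the header From address only, so a message carrying a known bulk sender's From address is excluded even if it
//did not originate from that sender; review SenderMailFromAddress and AuthenticationDetails on hits and tighten the baseline key if that is a concern
EmailEvents
| where Timestamp > ago(1d)
| project Timestamp, EmailDirection, DeliveryAction, RecipientEmailAddress, SenderFromAddress, Subject
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| summarize RecipientCount=dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(Timestamp, 10m)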
| where SenderFromAddress !in (knownbulkemail) and RecipientCount > threshold

This query is used to identify potential spam senders who are targeting your users for the first time. It is particularly useful for detecting business email compromise originating from partner companies. The query sets a threshold for the number of distinct recipients of the same email within a 10-minute period.
The query first creates a list of sender addresses that have previously sent bulk email, in order to exclude corporate communications and newsletters. It then looks for any new senders in the last day (`ago(1d)`) who have exceeded the recipient threshold within a 10-minute period.
This query can be run in Microsoft Sentinel using the M365 Defender - Email* tables data connector. Alternatively, it can be run using the Advanced Hunting license data connector.

Matt Zorich
Released: June 17, 2022