Query Details

MDO Hunting - Phishing Campaign Clustering

MDO 02 Phishing Campaign Clustering

Query

EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish"
| summarize
    Recipients = dcount(RecipientEmailAddress),
    Messages   = count(),
    Senders    = make_set(SenderFromAddress, 15),
    Delivered  = countif(DeliveryAction == "Delivered"),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by Subject, SenderFromDomain
| where Recipients >= 5
| sort by Recipients desc

Explanation

This query is designed to identify and analyze phishing campaigns by grouping similar phishing emails based on their subject and sender domain. Here's a simplified breakdown:

  1. Purpose: The query aims to detect phishing campaigns by clustering emails with the same subject and sender domain, helping to understand the scale and impact of these campaigns.

  2. Data Source: It uses data from the MicrosoftThreatProtection connector, specifically focusing on EmailEvents.

  3. Time Frame: It looks at email events from the past 7 days.

  4. Phishing Focus: The query filters for emails identified as phishing (ThreatTypes has "Phish").

  5. Analysis:

    • It counts the number of unique recipients (Recipients) and total messages (Messages) for each group of emails.
    • It collects up to 15 unique sender email addresses (Senders).
    • It counts how many of these emails were actually delivered (Delivered).
    • It records the first and last time these emails were seen (FirstSeen and LastSeen).
  6. Prioritization: It focuses on clusters where at least 5 unique recipients received the emails, indicating a potentially significant campaign.

  7. Sorting: The results are sorted by the number of recipients in descending order, highlighting the most widespread campaigns.

  8. Value: This approach helps in moving from analyzing individual phishing emails to understanding broader campaigns, which can be crucial for organizational awareness and response.

  9. Tactics and Techniques: The query is related to the tactics of Initial Access and Reconnaissance, specifically targeting phishing techniques (T1566).

Overall, this query helps security teams identify and prioritize phishing campaigns that have successfully reached multiple recipients, enabling them to take appropriate action.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEventsTimestampThreatTypesRecipientEmailAddressMessagesSenderFromAddressDeliveryActionSubjectSenderFromDomainRecipients

Operators

EmailEventswhereagohassummarizedcountcountmake_setcountifminmaxbysortdesc

Tactics

InitialAccessReconnaissance

MITRE Techniques

Actions

GitHub