Query Details

Defender for Office 365 - Identify Non-RFC Compliant Emails

MDO Non RFC Compliant Emails

Query

EmailEvents
| where Timestamp >= ago(90d)
| where not(SenderFromAddress matches regex @"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$")
| project Timestamp,
          SenderMailFromAddress,
          SenderFromAddress,
          Subject,
          RecipientEmailAddress,
          DeliveryAction,
          NetworkMessageId
| order by Timestamp desc
| summarize count() by SenderFromAddress

About this query

Explanation

This query is designed to identify emails that do not comply with standard email formatting rules, known as RFC 5322, within Microsoft Defender for Office 365. Here's a simple breakdown of what the query does:

  1. Data Source: It examines email events from the past 90 days.

  2. Non-Compliance Check: It filters out emails where the sender's address (the "From" field) does not match a typical email pattern. This pattern includes standard characters and structure expected in an email address.

  3. Information Extracted: For each non-compliant email, it retrieves details such as the time it was sent, the sender's address, the subject of the email, the recipient's email address, the action taken on delivery, and a unique message ID.

  4. Sorting and Summarization: The results are sorted by the time they were sent, and the query summarizes the data by counting how many times each non-compliant sender's address appears.

This query helps in identifying potentially suspicious or improperly formatted emails, which could be indicative of phishing attempts or other malicious activities.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 5, 2025

Tables

EmailEvents

Keywords

EmailEventsTimestampSenderMailFromAddressSubjectRecipientDeliveryActionNetworkMessageId

Operators

|wherenotmatches regexprojectorder bysummarizecountby

Actions

GitHub