Defender for Office 365 - Identify Non-RFC Compliant Emails
MDO Non RFC Compliant Emails
Query
EmailEvents
| where Timestamp >= ago(90d)
| where not(SenderFromAddress matches regex @"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$")
| project Timestamp,
SenderMailFromAddress,
SenderFromAddress,
Subject,
RecipientEmailAddress,
DeliveryAction,
NetworkMessageId
| order by Timestamp desc
| summarize count() by SenderFromAddressAbout this query
Explanation
This query is designed to identify emails that do not comply with standard email formatting rules, known as RFC 5322, within Microsoft Defender for Office 365. Here's a simple breakdown of what the query does:
-
Data Source: It examines email events from the past 90 days.
-
Non-Compliance Check: It filters out emails where the sender's address (the "From" field) does not match a typical email pattern. This pattern includes standard characters and structure expected in an email address.
-
Information Extracted: For each non-compliant email, it retrieves details such as the time it was sent, the sender's address, the subject of the email, the recipient's email address, the action taken on delivery, and a unique message ID.
-
Sorting and Summarization: The results are sorted by the time they were sent, and the query summarizes the data by counting how many times each non-compliant sender's address appears.
This query helps in identifying potentially suspicious or improperly formatted emails, which could be indicative of phishing attempts or other malicious activities.
