Query Details

Malicious email delivered in Microsoft 365

Malicious Email Delivered In Mailbox

Query

CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink'],
    NetworkMessageId = tostring(parse_json(RawEventData).NetworkMessageId)
| join kind=leftouter (EmailEvents | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject) on $left.NetworkMessageId == $right.NetworkMessageId
| project-reorder
     Timestamp,
     Classification,
     ClassificationReason,
     ConfidentialityLevel,
     SenderFromAddress,
     Subject,
     RecipientEmailAddress,
     InvestigationLink

About this query

Malicious email delivered in Microsoft 365

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1566Phishinghttps://attack.mitre.org/techniques/T1566/

Description

This query lists all the emails that have been classified as malicious based on Threat Intelligence on the mailbox.

Defender XDR

Sentinel

CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink'],
    NetworkMessageId = tostring(parse_json(RawEventData).NetworkMessageId)
| join kind=leftouter (EmailEvents | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject) on $left.NetworkMessageId == $right.NetworkMessageId
| project-reorder
     Timestamp,
     Classification,
     ClassificationReason,
     ConfidentialityLevel,
     SenderFromAddress,
     Subject,
     RecipientEmailAddress,
     InvestigationLink

Explanation

This query is designed to identify and list emails in Microsoft 365 that have been classified as malicious based on threat intelligence. It focuses on emails that are potentially phishing attempts, aligning with the MITRE ATT&CK technique T1566 for phishing.

Here's a simplified breakdown of what the query does:

  1. Data Source: The query pulls data from CloudAppEvents, specifically looking for events where the action type is "TIMailData-Inline". This indicates that the event is related to email data processed inline.

  2. Extract Information: It extracts several pieces of information from the raw event data:

    • Classification: The verdict on whether the email is malicious.
    • ClassificationReason: The reasons or techniques used to detect the threat.
    • ConfidentialityLevel: The confidence level regarding the phishing nature of the email.
    • InvestigationLink: A link to further investigate the event.
    • NetworkMessageId: A unique identifier for the email message.
  3. Join with Email Events: The query joins this data with EmailEvents to gather additional details about the email, such as:

    • SenderFromAddress: The email address of the sender.
    • RecipientEmailAddress: The email address of the recipient.
    • Subject: The subject line of the email.
  4. Output: Finally, it organizes the output to display the timestamp, classification details, sender and recipient information, email subject, and a link for further investigation.

This query is useful for security analysts to quickly identify and investigate potentially harmful emails that have been delivered within an organization, helping to mitigate phishing attacks.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEventsEmailEvents

Keywords

CloudAppEventsEmailEventsRawEventDataNetworkMessageIdSenderFromAddressRecipientEmailAddressSubjectInvestigationLinkClassificationClassificationReasonConfidentialityLevel

Operators

whereextendparse_jsontostringjoinprojectproject-reorder

MITRE Techniques

Actions

GitHub