MDO — Compromised Internal Sender (Intra-Org Phishing)
MDO AR 03 Compromised Internal Sender
Query
EmailEvents
| where Timestamp > ago(3h)
| where EmailDirection == "Intra-org"
| where ThreatTypes has_any ("Phish", "Malware")
| summarize
Recipients = dcount(RecipientEmailAddress),
Messages = count(),
Subjects = make_set(Subject, 8),
ThreatMix = make_set(ThreatTypes, 5),
ReportId = take_any(ReportId),
Timestamp = min(Timestamp)
by SenderFromAddress
| where Recipients >= 3Explanation
This query is designed to detect potential phishing or malware attacks originating from within an organization. Here's a simplified breakdown of what it does:
-
Purpose: It identifies when an internal email account sends phishing or malware emails to three or more colleagues within a three-hour window. This behavior suggests that the account may have been compromised and is being used to conduct lateral phishing attacks.
-
Data Source: The query uses data from Microsoft Threat Protection, specifically looking at email events.
-
Frequency and Period: The query runs every hour and examines email activity from the past three hours.
-
Conditions:
- It focuses on emails sent within the organization ("Intra-org").
- It filters for emails identified as containing "Phish" or "Malware".
-
Analysis:
- It counts the number of unique recipients and messages.
- It collects the subjects of the emails and the types of threats detected.
- It identifies the sender's email address and the earliest timestamp of the activity.
-
Alert Criteria: An alert is triggered if an internal sender sends malicious emails to three or more recipients.
-
Severity and Response: The alert is marked as high severity. The alert description suggests that the sender's account is likely compromised, recommending actions like resetting credentials and revoking sessions.
-
Incident Management: If an alert is triggered, an incident is created. The system groups related alerts by account to manage them efficiently.
Overall, this query helps security teams quickly identify and respond to potential internal phishing attacks, minimizing the risk of further compromise within the organization.
