Query Details

RULE 19 M365 Exchange Phishing Campaign Multi User

Query

// Rule    : M365 - Exchange Phishing Campaign - Multiple Users Report Same Sender
// Severity: High
// Tactics : InitialAccess
// MITRE   : T1566.001 (Phishing: Spearphishing Attachment),
//           T1566.002 (Phishing: Spearphishing Link)
// Freq    : PT30M   Period: PT30M
// Description: Detects when multiple unique users report the same sender as phishing
//              within a short window — strong signal for an active phishing campaign
//              using a shared delivery infrastructure. Correlates with submission reports.
//==========================================================================================

let LookbackPeriod     = 30m;
let UniqueUserThreshold = 3;   // minimum distinct users reporting same sender

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
// Phishing reports are taken from the ThreatIntelligence record type; the ExchangeAdmin
// operations are retained so an admin message trace against the same sender is visible.
// Caveat: that admin then counts as a "reporter" in the summarize below, so raise
// UniqueUserThreshold or drop "MessageTrace" if this produces noise.
| where (RecordType == "ThreatIntelligence"
         and Operation in ("PhishingReported", "SubmitReport", "PhishReport"))
     or (RecordType == "ExchangeAdmin"
         and Operation in ("MessageTrace", "Enable-AntiPhishRule", "New-AntiPhishPolicy"))
| extend
    // Parameters is a JSON Name/Value array on ExchangeAdmin rows and may be a plain
    // "SenderAddress: x" string elsewhere; capture the first e-mail address that follows
    // the field name and lower-case it so the same sender groups once
    ReportedSender = tolower(extract(@"SenderAddress[^@]*?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)", 1, tostring(Parameters))),
    RecipientUser  = tolower(UserId)
| where isnotempty(ReportedSender)
| summarize
    UniqueReporters = dcount(RecipientUser),
    Reporters       = make_set(RecipientUser, 20),
    FirstReport     = min(TimeGenerated),
    LastReport      = max(TimeGenerated)
    by ReportedSender
| where UniqueReporters >= UniqueUserThreshold
| extend SenderDomain = tostring(split(ReportedSender, "@")[1])
| extend AlertSeverity = case(
    UniqueReporters >= 10, "Critical",
    UniqueReporters >= 5,  "High",
    "Medium")
| project
    TimeGenerated  = LastReport,
    ReportedSender,
    SenderDomain,
    UniqueReporters,
    Reporters,
    FirstReport,
    AlertSeverity

Explanation

This query is designed to detect potential phishing campaigns targeting Microsoft 365 Exchange users. It focuses on identifying instances where multiple unique users report emails from the same sender as phishing within a short time frame, which could indicate an active phishing campaign using shared delivery methods. Here's a simplified breakdown of the query:

  1. Lookback Period: The query examines data from the last 30 minutes.

  2. User Threshold: It requires at least three different users to report the same sender for the alert to trigger.

  3. Data Source: The query looks at activities related to Exchange administration and threat intelligence, specifically focusing on operations like phishing reports and message tracing.

  4. Extracting Information: It extracts the sender's email address and the user who reported it.

  5. Summarization: The query counts how many unique users reported the same sender and gathers a list of these users. It also notes the first and last report times for each sender.

  6. Filtering: It only considers senders reported by at least three unique users.

  7. Domain and Severity: It extracts the sender's domain and assigns an alert severity based on the number of reporters:

    • "Critical" if 10 or more users report,
    • "High" if 5 to 9 users report,
    • "Medium" otherwise.

  8. Output: The final output includes the last report time, reported sender, sender's domain, number of unique reporters, list of reporters, first report time, and alert severity.

Overall, this query helps identify potential phishing threats by flagging senders reported by multiple users in a short time, aiding in the early detection of phishing campaigns.
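To see the extract-summarize-threshold logic run end to end, here is an added Python example (not part of the original rule page and not Microsoft code) that replays constructed OfficeActivity-style rows through the same steps: sender extraction from Parameters, distinct-user counting per sender, the 30-minute window, the threshold of three, and the severity bands. It departs from the KQL in one deliberate way: only user-report operations count as reporters, so an admin MessageTrace against the same sender is excluded rather than counted. The row layout, the plain "SenderAddress: <addr>" string form on report rows, the evaluation time and every address are assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like OfficeActivity records (not data from any
# tenant). ExchangeAdmin rows carry Parameters as a JSON Name/Value array; the
# plain "SenderAddress: <addr>" form on the report rows is an assumption.
SAMPLE_ROWS = [
    ("2026-03-18T09:01:00Z", "ThreatIntelligence", "PhishReport", "alice@contoso.example",
     "SenderAddress: Invoice@Bad-Domain.example"),                      # mixed case
    ("2026-03-18T09:03:00Z", "ThreatIntelligence", "PhishReport", "alice@contoso.example",
     "SenderAddress: invoice@bad-domain.example"),                      # same user again
    ("2026-03-18T09:04:00Z", "ThreatIntelligence", "SubmitReport", "bob@contoso.example",
     json.dumps([{"Name": "SenderAddress", "Value": "invoice@bad-domain.example"}])),
    ("2026-03-18T09:05:00Z", "ThreatIntelligence", "PhishingReported", "carol@contoso.example",
     "SenderAddress: invoice@bad-domain.example"),
    ("2026-03-18T09:06:00Z", "ThreatIntelligence", "PhishReport", "dave@contoso.example",
     "SenderAddress: invoice@bad-domain.example"),
    ("2026-03-18T09:07:00Z", "ThreatIntelligence", "PhishReport", "erin@contoso.example",
     "SenderAddress: invoice@bad-domain.example"),
    ("2026-03-18T08:40:00Z", "ThreatIntelligence", "PhishReport", "frank@contoso.example",
     "SenderAddress: invoice@bad-domain.example"),                      # outside window
    ("2026-03-18T09:10:00Z", "ExchangeAdmin", "MessageTrace", "admin@contoso.example",
     json.dumps([{"Name": "SenderAddress", "Value": "invoice@bad-domain.example"}])),
    ("2026-03-18T09:08:00Z", "ThreatIntelligence", "PhishReport", "gina@contoso.example",
     "SenderAddress: newsletter@legit.example"),
    ("2026-03-18T09:09:00Z", "ThreatIntelligence", "PhishReport", "hank@contoso.example",
     "SenderAddress: newsletter@legit.example"),
    ("2026-03-18T09:11:00Z", "ExchangeAdmin", "New-AntiPhishPolicy", "admin@contoso.example",
     json.dumps([{"Name": "Name", "Value": "Block-Campaign"}])),        # no sender
]
FIELDS = ("TimeGenerated", "RecordType", "Operation", "UserId", "Parameters")
ROWS = [dict(zip(FIELDS, r)) for r in SAMPLE_ROWS]

NOW = datetime(2026, 3, 18, 9, 30, tzinfo=timezone.utc)   # assumed evaluation time
REPORT_OPERATIONS = {"PhishingReported", "SubmitReport", "PhishReport"}
# First e-mail address after the SenderAddress field name, whatever the surrounding format.
SENDER_RE = re.compile(r"SenderAddress[^@]*?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)")


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_sender(parameters):
    """Return the reported sender in lower case, or None when the row has no SenderAddress."""
    m = SENDER_RE.search(parameters or "")
    return m.group(1).lower() if m else None


def severity(unique_reporters):
    if unique_reporters >= 10:
        return "Critical"
    if unique_reporters >= 5:
        return "High"
    return "Medium"


def detect_campaigns(rows, now, lookback=timedelta(minutes=30), threshold=3):
    """Group user phishing reports by sender inside the lookback window and alert
    when at least `threshold` distinct users reported the same sender."""
    window_start = now - lookback
    reporters, first, last = defaultdict(set), {}, {}
    for row in rows:
        ts = parse_ts(row["TimeGenerated"])
        if ts <= window_start:
            continue
        # Only user reports count as reporters. Admin cmdlets such as MessageTrace
        # also carry a SenderAddress but describe an investigator, not a victim.
        if row["Operation"] not in REPORT_OPERATIONS:
            continue
        sender = extract_sender(row["Parameters"])
        if not sender:
            continue
        reporters[sender].add(row["UserId"].lower())
        first[sender] = min(first.get(sender, ts), ts)
        last[sender] = max(last.get(sender, ts), ts)
    alerts = []
    for sender, users in reporters.items():
        if len(users) < threshold:
            continue
        alerts.append({
            "ReportedSender": sender,
            "SenderDomain": sender.split("@", 1)[1],
            "UniqueReporters": len(users),
            "Reporters": sorted(users)[:20],          # mirrors make_set(..., 20)
            "FirstReport": first[sender],
            "LastReport": last[sender],
            "AlertSeverity": severity(len(users)),
        })
    return sorted(alerts, key=lambda a: a["UniqueReporters"], reverse=True)


def run_sample(threshold=3):
    """Run the detection over the constructed rows at the assumed evaluation time."""
    return detect_campaigns(ROWS, NOW, threshold=threshold)
```

Running `run_sample()` yields a single alert for `invoice@bad-domain.example` with five distinct reporters (alice's second report, the stale report from frank and the admin trace are all discarded), which lands in the "High" band; `newsletter@legit.example` stays below the threshold. Lowering the threshold to 2 surfaces it as a second, lower-ranked alert, which is the knob to turn when tuning the rule against a tenant's real report volume.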

Details


David Alonso

Released: March 18, 2026

Tables

OfficeActivity

Keywords

OfficeActivity, RecordType, Operation, Parameters, UserId, TimeGenerated, ReportedSender, RecipientUser, SenderDomain, AlertSeverity

Operators

let, ago, where, or, has_any, in, extend, tostring, extract, isnotempty, summarize, dcount, make_set, min, max, by, split, case, project
