Social Engineering Attack Detection
Query
// Social Engineering Attack (Mail Bomb followed by Social Engineered Call - Initial access via RMM Tool)
// https://admin.microsoft.com/?ref=MessageCenter/:/messages/MC1096885
let MailBombVictim =
EmailEvents
| where TimeGenerated > ago(1h)
| where isnotempty(DetectionMethods)
| where tostring(DetectionMethods) has "Mail Bombing"
| distinct RecipientEmailAddress;
let ApprovedRMM = dynamic("bomgarcloud.com"); // E.g Approved Corporate RMM - Whitelisting
let RMMList=externaldata(URI: string, RMMTool: string) // Lookup list of RMM Tools Url from Microsoft
[h'https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv'];
let RMMUrl =
RMMList
| project URI;
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where ActionType == @"ConnectionSuccess"
| where RemoteUrl has_any(RMMUrl)
| where not (RemoteUrl has_any(ApprovedRMM)) // Unauthorized Outbound RMM Tool Connection
| summarize arg_max(TimeGenerated, *) by DeviceId
| where InitiatingProcessAccountUpn has_any(MailBombVictim) // RMM Tool Connection made by Mail Bomb VictimExplanation
This query is designed to detect a specific type of social engineering attack that involves a mail bombing followed by a social engineering call, ultimately leading to unauthorized access via a Remote Monitoring and Management (RMM) tool. Here's a simplified breakdown:
-
Identify Mail Bomb Victims:
- The query first identifies email recipients who have been targeted by a mail bombing attack within the last hour. This is done by filtering email events for those with a detection method labeled as "Mail Bombing" and collecting the distinct email addresses of the recipients.
-
Approved RMM Tools:
- It defines a list of approved RMM tools, in this case, "bomgarcloud.com," which is considered safe and whitelisted.
-
Fetch RMM Tool URLs:
- The query retrieves a list of known RMM tool URLs from an external source (a CSV file hosted on GitHub). This list is used to identify potential RMM tool connections.
-
Detect Unauthorized RMM Connections:
- It then examines network events from devices over the past hour to find successful connection attempts to any RMM tool URLs, excluding those that are approved (whitelisted).
- The query summarizes these events to find the latest connection attempt for each device.
-
Correlate with Mail Bomb Victims:
- Finally, it checks if any of these unauthorized RMM tool connections were initiated by accounts associated with the mail bomb victims identified earlier.
In essence, the query aims to detect if a user who was targeted by a mail bomb attack subsequently made an unauthorized connection to an RMM tool, which could indicate a successful social engineering attack leading to unauthorized access.
Details

Steven Lim
Released: June 18, 2025
Tables
EmailEventsDeviceNetworkEventsRMMList
Keywords
EmailEventsDetectionMethodsRecipientEmailAddressDeviceNetworkEventsActionTypeRemoteUrlDeviceIdInitiatingProcessAccountUpn
Operators
letEmailEvents|where>ago()isnotempty()tostring()hasdistinctdynamic()externaldata()projectDeviceNetworkEvents==summarizearg_max()bynothas_any