KQL Search

Query Details

HomeAI ToolsDevice Query

Detect Inbound Email Domains From Text List

Query

# Detect inbound email domains from text list

## Description

Following a challenging request from a fellow Microsoft Tech Community member, the query below will help you detect inbound emails which match the domains provided from a public text file. It also allows to exclude specific domains, if required.

### References
- https://techcommunity.microsoft.com/t5/microsoft-defender-xdr/365-advance-hunting/m-p/3937681

### Microsoft 365 Defender
```
let domainList = externaldata(domain: string) [@"https://raw.githubusercontent.com/tsirolnik/spam-domains-list/master/spamdomains.txt"] with (format="txt"); // Change the text file to whatever you want
let excludedDomains = datatable(excludeddomain :string)  // Add as many domains you would like to exclude
 ["domain1.tld",
  "domain2.tld",
  "domain3.tld"];   
let Timeframe = 1d; // Choose the best timeframe for your investigation
let SuspiciousEmails = EmailEvents
    | where Timestamp > ago(Timeframe)
    | where EmailDirection == "Inbound"
    | extend EmailDomain = tostring(split(SenderMailFromAddress, '@')[1])
    | join kind=inner (domainList) on $left.EmailDomain == $right.domain
    | where not(EmailDomain in (['excludedDomains']))
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, EmailDomain, domain, Subject, LatestDeliveryAction;
SuspiciousEmails
    | join (EmailEvents
    | project NetworkMessageId
)on NetworkMessageId
    | sort by Timestamp desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 17/11/2023    | Initial publish                        |

Explanation

This query helps detect inbound emails that match the domains provided in a public text file. It also allows for excluding specific domains if needed. It retrieves the list of domains from the text file, sets the excluded domains, and defines the timeframe for the investigation. Then, it filters the email events to only include inbound emails within the specified timeframe. It extracts the email domain from the sender's address and joins it with the domain list. It excludes the domains in the excludedDomains list. Finally, it projects the relevant email information and sorts the results by timestamp.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: November 17, 2023

Tables

EmailEventsdomainListexcludedDomains

Keywords

Inbound,Email,Domains

Operators

letexternaldatawithdatatablewhereagoextendtostringsplitjoinkind=inneronnotinprojectsort by

Actions