Query Details

Detect Microsoft One Time Pass Code Emails Via Internet Message Id Odspnotify Value

Query

**Detect Microsoft OneTimePassCode Emails via InternetMessageId odspnotify value**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1621  |  MFA abuse|

| Author | Sergio Albea (19/04/2026)   |
| ---  | --- |

**Description:** In a country with more than one local language (Switzerland, in my case), building detections on email subjects is hard because the same notification arrives in several languages. Matching on the value odspnotify inside InternetMessageId, which does not change with the language, avoids that problem.
This query covers OneTimePassCode emails and is useful for identifying whether the code is sent to other domains, which could mean that a forwarding rule has been configured or that some other suspicious activity is taking place.

```kql
//Sergio Albea  19-04-2026 ©️
// OneTimePasscode notifications: match on InternetMessageId, which is language independent, rather than on Subject
EmailEvents
| where InternetMessageId contains "OneTimePasscode"   // KQL contains is case-insensitive
// Keep only recipients outside the organisation's own domains; replace the placeholders with your domains
| where RecipientDomain !in ('trustedomain.ch','trustedomain2.ch')
| project InternetMessageId, Subject, RecipientDomain, RecipientEmailAddress, ReportId
```

Explanation

This query is designed to detect suspicious activity related to Microsoft OneTimePassCode emails. It specifically looks for emails that contain "OneTimePasscode" in their InternetMessageId, which is a unique identifier for each email. The query filters out emails sent to trusted domains, focusing instead on those sent to other domains. This could indicate potential security issues, such as a forwarding rule being set up without authorization or other suspicious activities. The query helps identify these emails by displaying relevant details like the InternetMessageId, subject, recipient domain, recipient email address, and report ID. This approach is particularly useful in multilingual environments, as it doesn't rely on the email subject, which can vary by language.
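The same filter, re-implemented in Python and run over a few constructed EmailEvents rows so the matching rules can be checked offline. This is an added example, not code from the original page or from the author: the field names mirror the EmailEvents columns the query projects, the trusted-domain list reuses the query's placeholders, and the InternetMessageId values are made up. It also shows the one caveat worth knowing when copying the query: KQL `contains` is case-insensitive, but `!in` is case-sensitive (use `!in~` if your RecipientDomain values are not consistently lower-case).

```python
"""Python re-implementation of the OneTimePasscode-to-external-domain check (added example)."""
from dataclasses import dataclass, asdict

# Placeholder trusted domains, as in the KQL query; replace with your own.
TRUSTED_DOMAINS = {"trustedomain.ch", "trustedomain2.ch"}


@dataclass(frozen=True)
class EmailEvent:
    """Subset of EmailEvents columns used by the query."""
    InternetMessageId: str
    Subject: str
    RecipientDomain: str
    RecipientEmailAddress: str
    ReportId: str


# Constructed sample rows (not real telemetry). Message ids are invented.
SAMPLE_EVENTS = [
    # OTP mail to a trusted domain: must be excluded
    EmailEvent("<OneTimePasscode-0001@odspnotify.invalid>", "Ihr Code",
               "trustedomain.ch", "alice@trustedomain.ch", "r1"),
    # OTP mail to an external domain, lower-case id: must be flagged (contains is case-insensitive)
    EmailEvent("<onetimepasscode-0002@odspnotify.invalid>", "Votre code",
               "freemail.invalid", "bob@freemail.invalid", "r2"),
    # Unrelated notification to an external domain: must not be flagged
    EmailEvent("<weeklydigest-0003@odspnotify.invalid>", "Weekly digest",
               "freemail.invalid", "bob@freemail.invalid", "r3"),
    # OTP mail to a trusted domain recorded with different casing:
    # flagged under case-sensitive !in, excluded under !in~
    EmailEvent("<OneTimePasscode-0004@odspnotify.invalid>", "Il tuo codice",
               "Trustedomain.ch", "carol@Trustedomain.ch", "r4"),
]


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` semantics: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def is_otp_to_untrusted_domain(ev: EmailEvent, trusted=TRUSTED_DOMAINS,
                               case_insensitive_domains: bool = False) -> bool:
    """Equivalent of the two `where` clauses.

    case_insensitive_domains=False mirrors `!in` (case-sensitive);
    True mirrors `!in~` (case-insensitive).
    """
    if not kql_contains(ev.InternetMessageId, "OneTimePasscode"):
        return False
    if case_insensitive_domains:
        return ev.RecipientDomain.lower() not in {d.lower() for d in trusted}
    return ev.RecipientDomain not in trusted


def detect_otp_to_untrusted_domains(events, trusted=TRUSTED_DOMAINS,
                                    case_insensitive_domains: bool = False):
    """Equivalent of the whole query: filter, then `project` the listed columns."""
    return [asdict(ev) for ev in events
            if is_otp_to_untrusted_domain(ev, trusted, case_insensitive_domains)]


if __name__ == "__main__":
    for hit in detect_otp_to_untrusted_domains(SAMPLE_EVENTS):
        print(hit["ReportId"], hit["RecipientEmailAddress"], hit["InternetMessageId"])
```

With the default (case-sensitive) domain comparison the sample yields two hits, r2 and r4; with `case_insensitive_domains=True` only r2 remains, which is the behaviour the query gets from `!in~` instead of `!in`.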

Details

Sergio Albea

Released: April 22, 2026

Tables

EmailEvents

Keywords

EmailEvents, InternetMessageId, RecipientDomain, RecipientEmailAddress, ReportId, Subject

Operators

//, |, where, contains, !in, project