Query Details

Detect Direct Send Phishing Emails

Query

let country_land_codes = (
    externaldata (Country:string,Alpha2:string,Alpha3:string,CountryCode:string,Iso3166:string,Region:string,SubRegion:string,IntermediateRegion:string,RegionCode:string,SubRegionCode:string,IntermediateRegionCode:string) 
    ['https://raw.githubusercontent.com/lukes/ISO-3166-Countries-with-Regional-Codes/refs/heads/master/all/all.csv'] with (format='csv', ignoreFirstRecord=true)
    | distinct Country, Alpha2
);
let login_locations = (
    SigninLogs
    | where TimeGenerated > ago(7d)
    | where ResultSignature == 0
    | distinct UserId, UserPrincipalName, LandCode = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(LandCode)
    | join kind=inner country_land_codes on $left.LandCode == $right.Alpha2
    | summarize UsageCountries = make_set(Country) by UserId, UserPrincipalName
);
EmailEvents
| where TimeGenerated > ago(30d)
// Find Direct Send mails
| where SenderMailFromAddress == RecipientEmailAddress
| extend AuthenticationDetails = parse_json(AuthenticationDetails)
| where AuthenticationDetails.SPF == "fail" and AuthenticationDetails.DMARC == "fail"
// Only flag mails not comming in via an exchange connector (these are legit mails)
| where isempty(Connectors)
// Exclude if detected as phish (since it is already remediated then)
| where DeliveryAction !in ("Junked", "Blocked")
| extend Location = parse_json(geo_info_from_ip_address(SenderIPv4))
| extend MailFromCountry = tostring(Location.country)
// Find the usage countries of the users
| join kind=leftouter login_locations on $left.SenderObjectId == $right.UserId
// Flag when sender country is not a usage country of the user
| where tostring(UsageCountries) !contains MailFromCountry

About this query

Explanation

This query is designed to detect phishing emails sent using the Microsoft Exchange Direct Send feature. Here's a simplified explanation of how it works:

  1. Purpose: The query aims to identify potentially malicious emails that exploit the Direct Send feature, which is typically used by devices like printers and scanners to send emails on behalf of a company.

  2. Indicators of Phishing:

    • The sender's email address is the same as the recipient's email address.
    • Both SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) checks fail.
    • The email did not come through an Exchange connector, which would typically indicate a legitimate email.
    • The sender's IP address is from a country where the user does not usually log in.
  3. Data Sources:

    • The query uses data from email events and sign-in logs over the past 30 and 7 days, respectively.
    • It also references a list of country codes to match login locations with sender IP addresses.
  4. Process:

    • It first identifies emails where the sender and recipient addresses are the same.
    • It checks the authentication details to ensure both SPF and DMARC have failed.
    • It filters out emails that have already been marked as junk or blocked.
    • It determines the sender's country based on the IP address.
    • It compares this country with the countries from which the user typically logs in.
    • If the sender's country is not among the usual login countries, the email is flagged as suspicious.
  5. Outcome: The query helps detect phishing attempts that might bypass other security measures, allowing administrators to manually address these threats.

This query is useful when the Direct Send feature cannot be disabled and provides a way to identify and manage potential phishing emails that are not automatically blocked.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: July 15, 2025

Tables

SigninLogsEmailEvents

Keywords

DevicesUsersEmailsCountriesLocationsAuthenticationConnectorsLogs

Operators

letexternaldatawithformatignoreFirstRecorddistinctwhereagoextendparse_jsonisemptyinjoinkindsummarizemake_setbycontainstostring

MITRE Techniques

Actions

GitHub