MDO Hunting - Compromised Internal Sender (Intra-Org Phishing)
MDO 13 Compromised Internal Sender
Query
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Intra-org"
| where ThreatTypes has_any ("Phish", "Malware")
| summarize Recipients = dcount(RecipientEmailAddress),
Messages = count(),
Subjects = make_set(Subject, 10),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by SenderFromAddress
| where Recipients >= 3
| sort by Recipients descExplanation
This query is designed to detect potentially compromised email accounts within an organization that are being used to send phishing or malware emails to other employees. Here's a simple breakdown:
-
Purpose: It aims to identify internal email accounts that might be compromised and are sending harmful emails to multiple colleagues, which could indicate an account takeover.
-
Data Source: It uses data from Microsoft Threat Protection, specifically focusing on email events.
-
Time Frame: The query looks at email events from the past 7 days.
-
Criteria:
- It filters emails that are sent within the organization ("Intra-org").
- It checks if these emails are flagged as containing phishing or malware threats.
-
Analysis:
- It counts the number of unique recipients and total messages sent by each internal sender.
- It collects up to 10 different email subjects for context.
- It notes the first and last time these emails were seen.
-
Alert Condition: The query flags senders who have sent such emails to 3 or more different recipients.
-
Outcome: The results are sorted by the number of recipients, highlighting the most potentially dangerous internal senders.
-
Response Recommendation: If such activity is detected, it's advised to escalate the issue by resetting passwords, revoking sessions, and reviewing the sender's recent activities and email rules to mitigate further risk.
