Query Details

MDO Hunting - Compromised Internal Sender (Intra-Org Phishing)

MDO 13 Compromised Internal Sender

Query

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Intra-org"
| where ThreatTypes has_any ("Phish", "Malware")
| summarize Recipients = dcount(RecipientEmailAddress),
            Messages   = count(),
            Subjects   = make_set(Subject, 10),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp)
    by SenderFromAddress
| where Recipients >= 3
| sort by Recipients desc

Explanation

This query is designed to detect potentially compromised email accounts within an organization that are being used to send phishing or malware emails to other employees. Here's a simple breakdown:

  1. Purpose: It aims to identify internal email accounts that might be compromised and are sending harmful emails to multiple colleagues, which could indicate an account takeover.

  2. Data Source: It uses data from Microsoft Threat Protection, specifically focusing on email events.

  3. Time Frame: The query looks at email events from the past 7 days.

  4. Criteria:

    • It filters emails that are sent within the organization ("Intra-org").
    • It checks if these emails are flagged as containing phishing or malware threats.
  5. Analysis:

    • It counts the number of unique recipients and total messages sent by each internal sender.
    • It collects up to 10 different email subjects for context.
    • It notes the first and last time these emails were seen.
  6. Alert Condition: The query flags senders who have sent such emails to 3 or more different recipients.

  7. Outcome: The results are sorted by the number of recipients, highlighting the most potentially dangerous internal senders.

  8. Response Recommendation: If such activity is detected, it's advised to escalate the issue by resetting passwords, revoking sessions, and reviewing the sender's recent activities and email rules to mitigate further risk.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEventsTimestampEmailDirectionThreatTypesRecipientEmailAddressSenderFromAddressSubject

Operators

wherehas_anysummarizedcountcountmake_setminmaxbysortdescago

Tactics

LateralMovementInitialAccess

MITRE Techniques

Actions

GitHub