Query Details

MDO — Compromised Internal Sender (Intra-Org Phishing)

MDO AR 03 Compromised Internal Sender

Query

EmailEvents
| where Timestamp > ago(3h)
| where EmailDirection == "Intra-org"
| where ThreatTypes has_any ("Phish", "Malware")
| summarize
    Recipients = dcount(RecipientEmailAddress),
    Messages   = count(),
    Subjects   = make_set(Subject, 8),
    ThreatMix  = make_set(ThreatTypes, 5),
    ReportId   = take_any(ReportId),
    Timestamp  = min(Timestamp)
    by SenderFromAddress
| where Recipients >= 3

Explanation

This query is designed to detect potential phishing or malware attacks originating from within an organization. Here's a simplified breakdown of what it does:

  1. Purpose: It identifies when an internal email account sends phishing or malware emails to three or more colleagues within a three-hour window. This behavior suggests that the account may have been compromised and is being used to conduct lateral phishing attacks.

  2. Data Source: The query uses data from Microsoft Threat Protection, specifically looking at email events.

  3. Frequency and Period: The query runs every hour and examines email activity from the past three hours.

  4. Conditions:

    • It focuses on emails sent within the organization ("Intra-org").
    • It filters for emails identified as containing "Phish" or "Malware".
  5. Analysis:

    • It counts the number of unique recipients and messages.
    • It collects the subjects of the emails and the types of threats detected.
    • It identifies the sender's email address and the earliest timestamp of the activity.
  6. Alert Criteria: An alert is triggered if an internal sender sends malicious emails to three or more recipients.

  7. Severity and Response: The alert is marked as high severity. The alert description suggests that the sender's account is likely compromised, recommending actions like resetting credentials and revoking sessions.

  8. Incident Management: If an alert is triggered, an incident is created. The system groups related alerts by account to manage them efficiently.

Overall, this query helps security teams quickly identify and respond to potential internal phishing attacks, minimizing the risk of further compromise within the organization.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEvents

Operators

ago()has_any()summarizedcount()count()make_set()take_any()min()bywhere

Severity

High

Tactics

LateralMovementInitialAccess

MITRE Techniques

Frequency: PT1H

Period: PT3H

Actions

GitHub