Review recently received emails with phishing related subject keywords
Recently Received Emails With Phishing Related Subject Keywords
Query
let CompromizedEmailAddress = ""; // Insert the email address of the compromised email address
let SuspiciousKeywords = externaldata(Keywords: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/phishing-keywords.csv"] with (format="csv", ignoreFirstRecord=True);
let Timeframe = 2d; // Choose the best timeframe for your investigation
EmailEvents
| where RecipientEmailAddress == CompromizedEmailAddress
| where Timestamp > ago(Timeframe)
| where Subject has_any (SuspiciousKeywords)
| where DeliveryAction == "Delivered"
| project Timestamp, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, SenderMailFromDomain, SenderFromDomain, SenderIPv4, AttachmentCount, UrlCount, LatestDeliveryAction
| sort by Timestamp descAbout this query
Review recently received emails with phishing related subject keywords
Description
The following query will go through a set of keywords included in a curated list that could be found in email’s subject, that could potentially be correlated to phishing emails. This query will most probably return a lot of false/positives, however it could potentially return results significant enough to go through.
References
Microsoft 365 Defender
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 04/10/2023 | Initial publish |
Explanation
This query is designed to review recently received emails for any subjects that may be related to phishing. It uses a list of suspicious keywords and checks if the email's subject contains any of those keywords. The query also filters for emails that were delivered and includes various fields such as timestamp, sender information, attachment count, and URL count. The results are sorted by timestamp in descending order. It's important to note that this query may have a high number of false positives, but it could still provide valuable results for investigation.
Details

Michalis Michalos
Released: October 4, 2023
Tables
Keywords
Operators