Detection | Level: medium | Status: experimental

Suspicious Email Delivered In Microsoft 365

Detects instances where an email identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine was nevertheless delivered to a user's Inbox or Junk folder rather than blocked. This can indicate that a threat such as a spearphishing attachment or link has bypassed the initial blocking mechanisms and reached an end user, so the message warrants investigation and, where needed, remediation (for example, purging it from the mailbox).

Author: Marco Pedrinazzi (InTheCyber)
Created: Tue Jan 27
Rule ID: 3569aefd-e535-4391-8c18-24bd01a21eaf
Category: cloud
Log Source
Product: Microsoft 365 (raw: m365)
Service: audit (raw: audit)
Detection Logic (2 selectors)
detection:
    selection:
        Workload: 'ThreatIntelligence'
        Operation: 'TIMailData'
        Directionality: 'Inbound'
    filter_main_blocked:
        DeliveryAction: 'Blocked'
    condition: selection and not 1 of filter_main_*
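To make the condition concrete, here is an added example (not part of the rule or of the Sigma project) that evaluates the same selection and filter logic over a few constructed Microsoft 365 audit records. The field names are those the rule uses; the DeliveryAction values, subjects and verdicts in the sample data are assumptions for illustration. Note that a record with no DeliveryAction field at all still matches, because the Sigma `not` filter only excludes records where the field equals 'Blocked'.

```python
import json

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries (JSON, one per line). Not real telemetry; values are assumptions.
SAMPLE_RECORDS = [
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                "Directionality": "Inbound", "DeliveryAction": "Delivered",
                "Subject": "Invoice attached", "Verdict": "Phish"}),
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                "Directionality": "Inbound", "DeliveryAction": "DeliveredAsSpam",
                "Subject": "Your account", "Verdict": "Phish"}),
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                "Directionality": "Inbound", "DeliveryAction": "Blocked",
                "Subject": "Payment overdue", "Verdict": "Malware"}),
    json.dumps({"Workload": "ThreatIntelligence", "Operation": "TIMailData",
                "Directionality": "Outbound", "DeliveryAction": "Delivered",
                "Subject": "Re: report", "Verdict": "Spam"}),
    json.dumps({"Workload": "Exchange", "Operation": "Send",
                "Directionality": "Inbound", "DeliveryAction": "Delivered"}),
]

# The rule's selectors, transcribed from the YAML above.
SELECTION = {"Workload": "ThreatIntelligence", "Operation": "TIMailData",
             "Directionality": "Inbound"}
FILTERS = {"filter_main_blocked": {"DeliveryAction": "Blocked"}}


def selector_matches(record, selector):
    # Sigma map semantics: every key/value pair in the selector must match (AND).
    return all(record.get(k) == v for k, v in selector.items())


def rule_matches(record):
    # condition: selection and not 1 of filter_main_*
    if not selector_matches(record, SELECTION):
        return False
    return not any(selector_matches(record, f)
                   for name, f in FILTERS.items() if name.startswith("filter_main_"))


def find_delivered_threats(raw_lines):
    hits = []
    for line in raw_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed entries instead of aborting the whole run
        if rule_matches(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_delivered_threats(SAMPLE_RECORDS):
        print(f"ALERT delivered threat: {hit['DeliveryAction']:16} {hit.get('Subject')}")
```

Running it flags the two inbound ThreatIntelligence records that were delivered (to the Inbox and as spam to Junk) and ignores the blocked one, the outbound one and the unrelated Exchange event.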
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
3569aefd-e535-4391-8c18-24bd01a21eaf
Status
experimental
Level
medium
Type
Detection
Created
Tue Jan 27
Path
rules/cloud/m365/audit/microsoft365_suspicious_email_delivered.yml
Raw Tags
attack.initial-access, attack.t1566.001, attack.t1566.002