Suspicious Email Delivered In Microsoft 365
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder. It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
Sigma rule (View on GitHub)
1title: Suspicious Email Delivered In Microsoft 365
2id: 3569aefd-e535-4391-8c18-24bd01a21eaf
3status: experimental
4description: |
5 Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
6 It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
7references:
8 - https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
9 - https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
10 - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
11author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
12date: 2026-01-27
13tags:
14 - attack.initial-access
15 - attack.t1566.001
16 - attack.t1566.002
17logsource:
18 service: audit
19 product: m365
20detection:
21 selection:
22 Workload: 'ThreatIntelligence'
23 Operation: 'TIMailData'
24 Directionality: 'Inbound'
25 filter_main_blocked:
26 DeliveryAction: 'Blocked'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unlikely
30level: medium
References
-
Learn about the available views, filters, and actions in Threat Explorer (Explorer) or Real-time detections to investigate and respond to threats.
Read More -
Updated Date: 2026-04-15 ID: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2 Author: Steven Dick Type: Anomaly Product: Splunk Enterprise Security Description The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
Read More -
KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules. ...
Read More
Related rules
- Office Macro File Creation
- Potential Malicious Usage of CloudTrail System Manager
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Droppers Exploiting CVE-2017-11882
- ISO File Created Within Temp Folders