Detection rules › Splunk
O365 Threat Intelligence Suspicious Email Delivered
The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment, T1566.002 Phishing: Spearphishing Link |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: O365 Threat Intelligence Suspicious Email Delivered
id: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2
version: 12
creation_date: '2024-04-07'
modification_date: '2026-05-13'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic identifies when a suspicious email is detected within the Microsoft Office 365 ecosystem through the Advanced Threat Protection engine and delivered to an end user. Attackers may execute several attacks through email, any detections from built-in Office 365 capabilities should be monitored and responded to appropriately. Certain premium Office 365 capabilities such as Safe Attachment and Safe Links further enhance these detection and response functions.
data_source:
- Office 365 Universal Audit Log
search: |-
`o365_management_activity` Workload=ThreatIntelligence Operation=TIMailData DeliveryAction!=Blocked Directionality=InBound
| rename P2Sender as src_user, P1Sender as sender, Recipients{} as user, DeliveryAction as action
| stats values(SenderIp) as src, values(Subject) as subject, values(user) as user, values(action) as action, values(SystemOverrides{}.Details) as reason, values(LatestDeliveryLocation) as result, values(ThreatsAndDetectionTech{}) as category, values(AttachmentData{}.FileName) as file_name, values(AttachmentData{}.FileType) as file_type, values(AttachmentData{}.SHA256) as file_hash values(DetectionMethod) as signature, min(_time) as firstTime max(_time) as lastTime, count
BY src_user,sender,dest,vendor_account,vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_threat_intelligence_suspicious_email_delivered_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The threat intelligence workload is typically only visible to E3/E5 level customers.
known_false_positives: No false positives have been identified at this time.
references:
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide
drilldown_searches:
- name: View the detection results for - "$user$" and "$src_user$"
search: '%original_detection_search% | search user = "$user$" src_user = "$src_user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: A suspicious email was delivered to $user$ by $src_user$ matching the $signature$ signature
- field: src_user
type: user
score: 20
message: A suspicious email was delivered to $user$ by $src_user$ matching the $signature$ signature
threat_objects:
- field: subject
type: email_subject
analytic_story:
- Spearphishing Attachments
- Suspicious Emails
asset_type: O365 Tenant
mitre_attack_id:
- T1566.001
- T1566.002
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
sourcetype: o365:management:activity
source: o365
test_type: unit
Stages and Predicates
Stage 1: search
`o365_management_activity` Workload=ThreatIntelligence Operation=TIMailData DeliveryAction!=Blocked Directionality=InBound
Stage 2: rename
| rename P2Sender as src_user, P1Sender as sender, Recipients{} as user, DeliveryAction as action
Stage 3: stats
| stats values(SenderIp) as src, values(Subject) as subject, values(user) as user, values(action) as action, values(SystemOverrides{}.Details) as reason, values(LatestDeliveryLocation) as result, values(ThreatsAndDetectionTech{}) as category, values(AttachmentData{}.FileName) as file_name, values(AttachmentData{}.FileType) as file_type, values(AttachmentData{}.SHA256) as file_hash values(DetectionMethod) as signature, min(_time) as firstTime max(_time) as lastTime, count
BY src_user,sender,dest,vendor_account,vendor_product
Stage 4: search
| `security_content_ctime(firstTime)`
Stage 5: search
| `security_content_ctime(lastTime)`
Stage 6: search
| `o365_threat_intelligence_suspicious_email_delivered_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DeliveryAction | ne |
|
Directionality | eq |
|
Operation | eq |
|
Workload | eq |
|
sourcetype | eq |
|