From 697e29ac354b56678e726c8ff6a9990b4720f90d Mon Sep 17 00:00:00 2001
From: damozes1 <45426291+damozes1@users.noreply.github.com>
Date: Wed, 29 Jan 2025 16:09:35 +0100
Subject: [PATCH] Adding new MDO Advance hunting queries

---
 ...tions and suspicious sign-in activity.yaml | 26 +++++++++++++
 .../BEC - File sharing tactics - Dropbox.yaml | 30 +++++++++++++++
 ...ring tactics - OneDrive or SharePoint.yaml | 38 +++++++++++++++++++
 .../Hunt for email bombing attacks.yaml       | 25 ++++++++++++
 ...s sending inbound emails with threats.yaml | 26 +++++++++++++
 .../Possible Teams phishing activity.yaml     | 34 +++++++++++++++++
 ...on - BEC LLM detections - daily trend.yaml | 21 ++++++++++
 ...cation - BEC LLM detections - summary.yaml | 21 ++++++++++
 .../AIR investigation actions insight.yaml    | 35 +++++++++++++++++
 .../Hunt for email bombing attacks.yaml       | 25 ++++++++++++
 ...s sending inbound emails with threats.yaml | 26 +++++++++++++
 .../Possible Teams phishing activity.yaml     | 34 +++++++++++++++++
 ...on - BEC LLM detections - daily trend.yaml | 21 ++++++++++
 ...cation - BEC LLM detections - summary.yaml | 21 ++++++++++
 .../AIR investigation actions insight.yaml    | 35 +++++++++++++++++
 15 files changed, 418 insertions(+)
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email bombing attacks.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible Teams phishing activity.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml
 create mode 100644 Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/AIR investigation actions insight.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Hunt for email bombing attacks.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Possible Teams phishing activity.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml
 create mode 100644 Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Remediation/AIR investigation actions insight.yaml

diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml
new file mode 100644
index 00000000000..7be0dd24551
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml	
@@ -0,0 +1,26 @@
+id: a7acfaf4-e03e-409d-a16e-dcde33f7dba3
+name: Automated email notifications and suspicious sign-in activity
+description: |
+  This query helps hunting for Automated email notifications and suspicious sign-in activity
+description-detailed: |
+  This query helps hunting for Automated email notifications and suspicious sign-in activity. 
+  By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+  - AADSignInEventsBeta
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+ let usersWithSuspiciousEmails = EmailEvents
+ | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "<OneTimePasscode"
+ | where isnotempty(RecipientObjectId)
+ | distinct RecipientObjectId;
+ AADSignInEventsBeta
+ | where AccountObjectId in (usersWithSuspiciousEmails)
+ | where RiskLevelDuringSignIn == 100
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml
new file mode 100644
index 00000000000..6d73ca693d9
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml	
@@ -0,0 +1,30 @@
+id: 6e056084-8951-460d-93f9-525880062de9
+name: BEC - File sharing tactics - Dropbox
+description: |
+  This query helps hunting for BEC - File sharing tactics - Dropbox
+description-detailed: |
+  This query helps hunting for BEC - File sharing tactics - Dropbox. 
+  It highlights that highlights that a file hosted on Dropbox has been shared with multiple participants.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T1021
+query: |
+  CloudAppEvents
+  | where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
+  | where Application == "Dropbox"
+  | where ObjectType == "File"
+  | extend FileShared = tostring(ObjectName)
+  | where isnotempty(FileShared)
+  | mv-expand ActivityObjects
+  | where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
+  | extend SharedBy = AccountId
+  | extend UserSharedWith = tostring(ActivityObjects.Name)
+  | summarize dcount(UserSharedWith) by FileShared, AccountObjectId
+  | where dcount_UserSharedWith >= 20
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
new file mode 100644
index 00000000000..68df60ccef8
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml	
@@ -0,0 +1,38 @@
+id: cf8d2c27-8310-4b13-b135-1ba59ae0a3a2
+name: BEC - File sharing tactics - OneDrive or SharePoint
+description: |
+  This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint
+description-detailed: |
+  This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint. 
+  It highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T1021
+query: |
+  let securelinkCreated = CloudAppEvents
+  | where ActionType == "SecureLinkCreated"
+  | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
+  let filesCreated = securelinkCreated
+  | where isnotempty(ObjectName)
+  | distinct tostring(ObjectName);
+  CloudAppEvents
+  | where ActionType == "AddedToSecureLink"
+  | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
+  | extend FileShared = tostring(RawEventData.ObjectId)
+  | where FileShared in (filesCreated)
+  | extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
+  | extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
+  | where TypeofUserSharedWith == "Guest"
+  | where isnotempty(FileShared) and isnotempty(UserSharedWith)
+  | join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
+  // Secure file created recently (in the last 1day)
+  | where (Timestamp - FileCreatedTime) between (1d .. 0h)
+  | summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
+  | where NumofUsersSharedWith >= 20
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email bombing attacks.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email bombing attacks.yaml
new file mode 100644
index 00000000000..f8b2904ce96
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email bombing attacks.yaml	
@@ -0,0 +1,25 @@
+id: 24eb9c13-c188-4b3c-8e89-654e56ce4c56
+name: Hunt for email bombing attacks
+description: |
+  This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
+description-detailed: |
+  In this type of attacks threat actors initiate link listing attacks - a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content.
+  More details: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ and https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound"
+  | make-series Emailcount = count()
+                on Timestamp step 1h by RecipientObjectId
+  | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
+  | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
+  | where Anomalies != 0
+  | where AnomalyScore >= 10
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml
new file mode 100644
index 00000000000..2fa60556c0b
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml	
@@ -0,0 +1,26 @@
+id: 61bd29e8-fcfa-4f10-bc8f-b3a64e9493f7
+name: Top outbound recipient domains sending inbound emails with threats
+description: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats
+description-detailed: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats. 
+  Top outbound recipient domains by volume and number of inbound emails from the same domains as senders with threats.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Outbound"
+  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
+  | summarize count() by RecipientDomain
+  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
+  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
+  | summarize max(OutboundCount),count() by SenderFromDomain
+  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
+  | sort by OutboundEmails
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible Teams phishing activity.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible Teams phishing activity.yaml
new file mode 100644
index 00000000000..0dc10c95e37
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Possible Teams phishing activity.yaml	
@@ -0,0 +1,34 @@
+id: ca7f7287-d688-4256-ae46-e68ad2f657c8
+name: Possible Teams phishing activity
+description: |
+  This query looks for possible Teams phishing activity.
+description-detailed: |
+  This query looks for possible Teams phishing activity.
+  Shared by Microsoft Threat Intelligence:https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - DeviceProcessEvents
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let suspiciousUpns = DeviceProcessEvents
+  | where DeviceId == "alertedMachine"
+  | where isnotempty(InitiatingProcessAccountUpn)
+  | project InitiatingProcessAccountUpn;
+  CloudAppEvents
+  | where Application == "Microsoft Teams"
+  | where ActionType == "ChatCreated"
+  | where isempty(AccountObjectId)
+  | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
+  | where RawEventData.CommunicationType == "OneonOne"
+  | where RawEventData.ParticipantInfo.HasGuestUsers == false
+  | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
+  | where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
+  | where AccountId has "@"
+  | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
+  | where TargetUPN in (suspiciousUpns)
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml
new file mode 100644
index 00000000000..2a57b178cbe
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml	
@@ -0,0 +1,21 @@
+id: 629b1650-38a4-42a2-9017-96b1d8c91cd7
+name: Threat classification - BEC LLM detections - daily trend
+description: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification, bin(Timestamp, 1d)
+  | render linechart
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml
new file mode 100644
index 00000000000..eb2d1047e77
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml	
@@ -0,0 +1,21 @@
+id: 797cabdd-e162-42ff-b555-554583738d35
+name: Threat classification - BEC LLM detections - summary
+description: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification
+  | render piechart
+version: 1.0.0
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/AIR investigation actions insight.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/AIR investigation actions insight.yaml
new file mode 100644
index 00000000000..c583f7fdef7
--- /dev/null
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/AIR investigation actions insight.yaml	
@@ -0,0 +1,35 @@
+id: 28a1ce89-ee88-47b3-872b-fb5c3c8b350c
+name: AIR investigation actions insight
+description: |
+  This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
+description-detailed: |
+  This query provides insights into AIR investigation results approval actions (Approved, Declined etc.) in Microsoft Defender for Office 365.
+  More information:https://learn.microsoft.com/en-us/defender-office-365/air-remediation-actions and https://learn.microsoft.com/en-us/defender-office-365/air-review-approve-pending-completed-actions
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == "AirInvestigationData"
+  | project Timestamp, RawEventData
+  | extend EventData = parse_json(RawEventData)
+  | extend Data = parse_json(tostring(EventData.Data))
+  | extend InvestigationType = EventData.InvestigationType
+  | extend InvestigationId = RawEventData.InvestigationId
+  | extend Status = tostring(Data.Status)
+  | where Status == "Resolved"
+  | extend ActionRaw = parse_json(tostring(EventData.Actions))
+  | mv-expand ActionRaw
+  | extend Action = parse_json(tostring(ActionRaw))
+  | extend ActionType=Action.ActionType, ActionApproval=Action.ActionApproval, ApprovedBy=Action.ApprovedBy, ApproverComment=Action.ApproverComment, ActionStatus=Action.ActionStatus
+  | mv-expand Action.Entities
+  | extend EntityQuery = Action_Entities.Query
+  | mv-expand Action_Entities.Urls, Action_Entities.NetworkMessageIds
+  | sort by Timestamp
+  | project Timestamp, InvestigationType, InvestigationId, ActionType, ActionApproval, ApprovedBy, ApproverComment, ActionStatus, EntityQuery, Action_Entities_Urls, Action_Entities_NetworkMessageIds
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Hunt for email bombing attacks.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Hunt for email bombing attacks.yaml
new file mode 100644
index 00000000000..f7724c6c63c
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Hunt for email bombing attacks.yaml	
@@ -0,0 +1,25 @@
+id: dd4a480b-aa24-4b62-b1f3-f538d8abbdfb
+name: Hunt for email bombing attacks
+description: |
+  This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
+description-detailed: |
+  In this type of attacks threat actors initiate link listing attacks - a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content.
+  More details: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ and https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound"
+  | make-series Emailcount = count()
+                on Timestamp step 1h by RecipientObjectId
+  | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
+  | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
+  | where Anomalies != 0
+  | where AnomalyScore >= 10
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml
new file mode 100644
index 00000000000..3fb2d240c95
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Top outbound recipient domains sending inbound emails with threats.yaml	
@@ -0,0 +1,26 @@
+id: 38d6e2fb-a804-4170-8d32-d251ecd6bcd2
+name: Top outbound recipient domains sending inbound emails with threats
+description: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats
+description-detailed: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats. 
+  Top outbound recipient domains by volume and number of inbound emails from the same domains as senders with threats.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Outbound"
+  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
+  | summarize count() by RecipientDomain
+  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
+  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
+  | summarize max(OutboundCount),count() by SenderFromDomain
+  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
+  | sort by OutboundEmails
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Possible Teams phishing activity.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Possible Teams phishing activity.yaml
new file mode 100644
index 00000000000..20f5e7a9791
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Possible Teams phishing activity.yaml	
@@ -0,0 +1,34 @@
+id: 01cf63bd-debd-4d03-847c-d19c31844501
+name: Possible Teams phishing activity
+description: |
+  This query looks for possible Teams phishing activity.
+description-detailed: |
+  This query looks for possible Teams phishing activity.
+  Shared by Microsoft Threat Intelligence:https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - DeviceProcessEvents
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let suspiciousUpns = DeviceProcessEvents
+  | where DeviceId == "alertedMachine"
+  | where isnotempty(InitiatingProcessAccountUpn)
+  | project InitiatingProcessAccountUpn;
+  CloudAppEvents
+  | where Application == "Microsoft Teams"
+  | where ActionType == "ChatCreated"
+  | where isempty(AccountObjectId)
+  | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
+  | where RawEventData.CommunicationType == "OneonOne"
+  | where RawEventData.ParticipantInfo.HasGuestUsers == false
+  | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
+  | where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
+  | where AccountId has "@"
+  | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
+  | where TargetUPN in (suspiciousUpns)
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml
new file mode 100644
index 00000000000..a44f441e9fa
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - daily trend.yaml	
@@ -0,0 +1,21 @@
+id: 1401f5d8-e4bd-4002-90a2-db53871302da
+name: Threat classification - BEC LLM detections - daily trend
+description: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification, bin(Timestamp, 1d)
+  | render linechart
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml
new file mode 100644
index 00000000000..16f6b59266f
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Phish/Threat classification - BEC LLM detections - summary.yaml	
@@ -0,0 +1,21 @@
+id: a167a423-195c-49d8-a828-93e40e3e6f26
+name: Threat classification - BEC LLM detections - summary
+description: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification
+  | render piechart
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Remediation/AIR investigation actions insight.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Remediation/AIR investigation actions insight.yaml
new file mode 100644
index 00000000000..bfebad81db7
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Remediation/AIR investigation actions insight.yaml	
@@ -0,0 +1,35 @@
+id: 77104824-b41e-412d-8e50-26971fe97ab0
+name: AIR investigation actions insight
+description: |
+  This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
+description-detailed: |
+  This query provides insights into AIR investigation results approval actions (Approved, Declined etc.) in Microsoft Defender for Office 365.
+  More information:https://learn.microsoft.com/en-us/defender-office-365/air-remediation-actions and https://learn.microsoft.com/en-us/defender-office-365/air-review-approve-pending-completed-actions
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == "AirInvestigationData"
+  | project Timestamp, RawEventData
+  | extend EventData = parse_json(RawEventData)
+  | extend Data = parse_json(tostring(EventData.Data))
+  | extend InvestigationType = EventData.InvestigationType
+  | extend InvestigationId = RawEventData.InvestigationId
+  | extend Status = tostring(Data.Status)
+  | where Status == "Resolved"
+  | extend ActionRaw = parse_json(tostring(EventData.Actions))
+  | mv-expand ActionRaw
+  | extend Action = parse_json(tostring(ActionRaw))
+  | extend ActionType=Action.ActionType, ActionApproval=Action.ActionApproval, ApprovedBy=Action.ApprovedBy, ApproverComment=Action.ApproverComment, ActionStatus=Action.ActionStatus
+  | mv-expand Action.Entities
+  | extend EntityQuery = Action_Entities.Query
+  | mv-expand Action_Entities.Urls, Action_Entities.NetworkMessageIds
+  | sort by Timestamp
+  | project Timestamp, InvestigationType, InvestigationId, ActionType, ActionApproval, ApprovedBy, ApproverComment, ActionStatus, EntityQuery, Action_Entities_Urls, Action_Entities_NetworkMessageIds
+version: 1.0.0
\ No newline at end of file