What Changed
Added a new hunting query “Identify acting user for reported phish” to both standalone and Microsoft Defender XDR solution paths. This query correlates user-reported phishing alerts with mailbox activity to determine the actual acting user.
Query Logic
- Primary data sources: AlertEvidence, CloudAppEvents
- Core logic: Joins user phish reports (AlertEvidence where Title == “Email reported by user as malware or phish”) with Deleted Items activity (CloudAppEvents carrying the Exchange mailbox audit action MoveToDeletedItems) on InternetMessageId
- Entity comparison: Normalizes and compares recipient email addresses with acting user email addresses to determine if they match
- Output: Returns detailed correlation showing alert timing, message details, and whether recipient matches the acting user
Detection Surface
This query addresses investigation gaps in email security workflows where:
- Delegates report messages on behalf of other users
- Shared mailbox users report messages under different identities
- SOC analysts need to understand the true chain of custody for phish reports
The query enables analysts to distinguish between legitimate delegate actions and potential account compromise scenarios where an unexpected user is handling mailbox operations.
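The following KQL is an added illustration of the correlation described under Query Logic and Detection Surface; it is written for this note and is not the query shipped in the PR's YAML files. It assumes that the reported message is resolved to its InternetMessageId and recipient through EmailEvents on NetworkMessageId, and that the acting user, mailbox owner and logon type are read from the Exchange mailbox audit fields (UserId, MailboxOwnerUPN, LogonType, AffectedItems) carried in CloudAppEvents.RawEventData; the lookback window and the 5-minute skew allowance are arbitrary choices.

```kusto
// Added example, not the PR's YAML: correlate user phish reports with the
// Exchange audit record of the message being moved to Deleted Items and
// flag reports where the acting user is not the recipient.
let lookback = 7d;
// User-reported phish alerts. Assumption: NetworkMessageId from the alert
// evidence is resolved to InternetMessageId and recipient via EmailEvents.
let reports =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where Title == "Email reported by user as malware or phish"
    | where EntityType == "MailMessage" and isnotempty(NetworkMessageId)
    | project AlertTime = Timestamp, AlertId, NetworkMessageId, EmailSubject
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | project NetworkMessageId, InternetMessageId, RecipientEmailAddress, SenderFromAddress
      ) on NetworkMessageId
    | project AlertTime, AlertId, InternetMessageId, EmailSubject, SenderFromAddress,
              // normalize before comparing: case and whitespace differ between sources
              Recipient = tolower(trim(" ", RecipientEmailAddress));
// Mailbox audit events for messages moved to Deleted Items. Assumption: field
// names follow the Exchange mailbox audit schema embedded in RawEventData.
let moves =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application == "Microsoft Exchange Online" and ActionType == "MoveToDeletedItems"
    | mv-expand Item = RawEventData.AffectedItems
    | extend InternetMessageId = tostring(Item.InternetMessageId)
    | where isnotempty(InternetMessageId)
    | project MoveTime = Timestamp,
              InternetMessageId,
              ActingUser = tolower(trim(" ", tostring(RawEventData.UserId))),
              MailboxOwner = tolower(trim(" ", tostring(RawEventData.MailboxOwnerUPN))),
              LogonType = toint(RawEventData.LogonType);  // 0 owner, 1 admin, 2 delegate
reports
| join kind=inner moves on InternetMessageId
// keep only moves that followed the report; tolerate skew between the two pipelines
| where MoveTime >= AlertTime - 5m
// one row per report: the first move after the alert
| summarize arg_min(MoveTime, *) by AlertId, InternetMessageId
| extend RecipientIsActingUser = (Recipient == ActingUser)
| extend Interpretation = case(
      RecipientIsActingUser, "Recipient handled own mailbox",
      LogonType == 2, "Delegate acted on behalf of recipient",
      LogonType == 1, "Admin logon touched the mailbox",
      "Unexpected acting user: review for compromise or misconfigured delegation")
| project AlertTime, MoveTime, AlertId, InternetMessageId, EmailSubject, SenderFromAddress,
          Recipient, MailboxOwner, ActingUser, LogonType, RecipientIsActingUser, Interpretation
| order by AlertTime desc
```

The LogonType column is what separates a sanctioned delegate (LogonType 2, typically with MailboxOwner equal to Recipient) from the case the Detection Surface section calls out: an acting user who is neither the recipient nor a recorded delegate or admin, which is the row an analyst should pivot on.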
Affected Files
Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Submissions/Identify acting user for reported phish.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Submissions/Identify acting user for reported phish.yaml