What Changed

Four Hunting Queries were modified and the Microsoft Defender XDR Data Connector UI definition was updated:

Connector Reference Fix (3 queries):

  • Check for spoofing attempts on the domain with Authentication failures.yaml
  • Delivered Bad Emails from Top bad IPv4 addresses.yaml
  • EmailDelivered-ToInbox.yaml

All three had connectorId: OfficeATP mapped against dataTypes: EmailEvents. EmailEvents is a Defender XDR table, not a Defender for Office 365 (OfficeATP) table. This mismatch caused the Content Hub prerequisite check to flag the wrong connector, meaning customers who had Defender XDR (MicrosoftThreatProtection) connected but not the legacy OfficeATP connector would not be correctly guided to the required data source.
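A small metadata check for the connectorId/dataTypes mismatch described above, added here as an example and not part of the PR or of the Sentinel repository's own tooling. It assumes the usual requiredDataConnectors layout of Sentinel hunting-query YAML and uses only the EmailEvents-to-MicrosoftThreatProtection mapping stated above; the sample YAML is constructed.

```python
import re

# Table -> connector mapping the fix relies on: EmailEvents is a Defender XDR
# table, so it belongs under MicrosoftThreatProtection, not OfficeATP (assumed
# to be the only mapping of interest here; extend as needed).
TABLE_CONNECTOR = {"EmailEvents": "MicrosoftThreatProtection"}

def parse_required_connectors(yaml_text):
    """Extract the requiredDataConnectors block of a hunting-query YAML without
    a PyYAML dependency. Returns [(connectorId, [dataTypes...])]."""
    entries, in_block, block_indent = [], False, 0
    for line in yaml_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requiredDataConnectors:":
            in_block, block_indent = True, indent
            continue
        if in_block and indent <= block_indent:
            break  # reached the next top-level key: block has ended
        if not in_block:
            continue
        m = re.match(r"\s*-\s*connectorId:\s*(\S+)", line)
        if m:
            entries.append((m.group(1), []))
            continue
        m = re.match(r"\s*-\s*([A-Za-z0-9_]+)\s*$", line)  # dataTypes item
        if m and entries:
            entries[-1][1].append(m.group(1))
    return entries

def find_connector_mismatches(yaml_text):
    """Return (table, declaredConnectorId, expectedConnectorId) for every
    dataType declared under a connector that does not actually ingest it."""
    problems = []
    for connector_id, tables in parse_required_connectors(yaml_text):
        for table in tables:
            expected = TABLE_CONNECTOR.get(table)
            if expected and expected != connector_id:
                problems.append((table, connector_id, expected))
    return problems

# Constructed sample mirroring the pre-fix metadata described above.
BEFORE_FIX = """\
name: Delivered Bad Emails from Top bad IPv4 addresses
requiredDataConnectors:
  - connectorId: OfficeATP
    dataTypes:
      - EmailEvents
tactics: [InitialAccess]
"""
AFTER_FIX = BEFORE_FIX.replace("OfficeATP", "MicrosoftThreatProtection")
```

Running find_connector_mismatches over every file under Hunting Queries would have surfaced all three affected queries before the Content Hub prerequisite check did.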

Punycode Lookalike Domains Query (updated): The Punycode chars lookalike domains.yaml query adds column_ifexists() guards for ThreadName, ThreadType, MessageType, MessageSubtype, and Subject fields on the MessageEvents table join branch. Without these guards, Teams environments where those fields are absent would cause the join to fail or return nulls for the Teams findings branch of the union isfuzzy=true EmailFindings, TeamsFindings result set.

New Hunting Queries (3 added, referenced in ReleaseNotes):

  • Hunt for RMM tool execution following Teams messages (T1219)
  • Hunt for alerts correlated with Teams messages
  • Identify acting user for reported phish (T1566)

These queries are listed in the release notes but their YAML files are not present in the diff – only packaging artefacts (mainTemplate.json, createUiDefinition.json) reflect their addition.

Detection Logic

Connector ID fix queries: Primary table is EmailEvents. Logic unchanged – only the connectorId prerequisite metadata was corrected from OfficeATP to MicrosoftThreatProtection.

Punycode query: Joins suspicious punycode domain results against MessageEvents (Teams) via TeamsMessageId. The column_ifexists() additions are a schema-safety guard, not a logic change. The union of EmailFindings and TeamsFindings is preserved.

Security Impact (Visibility and Fidelity)

The connector ID mismatch on three queries is a metadata fidelity gap: customers using the Defender XDR connector (correct) but not the legacy OfficeATP connector would see these queries flagged as having unsatisfied data source requirements. In environments where this suppressed query visibility, phishing delivery and spoofing detections against EmailEvents may have gone unexecuted.

The column_ifexists() fix in the Punycode query ensures the Teams findings branch does not silently drop rows when schema fields are absent – previously, an environment whose MessageEvents schema lacked those columns would cause a runtime error or null expansion in the project clause, effectively blinding the Teams path of this phishing domain detection.

Data Connector Update

The MicrosoftThreatProtection.JSON connector definition adds “Microsoft Defender XDR” as an accepted ProductName value in three KQL filters: the connectivity metric baseQuery, the sample query for alerts, and the lastDataReceivedQuery for the SecurityAlert data type. Without this addition, SecurityAlert rows tagged with ProductName == “Microsoft Defender XDR” were excluded from the connector health check and sample query results – a data visibility gap in the connector UI, not in raw ingestion.

MITRE Mapping

  • T1566 – Phishing (email delivery hunting queries, phish reporter identity query)
  • T1219 – Remote Access Software (RMM tool execution via Teams query)
  • T1078 – Valid Accounts (referenced in PR MITRE metadata)

Affected Files

Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON
Solutions/Microsoft Defender XDR/Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/Email and Collaboration Queries/Phish/Punycode chars lookalike domains.yaml
Solutions/Microsoft Defender XDR/Hunting Queries/EmailDelivered-ToInbox.yaml
(packaging artefacts: 3.0.15.zip, ReleaseNotes.md, Solution_Microsoft Defender XDR.json, createUiDefinition.json, mainTemplate.json)