New Rules: Microsoft Defender for Office 365 #5849

Open
Luke57 wants to merge 8 commits into SigmaHQ:master from Luke57:m365_suspicious_internal_email

Conversation

@Luke57 Luke57 commented Jan 31, 2026

Summary of the Pull Request

This PR adds three new detection rules for Microsoft 365 logs targeting the ThreatIntelligence workload within the audit service.

Internal Phishing: This rule catches malicious emails sent between internal accounts (Intraorg). It’s designed to spot compromised users trying to move laterally via phishing or malware.

Blocked Malicious Links: Tracks when Defender’s Safe Links successfully steps in. It logs whenever a user is stopped from opening a bad URL or held on a detonation page.

User Bypasses: It flags cases where a user sees the security warning but decides to click through to the site.

Changelog

new: Microsoft Defender For Office Suspicious Lateral Email
new: Microsoft Defender For Office Malicious URL Blocked
new: Microsoft Defender For Office Malicious URL Block Bypassed By User

Example Log Event

Lateral Email Flow (TIMailData)

{
  "CreationTime": "2026-01-28T12:12:33",
  "Id": "11111111-2222-3333-4444-555555555555",
  "Operation": "TIMailData",
  "OrganizationId": "00000000-0000-0000-0000-000000000000",
  "RecordType": 28,
  "UserKey": "ThreatIntel",
  "UserType": 4,
  "Version": 1,
  "Workload": "ThreatIntelligence",
  "ObjectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee11111111111111111111",
  "UserId": "ThreatIntel",
  "AdditionalActionsAndResults": [
    "OriginalDelivery: [N/A]"
  ],
  "AttachmentData": [
    {
      "FileName": "image001.png",
      "FileType": "png",
      "FileVerdict": 0,
      "SHA256": "795959370845b83eee7481fa62a5b4920ab01b912d4977dcc74bdafded41161b"
    }
  ],
  "AuthDetails": [
    {
      "Name": "DKIM",
      "Value": "None"
    },
    {
      "Name": "DMARC",
      "Value": "None"
    }
  ],
  "DeliveryAction": "Blocked",
  "DetectionMethod": "URL detonation reputation",
  "DetectionType": "Inline",
  "Directionality": "Intraorg",
  "EventDeepLink": "https://security.microsoft.com/?hash=/threatexplorer?messageParams=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee-11111111111111111111-1,2026-01-28T00:00:00,2026-01-28T23:59:59&view=Phish",
  "InternetMessageId": "<[email protected]>",
  "LatestDeliveryLocation": "Quarantine",
  "MessageTime": "2026-01-28T12:10:14",
  "NetworkMessageId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "OriginalDeliveryLocation": "Quarantine",
  "P1Sender": "[email protected]",
  "P2Sender": "[email protected]",
  "PhishConfidenceLevel": "High",
  "Policy": "HighConfidencePhish",
  "PolicyAction": "Quarantine",
  "Recipients": [
    "[email protected]"
  ],
  "SenderIp": "2001:db8:0:0:0:0:0:1",
  "Subject": "Sample Subject",
  "SystemOverrides": [],
  "ThreatsAndDetectionTech": [
    "Phish: [URL detonation reputation]"
  ],
  "Verdict": "Phish"
}

URL Click Interaction (TIUrlClickData)

{
  "CreationTime": "2026-02-17T07:31:44",
  "Id": "00000000-0000-0000-0000-000000000000",
  "Operation": "TIUrlClickData",
  "OrganizationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "RecordType": 41,
  "UserKey": "ThreatIntel",
  "Workload": "ThreatIntelligence",
  "UserId": "[email protected]",
  "AppName": "Mail",
  "TimeOfClick": "2026-02-17T07:31:14",
  "Url": "https://malicious-domain.top/auth/reset?token=REDACTED&[email protected]",
  "UrlClickAction": 2,
  "UserIp": "192.0.2.1"
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions
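As an added illustration (not the PR's own rule YAML), the three detections described above expressed as a small matcher run over constructed events shaped like the two samples, plus a per-user grouping so a lateral phish and a later click-through by the same recipient are seen together. The `UrlClickAction` code meanings and the `Malware` verdict are assumptions; the PR page itself shows only `UrlClickAction: 2` and `Verdict: Phish`.

```python
# Constructed sample events, shaped like the two redacted examples in the PR
# (field names from the ThreatIntelligence workload; all values are made up).
LATERAL_EMAIL_EVENT = {
    "Workload": "ThreatIntelligence", "Operation": "TIMailData",
    "Directionality": "Intraorg", "Verdict": "Phish",
    "DeliveryAction": "Blocked", "LatestDeliveryLocation": "Quarantine",
    "P1Sender": "user1@example.com", "Recipients": ["user2@example.com"],
}
URL_CLICK_EVENT = {
    "Workload": "ThreatIntelligence", "Operation": "TIUrlClickData",
    "UserId": "user2@example.com", "AppName": "Mail",
    "Url": "https://malicious-domain.example/auth/reset", "UrlClickAction": 4,
}

# Assumed UrlClickAction codes (recalled from the Office 365 Management
# Activity API schema: 2 Allowed, 3 Blocked, 4 ClickedEvenBlocked); the PR
# page only shows the value 2, so confirm these against the schema in use.
CLICK_BLOCKED = 3
CLICK_EVEN_BLOCKED = 4
# "Phish" is on the page; "Malware" is assumed from the PR's description.
MALICIOUS_VERDICTS = {"Phish", "Malware"}


def matched_rules(event: dict) -> list[str]:
    """Return the titles of the PR's three rules that one audit record satisfies."""
    hits: list[str] = []
    if event.get("Workload") != "ThreatIntelligence":
        return hits  # logsource filter: only Defender for Office 365 records
    op = event.get("Operation")
    if (op == "TIMailData" and event.get("Directionality") == "Intraorg"
            and event.get("Verdict") in MALICIOUS_VERDICTS):
        hits.append("Microsoft Defender For Office Suspicious Lateral Email")
    if op == "TIUrlClickData":
        action = event.get("UrlClickAction")
        if action == CLICK_BLOCKED:
            hits.append("Microsoft Defender For Office Malicious URL Blocked")
        elif action == CLICK_EVEN_BLOCKED:
            hits.append("Microsoft Defender For Office Malicious URL Block Bypassed By User")
    return hits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group rule hits by the affected user: mail records by first recipient,
    click records by UserId, so a blocked lateral phish followed by a bypassed
    Safe Links warning for the same person stands out during review."""
    by_user: dict[str, list[str]] = {}
    for evt in events:
        for title in matched_rules(evt):
            user = evt.get("UserId") or (evt.get("Recipients") or ["<unknown>"])[0]
            by_user.setdefault(user, []).append(title)
    return by_user
```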

@github-actions github-actions bot added Rules Review Needed The PR requires review labels Jan 31, 2026
@Luke57 Luke57 changed the title New Rule: Microsoft Defender For Office Suspicious Lateral Email New Rules: Microsoft Defender For Office 365 Feb 18, 2026
@Luke57 Luke57 changed the title New Rules: Microsoft Defender For Office 365 New Rules: Microsoft Defender for Office 365 Feb 19, 2026

Luke57 commented Feb 23, 2026

For clarification, added two additional MDO rules.
