MTP Advanced Hunting – Public free E-Mail services

Today I received an e-mail from a customer explaining to me that at times they have false positives with e-mail impersonation. Depending on your configuration, the e-mail will end up being moved to the user’s junk folder or into quarantine. When you release such a message and have safety tips turned on, you might see the following message at the top of the message.

Reading Tip: Protect yourself from phishing schemes and other forms of online fraud

This can happen when, for example, a co-worker who works on a project for a client has an identity created within the customer’s environment. When John Doe who works with me at sends me an e-mail as it’s very likely that Office ATP identifies this as an impersonation attempt. The case of my customer was that a senior person was sending e-mail to themselves from their personal e-mail account. Example: sends e-mail to

This triggered the idea to write some MTP advanced hunting queries on public free e-mail services. In the first query, I am going to look at the e-mail received from free e-mail services.

The variable emailservicedomains contains a list of the most popular free e-mail services across the globe.

What we get is a list of all the e-mail received from the defined e-mail domains.

By adding | render piechart at the end of the query we get a nice graph.
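
An added example of this kind of query, not the author's original: it counts inbound mail per free e-mail domain and goes slightly further by also counting phish verdicts, user-impersonation detections, and messages where the sender and recipient share the same local part (the "personal account to work account" case described above). Column names follow the current EmailEvents schema; the shortened domain list, the sample rows, and the "Impersonation user" match string are assumptions.

```kql
// Added example, not the author's query. The domain list is an assumed, shortened one.
let emailservicedomains = dynamic(["gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "gmx.net"]);
// Constructed sample rows using EmailEvents column names, so the query runs in any Kusto environment.
let SampleEmailEvents = datatable(
    Timestamp: datetime, SenderFromAddress: string, SenderFromDomain: string,
    RecipientEmailAddress: string, EmailDirection: string,
    ThreatTypes: string, DetectionMethods: string)
[
    datetime(2024-01-10 08:00:00), "jane.roe@gmail.com", "gmail.com", "jane.roe@corp.example", "Inbound", "Phish", '{"Phish":["Impersonation user"]}',
    datetime(2024-01-10 09:15:00), "newsletter@gmail.com", "gmail.com", "bob@corp.example", "Inbound", "", "",
    datetime(2024-01-11 10:30:00), "j.roe@outlook.com", "outlook.com", "alice@corp.example", "Inbound", "Phish", '{"Phish":["Impersonation user"]}',
    datetime(2024-01-11 11:00:00), "alice@corp.example", "corp.example", "alice.p@yahoo.com", "Outbound", "", "",
    datetime(2024-01-12 14:45:00), "partner@vendor.example", "vendor.example", "bob@corp.example", "Inbound", "", ""
];
SampleEmailEvents   // in your tenant, use: EmailEvents | where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where SenderFromDomain in~ (emailservicedomains)
// Local parts (text before the @) of sender and recipient, lower-cased for comparison.
| extend SenderLocal = tolower(tostring(split(SenderFromAddress, "@")[0])),
         RecipientLocal = tolower(tostring(split(RecipientEmailAddress, "@")[0]))
| summarize
    Received = count(),
    FlaggedPhish = countif(ThreatTypes has "Phish"),
    // Assumed match string; check the DetectionMethods values in your own data.
    UserImpersonation = countif(DetectionMethods contains "Impersonation user"),
    // Heuristic only: same local part suggests someone mailing themselves from a personal account.
    SameLocalPart = countif(SenderLocal == RecipientLocal)
    by SenderFromDomain
| order by Received desc
// For the chart, append: | project SenderFromDomain, Received | render piechart
```

A high SameLocalPart count next to UserImpersonation points at likely false positives worth reviewing before tuning the anti-phishing policy; it is a triage hint, not proof that the sender is legitimate.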

Now let’s turn things around and take a look at how much e-mail is sent to free e-mail service domains.

What we get is a list of all the e-mail sent to the defined e-mail domains.

Next, let’s take a look at emails where user impersonation was detected.

For privacy reasons, I can’t show you the output of the above query, but I suggest you run it in your domain and look at the results.

Office ATP has several phish detection methods, so simply change the query as shown below to get a list of possible methods detected.

Change the query as follows to identify the affected users.

As always, I hope you enjoyed reading this blog post. Comments and suggestions are always welcome.

