Kusto Queries for Advanced Hunting in Defender XDR


Sometimes Defender's Threat Explorer doesn't quite get you there. Sometimes you want to take a search and back it up with some automation. Here are some KQL queries that I keep handy for scenarios like that.

Hunting for emails with a URL that contains a pattern

KQL

EmailUrlInfo
// contains is a case-insensitive substring match; has is indexed and faster but only matches whole terms
| where Url contains "https://someURLyouareHunting"
| join kind=inner (
    EmailEvents
    // EmailEvents has one row per recipient, so a message sent to several people returns several rows
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url
| order by Timestamp desc
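If you want to run this hunt from a script rather than pasting it into the portal (the automation mentioned above), the pattern usually comes from somewhere else, such as a ticket, a feed or a CLI argument, and gets interpolated into the query. The example below is added here and is not code from the original post; it builds the query above for a given pattern, quotes the pattern as a proper KQL string literal so that a stray `"` cannot break out of the literal and append its own operators, validates the lookback before it is interpolated unquoted, and submits the result to the Microsoft Graph `runHuntingQuery` endpoint. It assumes you already have a Graph access token with the `ThreatHunting.Read.All` permission in the `GRAPH_TOKEN` environment variable; token acquisition is out of scope.

```python
"""Run the EmailUrlInfo/EmailEvents URL hunt from a script.

Added example, not from the original post. Assumes a Graph access token
with ThreatHunting.Read.All in the GRAPH_TOKEN environment variable.
"""
import json
import os
import re
import urllib.request

# Microsoft Graph advanced-hunting endpoint; body is {"Query": "<KQL>"}
GRAPH_HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"


def kql_string(value):
    """Quote an arbitrary value as a KQL double-quoted string literal.

    KQL string literals use backslash escapes, so backslashes, double quotes
    and line breaks inside the value must be escaped. Without this, a pattern
    such as  x" or 1==1 //  would terminate the literal and change the query.
    """
    escaped = (
        value.replace("\\", "\\\\")
        .replace('"', '\\"')
        .replace("\n", "\\n")
        .replace("\r", "\\r")
        .replace("\t", "\\t")
    )
    return '"' + escaped + '"'


def build_url_hunt(pattern, lookback="30d"):
    """Build the URL hunt from the post for one pattern and one lookback window."""
    if len(pattern) < 3:
        # contains on a one- or two-character pattern matches almost everything
        raise ValueError("pattern must be at least 3 characters")
    # lookback is interpolated unquoted inside ago(), so only accept <digits><unit>
    if not re.fullmatch(r"\d+[mhd]", lookback):
        raise ValueError("lookback must look like 30d, 12h or 45m")
    return (
        "EmailUrlInfo\n"
        f"| where Timestamp > ago({lookback})\n"
        f"| where Url contains {kql_string(pattern)}\n"
        "| join kind=inner (\n"
        "    EmailEvents\n"
        f"    | where Timestamp > ago({lookback})\n"
        "    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Timestamp\n"
        ") on NetworkMessageId\n"
        "| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, Url\n"
        "| order by Timestamp desc"
    )


def run_hunt(query, token):
    """POST the query to Graph and return the result rows (list of dicts)."""
    req = urllib.request.Request(
        GRAPH_HUNT_URL,
        data=json.dumps({"Query": query}).encode("utf-8"),
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp).get("results", [])


if __name__ == "__main__":
    query = build_url_hunt("https://someURLyouareHunting", "30d")
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        # No token: just show the query that would be submitted
        print(query)
    else:
        for row in run_hunt(query, token):
            print(row["Timestamp"], row["SenderFromAddress"],
                  row["RecipientEmailAddress"], row["Url"])
```

Without `GRAPH_TOKEN` set the script only prints the generated KQL, which is a convenient way to check the quoting before you let it touch the tenant. Note that the escaping only protects the string literal; anything interpolated outside quotes (the lookback here) still needs its own allow-list check, which is why `build_url_hunt` rejects anything that is not digits followed by m, h or d.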

Sender Impersonation Searches

KQL

EmailEvents
// == and != are case-sensitive; use =~ and !~ if the display name or domain may be cased differently
| where SenderDisplayName == "Something" and SenderFromDomain != "something.com" and EmailDirection == "Inbound" and DeliveryAction == "Delivered"
| project Timestamp, SenderFromAddress, SenderDisplayName, Subject, RecipientEmailAddress, DeliveryAction, DeliveryLocation, NetworkMessageId, ReportId

KQL

EmailEvents
// looser variant: substring match on domain or display name, limited to mail that landed in the Inbox
| where (SenderFromDomain contains "something" or SenderDisplayName contains "something") and SenderFromDomain != "something.com" and EmailDirection == "Inbound" and DeliveryLocation == "Inbox/folder"
| project Timestamp, SenderFromAddress, SenderFromDomain, Subject, RecipientEmailAddress, DeliveryAction, DeliveryLocation
| sort by Timestamp desc

"Shared with you..." Email Searches

KQL

EmailEvents
// exclude senders you expect "has shared" mail from; everything else with that subject in the Inbox is suspect
| where Timestamp > ago(30d) and not(
    SenderFromAddress has "something.com" or
    SenderFromAddress has "google.com" or
    SenderFromAddress has "facebookmail.com"
    ) and 
    Subject contains "has shared" and
    LatestDeliveryLocation == "Inbox/folder"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject
| sort by Timestamp desc

Email subject search where the sender address is not from a given domain

KQL

EmailEvents
| where Timestamp > ago(30d)
// external senders only (!contains is case-insensitive); has "wire transfer" matches the phrase as whole terms
| where SenderFromAddress !contains "something.com" and 
        Subject has "wire transfer"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, LatestDeliveryLocation, ReportId
| sort by Timestamp desc

Scammy/Phishing Emails that were delivered to a mailbox

KQL

EmailEvents
// a pipe in the display name is the lure pattern this hunt keys on; the !in list drops mail that never reached a user
| where SenderDisplayName contains "|" and 
        LatestDeliveryLocation !in ("Quarantine", "Deleted items", "On-premises/external", "Forwarded") 
| project Timestamp, SenderFromAddress, SenderDisplayName, SenderFromDomain, Subject, LatestDeliveryLocation, RecipientEmailAddress
| sort by Timestamp desc