JeremyTBradshaw, that looks like a really good method of quickly querying the data.
I changed this slightly to only return when the "SenderFromAddress" count is above 2000; this lets me query for the full 30 days available via Defender.
// Accepted domains to scope the search to; replace with your own tenant's domains
let acceptedDomains = datatable (domain: string) [@'AcceptedDomain1.ca', @'AcceptedDomain2.ca'];
EmailEvents
// Keep only messages generated within Exchange Online
| where InternetMessageId endswith "PROD.OUTLOOK.COM>"
// Outbound mail from one of our accepted domains (case-insensitive match)
| where EmailDirection =~ 'Outbound' and SenderFromDomain in~ (acceptedDomains)
// Count messages per sender per day; summarize count() names the column count_
| summarize count() by SenderFromAddress, bin(Timestamp, 1d)
// Only return sender/day pairs above the 2000 threshold
| where count_ > 2000
We also collect the same O365 audit logs into Sentinel, so we have 90 days' worth (as it's free to ingest and retain these for 90 days with an E3 licence), so it's possible to query for the last 90 days.
Many thanks for this; it looks like it will give us a full year's worth of data if we run it every 90 days until the change.
Unless I've done anything wrong!
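The same idea carried over to the 90-day Sentinel window, as an added example that is not part of the original post or of JeremyTBradshaw's query: instead of listing every sender/day pair over the threshold, it reduces the result to one row per sender showing the busiest day and how many days crossed the threshold, which is easier to review when the window is long. It assumes the EmailEvents table is present in the Sentinel workspace with the same columns as in Defender (Timestamp, SenderFromAddress, SenderFromDomain, EmailDirection, InternetMessageId), and the accepted domains are placeholders.

```kql
// Added example (not from the original post). Assumes EmailEvents exists in the
// Sentinel workspace with the Defender schema; domain names are placeholders.
let threshold = 2000;
let lookback = 90d;
let acceptedDomains = datatable (domain: string) [@'AcceptedDomain1.ca', @'AcceptedDomain2.ca'];
EmailEvents
// Restrict to the retention window available in Sentinel
| where Timestamp > ago(lookback)
// Same scoping as the original query: Exchange Online-generated outbound mail
| where InternetMessageId endswith "PROD.OUTLOOK.COM>"
| where EmailDirection =~ 'Outbound' and SenderFromDomain in~ (acceptedDomains)
// Step 1: messages per sender per day
| summarize DailyCount = count() by SenderFromAddress, Day = bin(Timestamp, 1d)
// Step 2: collapse to one row per sender: the peak day (arg_max returns
// DailyCount and Day for the maximum) plus the number of days over threshold
| summarize DaysOverThreshold = countif(DailyCount > threshold), arg_max(DailyCount, Day) by SenderFromAddress
// Keep only senders whose peak day exceeded the threshold
| where DailyCount > threshold
| project SenderFromAddress, PeakDay = Day, PeakDailyCount = DailyCount, DaysOverThreshold
| order by PeakDailyCount desc
```

Run this once per 90-day window and keep the output; together with the Defender 30-day query it gives the per-sender history without having to page through thousands of sender/day rows.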