KQL Search

Query Details

HomeAI ToolsDevice Query

Email Events Find Users Who Read Malicious Email

Query

//When a malicious email is received, list all the users who received it and all the users who read it

//Data connector required for this query - M365 Defender - Email* tables
//Data connector required for this query - Office 365

//First find all the users who received the email
EmailEvents
| where EmailDirection == "Inbound"
//Add in your malicious subject or malicious sender address
| where Subject == "Malicious Subject Name" or SenderFromAddress == "[email protected]"
| project RecipientEmailAddress, Subject, InternetMessageId, SenderFromAddress
//Combine that data with the OfficeActivity table which tracks whether an email was accessed
| join kind=inner (
    OfficeActivity
    | where Operation == "MailItemsAccessed"
    | mv-expand todynamic(Folders)
    | extend FolderItems = Folders.FolderItems
    | mv-expand FolderItems
    | extend InternetMessageId = tostring(FolderItems.InternetMessageId)
    | project UserId, InternetMessageId
    )
    on InternetMessageId
//Create summary of data listing the count and all the users who received the email vs the list and count of those that read it
| summarize
    ['Receipient Count']=dcount(RecipientEmailAddress),
    ['Users Who Received Email']=make_set(RecipientEmailAddress),
    ['Reader Count']=dcount(UserId),
    ['Users Who Read Email']=make_set(UserId)
    by SenderFromAddress, Subject, InternetMessageId

Explanation

This query is used to identify users who received a malicious email and users who read it. It combines data from the EmailEvents table and the OfficeActivity table.

First, it filters the EmailEvents table to find inbound emails with a specific malicious subject or sender address. It then selects the recipient email addresses, subject, internet message ID, and sender address.

Next, it joins this data with the OfficeActivity table, which tracks email access. It expands the Folders column, expands the FolderItems column, and extracts the internet message ID. It selects the user ID and internet message ID.

Finally, it summarizes the data by counting the number of recipients and readers. It also creates sets of the users who received the email and the users who read it. The summary includes the sender address, subject, and internet message ID.

Details

Matt Zorich profile picture

Matt Zorich

Released: June 17, 2022

Tables

EmailEventsOfficeActivity

Keywords

EmailEvents,OfficeActivity

Operators

whereorprojectjoinkind=innerwheremv-expandextendprojectonsummarizedcountmake_setby

Actions