Query Details

Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.

MDE MD365 Email Attachments Send From Compromised Mailbox

Query

let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where TimeGenerated > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project
     TimeGenerated,
     NetworkMessageId,
     SenderFromAddress,
     RecipientEmailAddress,
     Subject,
     ThreatTypes,
     SHA256
| join kind=leftouter DeviceFileEvents on SHA256
| summarize
     EmailReciepients = make_set(RecipientEmailAddress),
     Subject= make_set(Subject),
     FileOnDevices = make_set(DeviceName)
     by SHA256, NetworkMessageId
| extend
     TotalReciepients = array_length(EmailReciepients),
     DeviceWithFileInteraction = array_length(FileOnDevices)

About this query

Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.


Defender XDR

let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where Timestamp > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project
     Timestamp,
     NetworkMessageId,
     SenderFromAddress,
     RecipientEmailAddress,
     Subject,
     ThreatTypes,
     SHA256
| join kind=leftouter DeviceFileEvents on SHA256
| summarize
     EmailReciepients = make_set(RecipientEmailAddress),
     Subject= make_set(Subject),
     FileOnDevices = make_set(DeviceName)
     by SHA256, NetworkMessageId
| extend
     TotalReciepients = array_length(EmailReciepients),
     DeviceWithFileInteraction = array_length(FileOnDevices)

Sentinel

Explanation

This query is designed to identify and analyze email attachments sent from a compromised email account and determine which devices have interacted with those attachments. Here's a simplified breakdown of what the query does:

  1. Define Parameters:

    • It specifies a compromised email address ([email protected]) and a time window of 48 hours to search within.
  2. Filter Emails:

    • It searches for emails sent from the compromised email address within the last 48 hours.
    • It filters for emails that have attachments.
  3. Join Email and Attachment Data:

    • It combines email data with attachment information using a common identifier (NetworkMessageId).
  4. Project Relevant Information:

    • It selects specific fields such as the time the email was sent, the sender's address, recipient addresses, email subject, threat types, and the attachment's unique identifier (SHA256).
  5. Join with Device Data:

    • It links the attachment data with device file events using the attachment's unique identifier to see which devices have interacted with the attachment.
  6. Summarize Results:

    • It groups the results by attachment and email identifiers, listing all recipients of the email and all devices that interacted with the attachment.
    • It calculates the total number of recipients and the number of devices that interacted with the attachment.

This query is useful for security investigations to track potentially malicious attachments sent from a compromised account and identify which devices might be at risk due to interaction with those attachments.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

EmailEventsEmailAttachmentInfoDeviceFileEvents

Keywords

AttachmentsMailboxDevicesEmailThreats

Operators

letagowherejoinprojectsummarizemake_setbyextendarray_length

Actions

GitHub