Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.
MDE MD365 Email Attachments Send From Compromised Mailbox
Query
let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where TimeGenerated > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project
TimeGenerated,
NetworkMessageId,
SenderFromAddress,
RecipientEmailAddress,
Subject,
ThreatTypes,
SHA256
| join kind=leftouter DeviceFileEvents on SHA256
| summarize
EmailReciepients = make_set(RecipientEmailAddress),
Subject= make_set(Subject),
FileOnDevices = make_set(DeviceName)
by SHA256, NetworkMessageId
| extend
TotalReciepients = array_length(EmailReciepients),
DeviceWithFileInteraction = array_length(FileOnDevices)About this query
Find all attachments that have been send from a compromised mailbox and which devices have opened that attachment.
Defender XDR
let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where Timestamp > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
| join kind=leftouter EmailAttachmentInfo on NetworkMessageId
| project
Timestamp,
NetworkMessageId,
SenderFromAddress,
RecipientEmailAddress,
Subject,
ThreatTypes,
SHA256
| join kind=leftouter DeviceFileEvents on SHA256
| summarize
EmailReciepients = make_set(RecipientEmailAddress),
Subject= make_set(Subject),
FileOnDevices = make_set(DeviceName)
by SHA256, NetworkMessageId
| extend
TotalReciepients = array_length(EmailReciepients),
DeviceWithFileInteraction = array_length(FileOnDevices)
Sentinel
Explanation
This query is designed to identify and analyze email attachments sent from a compromised email account and determine which devices have interacted with those attachments. Here's a simplified breakdown of what the query does:
-
Define Parameters:
- It specifies a compromised email address (
[email protected]) and a time window of 48 hours to search within.
- It specifies a compromised email address (
-
Filter Emails:
- It searches for emails sent from the compromised email address within the last 48 hours.
- It filters for emails that have attachments.
-
Join Email and Attachment Data:
- It combines email data with attachment information using a common identifier (
NetworkMessageId).
- It combines email data with attachment information using a common identifier (
-
Project Relevant Information:
- It selects specific fields such as the time the email was sent, the sender's address, recipient addresses, email subject, threat types, and the attachment's unique identifier (
SHA256).
- It selects specific fields such as the time the email was sent, the sender's address, recipient addresses, email subject, threat types, and the attachment's unique identifier (
-
Join with Device Data:
- It links the attachment data with device file events using the attachment's unique identifier to see which devices have interacted with the attachment.
-
Summarize Results:
- It groups the results by attachment and email identifiers, listing all recipients of the email and all devices that interacted with the attachment.
- It calculates the total number of recipients and the number of devices that interacted with the attachment.
This query is useful for security investigations to track potentially malicious attachments sent from a compromised account and identify which devices might be at risk due to interaction with those attachments.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
EmailEventsEmailAttachmentInfoDeviceFileEvents
Keywords
AttachmentsMailboxDevicesEmailThreats
Operators
letagowherejoinprojectsummarizemake_setbyextendarray_length