Query Details

MDE MD365 Email Attachments Sent From Compromised Mailbox

Query

# Find all attachments that have been sent from a compromised mailbox and on which devices a file with the same SHA256 has since been observed.
----
### Defender For Endpoint

```
let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where Timestamp > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
// Both tables hold one row per recipient, so join on the recipient as well as the
// message id; joining on NetworkMessageId alone multiplies rows across recipients.
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(SearchWindow)
  ) on NetworkMessageId, RecipientEmailAddress
| project
     Timestamp,
     NetworkMessageId,
     SenderFromAddress,
     RecipientEmailAddress,
     Subject,
     ThreatTypes,
     SHA256
// Bound the device-side lookup to the same window; an unfiltered DeviceFileEvents
// join scans the whole retention period. leftouter keeps emails with no device hit.
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(SearchWindow)
    | where isnotempty(SHA256)
    | project SHA256, DeviceName
  ) on SHA256
| summarize
     EmailRecipients = make_set(RecipientEmailAddress),
     Subject = make_set(Subject),
     FileOnDevices = make_set(DeviceName)
     by SHA256, NetworkMessageId
| extend
     TotalRecipients = array_length(EmailRecipients),
     DeviceWithFileInteraction = array_length(FileOnDevices)
```
### Sentinel
```
let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h; //Customizable h = hours, d = days
EmailEvents
| where TimeGenerated > ago(SearchWindow)
| where SenderFromAddress == CompromisedMailbox
| where AttachmentCount > 0
// Both tables hold one row per recipient, so join on the recipient as well as the
// message id; joining on NetworkMessageId alone multiplies rows across recipients.
| join kind=leftouter (
    EmailAttachmentInfo
    | where TimeGenerated > ago(SearchWindow)
  ) on NetworkMessageId, RecipientEmailAddress
| project
     TimeGenerated,
     NetworkMessageId,
     SenderFromAddress,
     RecipientEmailAddress,
     Subject,
     ThreatTypes,
     SHA256
// Bound the device-side lookup to the same window; an unfiltered DeviceFileEvents
// join scans the whole retention period. leftouter keeps emails with no device hit.
| join kind=leftouter (
    DeviceFileEvents
    | where TimeGenerated > ago(SearchWindow)
    | where isnotempty(SHA256)
    | project SHA256, DeviceName
  ) on SHA256
| summarize
     EmailRecipients = make_set(RecipientEmailAddress),
     Subject = make_set(Subject),
     FileOnDevices = make_set(DeviceName)
     by SHA256, NetworkMessageId
| extend
     TotalRecipients = array_length(EmailRecipients),
     DeviceWithFileInteraction = array_length(FileOnDevices)
```

Explanation

The query lists every attachment sent from the compromised mailbox within the search window and then checks on which onboarded devices a file with the same SHA256 has appeared. It first joins EmailEvents to EmailAttachmentInfo to obtain the timestamp, network message ID, sender, recipient, subject, threat types and SHA256 hash of each attachment, then joins that result to DeviceFileEvents on the hash to find the devices involved. Finally it summarizes by SHA256 and network message ID, producing the set of recipients, the set of subjects, the set of device names, and the counts TotalRecipients and DeviceWithFileInteraction. Two caveats matter when reading the output. DeviceFileEvents records file creation, modification, rename and delete events, so a device hit means the attachment was written to disk (saved, downloaded, or cached by the mail client), not necessarily that it was opened or executed; for executable attachments, DeviceProcessEvents on the same SHA256 is the place to confirm execution. Matching is by hash only, so files extracted from an archive attachment carry different hashes and will not be linked back to the email. Because the joins are leftouter, emails whose attachment never reached a device are still returned with an empty FileOnDevices set.
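Once the summary above has identified which hashes reached endpoints, the next question is where each file landed, under which account, and whether Defender for Office 365 had already blocked or quarantined the message. The following query is an added example, not part of the original page or of the author's query set, and uses the Defender for Endpoint column names (swap Timestamp for TimeGenerated in Sentinel). The mailbox address is the same placeholder as above. The `SuspectAttachments` and `RecipientsPerHash` names are mine, and the Content.Outlook folder check is a heuristic assumption: Outlook writes attachments to that temporary folder when a user opens or previews them, so a hit there is a stronger "opened" signal than a file in Downloads.

```kql
// Added example (not part of the original query): triage where the attachment landed,
// under which account, and whether the message was actually delivered.
let CompromisedMailbox = "[email protected]";
let SearchWindow = 48h;
// One row per recipient and attachment; inner join drops messages with no attachment rows.
let SuspectAttachments =
    EmailEvents
    | where Timestamp > ago(SearchWindow)
    | where SenderFromAddress == CompromisedMailbox
    | where AttachmentCount > 0
    | join kind=inner (
        EmailAttachmentInfo
        | where Timestamp > ago(SearchWindow)
        | where isnotempty(SHA256)
        | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
      ) on NetworkMessageId, RecipientEmailAddress
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation, ThreatTypes, FileName, FileType, SHA256;
// Intended recipients per hash (hypothetical helper name), lower-cased for comparison with UPNs.
let RecipientsPerHash =
    SuspectAttachments
    | summarize Recipients = make_set(tolower(RecipientEmailAddress)) by SHA256;
// Device-side sightings of the same hashes within the window.
DeviceFileEvents
| where Timestamp > ago(SearchWindow)
| where isnotempty(SHA256)
| where SHA256 in ((SuspectAttachments | distinct SHA256))
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| join kind=inner RecipientsPerHash on SHA256
| extend AccountUpn = tolower(InitiatingProcessAccountUpn)
| extend
    // Assumption (heuristic): Outlook caches attachments here when a user opens or previews them.
    OpenedFromOutlook = FolderPath contains @"\Content.Outlook\",
    // Written by a browser download (for example OWA); the origin URL is recorded by the sensor.
    SavedFromBrowser = isnotempty(FileOriginUrl),
    // File written under an account that was never a recipient: internal forward, file share, or another path.
    AccountNotARecipient = isnotempty(AccountUpn) and not(set_has_element(Recipients, AccountUpn))
| project Timestamp, DeviceName, AccountUpn, ActionType, FolderPath, FileName,
          InitiatingProcessFileName, SHA256, OpenedFromOutlook, SavedFromBrowser, AccountNotARecipient
// Attach the delivery verdicts so already-blocked or quarantined messages can be deprioritised.
| join kind=inner (
    SuspectAttachments
    | summarize DeliveryActions = make_set(DeliveryAction),
                DeliveryLocations = make_set(DeliveryLocation),
                Subjects = make_set(Subject) by SHA256
  ) on SHA256
| project-away SHA2561
| order by AccountNotARecipient desc, OpenedFromOutlook desc, Timestamp asc
```

Rows with AccountNotARecipient set to true sort first because they point at spread beyond the original distribution list and deserve a look before the expected recipient hits. A DeliveryActions set containing only "Blocked" or a DeliveryLocations set of "Quarantine" with no device rows means the filtering stack already contained that message; device rows for such a hash indicate the file arrived by some other route and need explaining.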

Details


Bert-Jan Pals

Released: May 10, 2023

Tables

EmailEvents, EmailAttachmentInfo, DeviceFileEvents

Keywords

Attachments, CompromisedMailbox, Devices, EmailEvents, EmailAttachmentInfo, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, ThreatTypes, SHA256, DeviceFileEvents, EmailRecipients, FileOnDevices, TotalRecipients, DeviceWithFileInteraction, TimeGenerated

Operators

where, join, project, summarize, make_set, by, extend, ago