Query Details

MDO Hunting - ZAP Gaps - Threats Detected After Delivery

MDO 10 ZAP Gaps Post Delivery Threats

Query

EmailPostDeliveryEvents
| where Timestamp > ago(7d)
| where Action has "ZAP" or ActionType has "ZAP"
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Action, ActionType,
          ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes
| sort by Timestamp desc

Explanation

This query is designed to identify emails that were delivered but later flagged by Zero-hour Auto Purge (ZAP) as threats. It focuses on emails that ZAP could not successfully remove, highlighting potential ongoing risks. Here's a simple breakdown:

  1. Purpose: To find emails that were delivered and later identified as threats by ZAP, specifically those that ZAP failed to remove.

  2. Data Source: It uses data from the EmailPostDeliveryEvents table, which records events related to emails after they have been delivered.

  3. Time Frame: The query looks at events from the past 7 days.

  4. Key Actions: It filters for actions related to ZAP, either in the Action or ActionType fields.

  5. Output: The query projects specific fields such as the timestamp, message ID, recipient's email, action details, delivery location, and threat types.

  6. Sorting: Results are sorted by the timestamp in descending order, showing the most recent events first.

  7. Focus: The main focus is on entries where the ActionResult is not "Success," indicating that the malicious email was not successfully removed and may still pose a risk.

This query helps security teams identify and address potential threats that have bypassed initial defenses and remain in users' mailboxes.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailPostDeliveryEvents

Keywords

EmailPostDeliveryEventsTimestampNetworkMessageIdRecipientEmailAddressActionActionTypeActionTriggerActionResultDeliveryLocationThreatTypes

Operators

wherehasorprojectsort bydesc

Tactics

InitialAccess

MITRE Techniques

Actions

GitHub