Defender for Office - Email File Attachment File Extensions
MDO Email Attachment File Extensions
Query
EmailEvents
| join EmailAttachmentInfo
on $left. NetworkMessageId == $right.NetworkMessageId
| extend DotCount = countof(FileName,".")
| extend FileExtension = strcat(".", split(FileName,".",DotCount)[0])
| where DeliveryAction != 'Delivered'
| where DotCount > 0
| project FileName, FileExtension, FileType, DotCount, EmailDirection, ThreatTypes
| summarize Out = countif(EmailDirection == 'Outbound'),In = countif(EmailDirection == 'Inbound'), Intra = countif(EmailDirection == 'Intra-org'), Unknown = countif(EmailDirection == 'Unknown') by FileExtension
| sort by FileExtensionAbout this query
Explanation
The queries provided retrieve information about email attachment formats and legacy formats.
The first query provides an overview of email attachment file extensions, including the count of outbound, inbound, intra-org, and unknown email directions for each file extension.
The second query provides details about email attachment file extensions for a specific file extension (specified in the "FileExt" variable). It includes information such as the timestamp, file name, file extension, file type, email direction, threat types, and network message ID.
The third and fourth queries focus on legacy office file formats. They retrieve information about email attachments with file extensions that belong to a predefined list of legacy office formats. The third query provides an overview of the count of outbound, inbound, intra-org, and unknown email directions for each legacy office file extension. The fourth query provides details about the email attachments, including the timestamp, file name, file extension, file type, email direction, threat types, delivery action, delivery location, detection methods, email action, threat names, and network message ID.
The fifth query retrieves details about email attachment file extensions for legacy office formats, specifically for inbound emails. It includes additional information such as the recipient email address, sender information, delivery action, delivery location, detection methods, email action, threat names, and network message ID. It also performs a left outer join with EmailPostDeliveryEvents.
The sixth query provides details about email attachment file extensions for legacy office formats, specifically for inbound emails. It includes additional information such as the recipient email address, sender information, delivery action, delivery location, detection methods, email action, threat names, and network message ID. It also summarizes the count of events by delivery location and renders a pie chart.
The seventh query focuses on file formats blocked by the policy. It retrieves details about email attachment file extensions for a predefined list of legacy office formats. It includes information such as the timestamp, recipient email address, sender information, file name, file extension, file type, email direction, threat types, delivery action, delivery location, detection methods, email action, threat names, and network message ID.
The eighth query retrieves details about legacy office files on SharePoint and OneDrive. It includes information such as the file extension and the count of files for each legacy office file extension.
The ninth query focuses on device file creation events. It retrieves details about files with legacy office file extensions that were created on devices. It includes information such as the timestamp, device name, file name, file extension, folder, initiating process file name, initiating process version info product name, initiating process account UPN, and initiating process account name.
The tenth query is a filtered version of the ninth query, specifically focusing on device file creation events related to office apps. It retrieves details about files with legacy office file extensions that were created on devices by office apps. It includes information such as the timestamp, device name, file name, file extension, folder, initiating process file name, initiating process version info product name, initiating process account UPN, and initiating process account name. It filters out certain processes like "Commvault," "System," "msiexec.exe," and "explorer.exe" and only includes files created by specific office apps (specified in the "officeapps" variable).
Details

Alex Verboon
Released: November 23, 2023
Tables
Keywords
Operators