Query Details

ZAP Email Click Detection

Query

//This query surfaces user clicks on links in emails that MDO later zapped (Phish ZAP / Spam ZAP)
//and shows the time between each click and the ZAP action.
//Sign convention: datetime_diff('minute', Timestamp1, Timestamp) = ClickTime - ZapTime,
//so a NEGATIVE value means the click happened before the email was removed.
//The query does not filter on the sign; add "| where ClickTime < ZapTime" to keep only clicks that preceded the ZAP.
EmailPostDeliveryEvents
| where Timestamp >= ago(1h)
| where ActionType has_any ("Phish ZAP", "Spam ZAP")
// inner join: only zapped messages that have at least one recorded click are returned.
// Timestamp from UrlClickEvents is renamed Timestamp1 because both tables carry a Timestamp column.
| join kind=inner UrlClickEvents on NetworkMessageId
| project ClickTime= Timestamp1, ZapTime= Timestamp, ClickHappenedBeforeZapTime=datetime_diff('minute', Timestamp1, Timestamp), RecipientEmailAddress, 
Reporter= iff((ActionResult in ("UserTriaged")),"User", "Microsoft"), Url 

Explanation

This query identifies cases where a user clicked a link in an email before Microsoft Defender for Office 365 (MDO) automatically removed ("zapped") that email after classifying it as phishing or spam. It considers ZAP actions recorded within the last hour. Here is a breakdown of what the query does:

  1. Data Source: It uses two tables: EmailPostDeliveryEvents (post-delivery actions such as ZAP) and UrlClickEvents (Safe Links click telemetry).

  2. Time Filter: It keeps ZAP events from the last hour. Note that the filter applies only to EmailPostDeliveryEvents; the click events are not time-bounded, so a click on a message delivered earlier than an hour ago is still matched.

  3. Action Type Filter: It targets only emails that were subject to "Phish ZAP" or "Spam ZAP" actions. Other post-delivery actions (for example Malware ZAP or manual remediation) are excluded.

  4. Join Operation: It inner-joins the two tables on the common identifier NetworkMessageId, so only zapped messages with at least one recorded click appear in the output. Because both tables have a Timestamp column, the click timestamp from UrlClickEvents is exposed as Timestamp1 after the join.

  5. Projection: It extracts and renames specific fields for analysis:

    • ClickTime: The time when the user clicked the email link (Timestamp1).
    • ZapTime: The time when the email was zapped (Timestamp).
    • ClickHappenedBeforeZapTime: datetime_diff('minute', ClickTime, ZapTime), i.e. ClickTime minus ZapTime in minutes. A negative value means the click preceded the ZAP; a positive value means the click was recorded after the message had already been removed (for example from a cached copy or another client). The query does not filter on the sign, so both cases are returned.
    • RecipientEmailAddress: The email address of the recipient of the zapped message.
    • Reporter: Labels the row "User" when ActionResult is "UserTriaged", otherwise "Microsoft", as a rough indication of whether the removal was triggered by user reporting or by MDO automatically.
    • Url: The link that was clicked.

  6. Output: Each row is one click on a zapped message, with the time difference between the click and the ZAP, the recipient, the clicked URL and the Reporter label. Rows with a negative ClickHappenedBeforeZapTime are the ones that warrant follow-up, since the user reached the URL while the message was still in the mailbox.
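The query above returns every click on a zapped message and leaves the sign check to the analyst. The following is an added example, not the original query, that keeps only clicks that preceded the ZAP, bounds both tables to the same window, and rolls the result up per recipient and message. It assumes the Advanced Hunting schema column names used below (ZapTime, ClickTime, Recipient, Clicker and MinutesBeforeZap are aliases introduced here) and assumes "ClickAllowed" is the UrlClickEvents.ActionType value for a click that Safe Links let through.

```kusto
// Added example; not the original query on this page.
// Assumed: EmailPostDeliveryEvents and UrlClickEvents columns as in the Advanced Hunting schema,
// and "ClickAllowed" as the UrlClickEvents.ActionType value for a permitted click.
let lookback = 1h;
let zapped = EmailPostDeliveryEvents
    | where Timestamp >= ago(lookback)
    | where ActionType has_any ("Phish ZAP", "Spam ZAP")
    | project ZapTime = Timestamp, NetworkMessageId,
              Recipient = tolower(RecipientEmailAddress),
              ZapType = ActionType, ActionResult;
let clicks = UrlClickEvents
    | where Timestamp >= ago(lookback)
    // ActionType in UrlClickEvents is the click verdict, not the ZAP type.
    | where ActionType == "ClickAllowed"
    | project ClickTime = Timestamp, NetworkMessageId,
              Clicker = tolower(AccountUpn), Url, IsClickedThrough;
zapped
// Join on the message AND the user, so a click by one recipient is not
// attributed to every other recipient of the same message.
| join kind=inner clicks on NetworkMessageId, $left.Recipient == $right.Clicker
// Positive = the click preceded the ZAP; this is the case we care about.
| extend MinutesBeforeZap = datetime_diff('minute', ZapTime, ClickTime)
| where ClickTime < ZapTime
| summarize ClickCount = count(),
            FirstClick = min(ClickTime),
            MaxMinutesBeforeZap = max(MinutesBeforeZap),
            Urls = make_set(Url, 10)
          by Recipient, NetworkMessageId, ZapType, ZapTime, ActionResult
| order by MaxMinutesBeforeZap desc
```

Joining on the recipient as well as NetworkMessageId matters because EmailPostDeliveryEvents has one ZAP row per recipient; joining on the message alone produces a cross product in which every recipient appears to have clicked. Lowercasing both sides avoids misses caused by case differences between RecipientEmailAddress and AccountUpn.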

Details

Viktor Utter

Released: November 10, 2024

Tables

EmailPostDeliveryEvents, UrlClickEvents

Keywords

EmailPostDeliveryEvents, UrlClickEvents, NetworkMessageId, Timestamp, ActionType, ActionResult, RecipientEmailAddress, Url

Operators

ago, has_any, join, on, project, datetime_diff, iff