Delivered Emails Identified As Suspicious

Query

# Delivered emails identified as suspicious

## Description

The following query lists emails that were delivered to a given mailbox and that Microsoft 365 Defender identified as suspicious only after delivery, i.e. messages with a post-delivery detection or remediation (zero-hour auto purge or manual action) recorded against them.

### References
- https://www.michalos.net/2023/10/03/investigating-initial-access-in-compromised-email-accounts-using-microsoft-365-defender/

### Microsoft 365 Defender
```
let CompromisedEmailAddress = ""; // Insert the address of the compromised mailbox
let Timeframe = 2d; // Lookback window; choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where Timestamp > ago(Timeframe)
    | where RecipientEmailAddress =~ CompromisedEmailAddress // case-insensitive match on the recipient
    | where DeliveryAction != "Blocked" // exclude messages that never reached the mailbox
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join kind=inner (EmailPostDeliveryEvents
        | where Timestamp > ago(Timeframe)
        | where isnotempty(ThreatTypes) // only post-delivery actions that carry a threat verdict (e.g. ZAP)
        | project PostDeliveryTimestamp = Timestamp, NetworkMessageId, Action, ActionType, ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes, DetectionMethods
    ) on NetworkMessageId
    | sort by Timestamp desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 03/10/2023    | Initial publish                        |

Explanation

This query retrieves details of emails that were delivered to the specified mailbox and later identified as suspicious. It filters EmailEvents on the recipient address and excludes messages that were blocked before delivery, then joins the remainder on NetworkMessageId with the EmailPostDeliveryEvents rows that carry a threat type, i.e. messages that Defender re-evaluated after they had already reached the mailbox (zero-hour auto purge and manual remediation are recorded in that table). The results are sorted by timestamp in descending order.

In an account-compromise investigation these are the messages the user could have read and acted on before Defender caught them, so they are the first candidates for the initial-access phishing email. Two points to keep in mind when reading the output: the join yields one row per post-delivery action, so a message that was acted on more than once appears more than once, and the mailbox address variable must be filled in or the query returns nothing.
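The following variant is an added example and not part of the author's published query. It collapses the per-action rows into one row per message and computes the exposure window, the time between delivery and the first post-delivery action, which is the period during which the recipient could have opened the message. It uses only documented columns of EmailEvents and EmailPostDeliveryEvents; the mailbox address, the 30-day window and the output column names are assumed placeholders.

```kql
// Added example (not the author's query): one row per suspicious delivered
// message, with how long it sat in the mailbox before Defender acted on it.
// Columns are documented fields of EmailEvents and EmailPostDeliveryEvents;
// the address and the lookback window are placeholders to replace.
let CompromisedEmailAddress = "user@example.com"; // placeholder, assumed
let Timeframe = 30d;                              // lookback window, assumed
let Delivered = EmailEvents
    | where Timestamp > ago(Timeframe)
    | where RecipientEmailAddress =~ CompromisedEmailAddress
    | where DeliveryAction != "Blocked"           // message reached the mailbox or junk folder
    | project DeliveredTime = Timestamp, NetworkMessageId, Subject,
              SenderFromAddress, SenderMailFromAddress, SenderDisplayName, ThreatNames;
let PostDelivery = EmailPostDeliveryEvents
    | where Timestamp > ago(Timeframe)
    | where RecipientEmailAddress =~ CompromisedEmailAddress
    | where isnotempty(ThreatTypes)               // only actions that carry a threat verdict
    | summarize FirstActionTime = min(Timestamp), // earliest post-delivery action per message
                Actions = make_set(Action),
                ActionTypes = make_set(ActionType),
                ActionResults = make_set(ActionResult),
                ThreatTypeSet = make_set(ThreatTypes),
                DetectionMethodSet = make_set(DetectionMethods),
                Locations = make_set(DeliveryLocation)
        by NetworkMessageId;
Delivered
| join kind=inner PostDelivery on NetworkMessageId
// minutes between delivery and the first post-delivery action
| extend ExposureMinutes = datetime_diff("minute", FirstActionTime, DeliveredTime)
| project-away NetworkMessageId1                  // drop the duplicated join key
| sort by ExposureMinutes desc
```

Messages at the top of the list were available to the user the longest before remediation; the `ActionResults` set shows whether every action on a message completed, which matters because a message whose purge did not succeed may still be in the mailbox. The exposure window is also the time range to check against the user's sign-in and URL-click activity when trying to confirm which message was actually opened.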

Details

Michalis Michalos

Released: October 3, 2023

Tables

EmailEvents, EmailPostDeliveryEvents

Keywords

EmailEvents, EmailPostDeliveryEvents

Operators

|, let, =, where, !=, project, join, on, sort by