Query Details

Delivered Emails Identified As Suspicious

Query

let CompromizedEmailAddress = ""; // Insert the email address of the compromised email address
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where Timestamp > ago(Timeframe)
    | where DeliveryAction != "Blocked"
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join (EmailPostDeliveryEvents 
    | where ThreatTypes != ""
    | project Timestamp, NetworkMessageId, Action, ActionType, ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes, DetectionMethods
) on NetworkMessageId
| sort by Timestamp desc

About this query

Delivered emails identified as suspicious

Description

The following query will present email details that have been identified as suspicious after delivery.

References

Microsoft 365 Defender

Versioning

VersionDateComments
1.003/10/2023Initial publish
1.118/10/2023Missing Timestamp

Explanation

This query is designed to identify and display details about emails that have been delivered to a specific email address and later flagged as suspicious. Here's a simplified breakdown of what the query does:

  1. Setup:

    • You need to specify the email address of the compromised account (CompromizedEmailAddress) and the timeframe for the investigation (Timeframe), which is set to 2 days by default.
  2. Filter Delivered Emails:

    • The query looks at emails sent to the specified email address within the given timeframe.
    • It excludes emails that were blocked during delivery.
  3. Project Email Details:

    • It extracts key details from these emails, such as the time they were sent, sender information, and any threat names associated with them.
  4. Identify Suspicious Emails:

    • The query then checks for any post-delivery events where the emails were identified as suspicious (i.e., they have associated threat types).
    • It joins this information with the initial email details using a common identifier (NetworkMessageId).
  5. Output:

    • The result is a list of emails, sorted by the time they were sent, that were delivered to the compromised account and later flagged as suspicious, along with details about the actions taken and the methods used to detect the threats.

This query is useful for investigating potential security breaches in email accounts by identifying emails that were initially delivered but later deemed suspicious.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: October 18, 2023

Tables

EmailEventsEmailPostDeliveryEvents

Keywords

EmailEventsNetworkMessageIdSenderMailFromAddressDisplayNameThreatNamesPostDeliveryTypesActionTypeTriggerResultLocationDetectionMethodsTimestamp

Operators

let==>ago()!=projectjoinonsort bydesc

Actions

GitHub