Query Details

Review recently received emails with attachments

Recently Received Emails With Attachments

Query

let CompromizedEmailAddress = ""; // Insert the email address of the compromised email address
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
    | where RecipientEmailAddress == CompromizedEmailAddress
    | where Timestamp > ago(Timeframe)
    | where DeliveryAction != "Blocked"
    | where AttachmentCount != "0"
    | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
    | join (EmailAttachmentInfo
    | project NetworkMessageId, FileName, FileType, FileSize
) on NetworkMessageId
| sort by Timestamp desc

About this query

Review recently received emails with attachments

Description

The following query will list all emails received on the Timeframe specified that haven’t been blocked and have an attachment. This could help get an overview of the email attachments recently received that might rise suspicions.

References

Microsoft 365 Defender

Versioning

VersionDateComments
1.003/10/2023Initial publish

Explanation

This query retrieves a list of recently received emails with attachments that have not been blocked. It can be used to identify suspicious email attachments.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: October 3, 2023

Tables

EmailEventsEmailAttachmentInfo

Keywords

EmailEventsRecipientEmailAddressTimestampagoDeliveryActionBlockedAttachmentCountprojectNetworkMessageIdSenderMailFromAddressSenderFromAddressSenderDisplayNameThreatNamesjoinEmailAttachmentInfoFileNameFileTypeFileSizesort

Operators

wherelet|==>ago!=projectjoinonsort by

Actions

GitHub