Query Details

Detect Potential Malicious Emails Based On Internet Message Id Dates

Query

**Detect Potential Malicious Emails Based on InternetMessageId Dates**

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    |
| ---  | --- |
| T1566.002  |  Phishing: Spearphishing Link|

| Author | Sergio Albea (19/04/2026)   |
| ---  | --- |

**Description:** There are some cases where an InternetMessageId contains an embedded date, sometimes encoded, sometimes not. That gives us two timestamps to compare:

- InternetMessageId date → usually when the sending system generated the message.
- Timestamp (EmailEvents) → when Microsoft received/processed the email.

So if we compare "when it was created" with "when it arrived", we can detect cases such as emails generated by a system but delivered late because of local configuration, email campaigns that deliver slowly, or messages that were postponed relative to when Microsoft received them.
The true-positive rate was really high and several of these emails had not been detected as a Threat, so it is a good case to add as a detection.

```kql
//Sergio Albea  19-04-2026 ©️
EmailEvents
| extend Timestamp_YYYYMMDD = format_datetime(Timestamp, "yyyyMMdd")
| extend Timestamp_IM = format_datetime(Timestamp, "yyyyMM")
| extend IMF = tostring(InternetMessageId)
| where IMF contains Timestamp_IM
| extend StartPos = indexof(IMF, Timestamp_IM)
| extend Extracted_IMF_Date = iff(StartPos >= 0 and strlen(IMF) >= StartPos + 8, substring(IMF, StartPos, 8), "")
| extend Extracted_IMF_Date_dt = todatetime(strcat(substring(Extracted_IMF_Date,0,4), "-", substring(Extracted_IMF_Date,4,2), "-", substring(Extracted_IMF_Date,6,2)))
| where Timestamp > Extracted_IMF_Date_dt
| extend case1 = iff(IMF contains Timestamp_YYYYMMDD, "valid", "other")
| join kind=inner EmailUrlInfo on NetworkMessageId
// comment out the line below to also see every InternetMessageId with a populated date and the cases already detected as a Threat
| where case1 has 'other' and isempty(ThreatTypes)
| summarize make_set(Url), make_set(SenderFromDomain) by case1, Timestamp_YYYYMMDD, Timestamp_IM, Extracted_IMF_Date, IMF, InternetMessageId, ThreatTypes, Subject,SenderIP=iff(isnotempty(SenderIPv4),SenderIPv4,SenderIPv6), ReportId
```

Explanation

This query is designed to detect potentially malicious emails by analyzing discrepancies between the creation date embedded in the email's InternetMessageId and the date Microsoft received or processed the email. Here's a simplified breakdown of what the query does:

  1. Extract Dates: It extracts the date from the email's InternetMessageId and the date when Microsoft processed the email.

  2. Compare Dates: It compares these two dates to identify emails where there is a delay between when the email was supposedly created and when it was received by Microsoft (the embedded date falls on an earlier day of the same month as the processing date). Such delays might indicate suspicious activity, like delayed email delivery due to local configurations or postponed email campaigns.

  3. Filter and Join: The query labels emails whose InternetMessageId contains the full processing date (yyyyMMdd) as "valid" and everything else as "other", then joins this data with additional email URL information from EmailUrlInfo.

  4. Identify Potential Threats: It specifically looks for cases where the InternetMessageId does not match the processing date and where no known threats have been identified, suggesting these emails might have been overlooked as potential threats.

  5. Summarize Results: Finally, it summarizes the results by grouping emails based on various attributes like the sender's domain, the subject, and the sender's IP address, providing a set of URLs associated with each case.

Overall, this query helps identify emails that might be suspicious due to unusual delays in their delivery, which could be indicative of phishing attempts or other malicious activities.
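The same date-comparison logic in Python, as an added example that is not part of the original query page; the EmailEvents rows are constructed samples, and the hunting query itself stays in KQL:

```python
from datetime import datetime

# Constructed sample EmailEvents rows (not real telemetry): Timestamp is when
# Microsoft processed the mail, InternetMessageId the sender-generated id.
SAMPLE_EVENTS = [
    {"NetworkMessageId": "nm-1", "Timestamp": "2026-04-19T10:15:00",
     "InternetMessageId": "<20260419101455.ABCDEF@mail.example.com>", "ThreatTypes": ""},
    {"NetworkMessageId": "nm-2", "Timestamp": "2026-04-19T10:16:00",
     "InternetMessageId": "<20260402.9871.campaign@bulk.example.net>", "ThreatTypes": ""},
    {"NetworkMessageId": "nm-3", "Timestamp": "2026-04-19T10:17:00",
     "InternetMessageId": "<20260405.1@bad.example.org>", "ThreatTypes": "Phish"},
    {"NetworkMessageId": "nm-4", "Timestamp": "2026-04-19T10:18:00",
     "InternetMessageId": "<5f1c2a-no-date@example.com>", "ThreatTypes": ""},
    {"NetworkMessageId": "nm-5", "Timestamp": "2026-04-19T10:19:00",
     "InternetMessageId": "<20260422.7@example.com>", "ThreatTypes": ""},
]


def extract_imf_date(imf: str, received: datetime):
    # Mirror the KQL: find the received month (yyyyMM) inside the id, take the
    # 8 characters starting there and parse them as yyyyMMdd; None if unusable.
    month_key = received.strftime("%Y%m")
    pos = imf.find(month_key)
    if pos < 0 or len(imf) < pos + 8:
        return None
    try:
        return datetime.strptime(imf[pos:pos + 8], "%Y%m%d")
    except ValueError:  # e.g. "20260499" is not a real date
        return None


def classify(event: dict):
    # Return (case, delay_days) or None when the row does not pass the query's
    # filters: an embedded date must exist and must not be after receipt.
    received = datetime.fromisoformat(event["Timestamp"])
    created = extract_imf_date(event["InternetMessageId"], received)
    if created is None or not received > created:
        return None
    same_day = received.strftime("%Y%m%d") in event["InternetMessageId"]
    return ("valid" if same_day else "other", (received - created).days)


def detect(events):
    # Rows the detection surfaces: created on an earlier day of the same month
    # ("other") and carrying no ThreatTypes verdict from the product.
    hits = []
    for ev in events:
        result = classify(ev)
        if result and result[0] == "other" and not ev["ThreatTypes"]:
            hits.append((ev["NetworkMessageId"], result[1]))
    return hits
```

Only nm-2 is surfaced: nm-3 is already flagged, nm-4 carries no date, and nm-5's embedded date lies after receipt, which the query also drops.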

Details


Sergio Albea

Released: April 22, 2026

Tables

EmailEvents, EmailUrlInfo

Keywords

EmailEvents, InternetMessageId, Microsoft, Threat, Url, SenderFromDomain, Subject, SenderIP, ReportId

Operators

extend, format_datetime, tostring, contains, indexof, iff, strlen, substring, todatetime, strcat, where, join, isempty, summarize, make_set, by, isnotempty
