MDO Hunting - Confirmed Malware Attachments
MDO 03 Confirmed Malware Attachments
Query
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
FileName, FileType, SHA256, ThreatNames, DetectionMethods, FileSize
| sort by Timestamp descExplanation
This query is designed to identify email attachments that have been confirmed as malware. Here's a simple breakdown:
-
Purpose: The query lists email attachments flagged with a malware verdict. It uses the SHA256 hash of each file as a key to further investigate if the file was executed on any devices.
-
Data Source: It pulls data from the MicrosoftThreatProtection connector, specifically focusing on
EmailAttachmentInfo. -
Time Frame: The query looks at data from the past 7 days.
-
Filtering Criteria: It filters for attachments that have been identified as containing "Malware".
-
Output: The query outputs details such as the timestamp, message ID, sender and recipient email addresses, file name and type, SHA256 hash, threat names, detection methods, and file size.
-
Use Case: This information helps bridge the gap between email (MDO - Microsoft Defender for Office) and endpoint (MDE - Microsoft Defender for Endpoint) security by allowing security analysts to trace whether the malicious attachment was executed on any devices.
-
Security Focus: It targets the "Initial Access" tactic, specifically the technique T1566, which involves phishing.
-
Version: The query is at version 1.0.0.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques