MDO Hunting - Dangerous File Types Delivered
MDO 04 Dangerous File Types Delivered
Query
let RiskyTypes = dynamic(["exe","scr","js","vbs","ps1","lnk","iso","img","hta","cmd","bat","wsf","jar","one"]);
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in~ (RiskyTypes)
or FileName has_any (".exe",".scr",".js",".lnk",".iso",".img",".hta",".one",".vbs")
| join kind=inner (
EmailEvents
| where DeliveryAction == "Delivered"
| project NetworkMessageId, DeliveryLocation, Subject, EmailDirection
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType,
Subject, DeliveryLocation, EmailDirection, SHA256
| sort by Timestamp descExplanation
This query is designed to detect potentially dangerous email attachments that have been delivered to mailboxes without being flagged as threats. It focuses on identifying high-risk file types that are often used to evade security measures, such as executable files and container formats like ISO and IMG.
Here's a simplified breakdown of the query:
-
Risky File Types: It defines a list of file types considered risky, including extensions like
.exe,.scr,.js,.vbs, and others. -
Data Source: It uses data from Microsoft Threat Protection, specifically looking at email attachment information and email events.
-
Time Frame: The query examines emails from the past 7 days.
-
File Type Check: It filters for emails with attachments that match the risky file types or have filenames with specific extensions.
-
Email Delivery: It checks if these emails were actually delivered to the mailbox.
-
Output: The query outputs details such as the timestamp, sender and recipient email addresses, file name and type, email subject, delivery location, email direction, and the SHA256 hash of the attachment.
-
Sorting: The results are sorted by the timestamp in descending order, showing the most recent emails first.
The purpose of this query is to catch potentially malicious files that have bypassed initial threat detection, allowing security teams to investigate further. It also suggests looking out for suspicious filenames and double extensions, which are common tactics used in phishing and malware delivery.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics