Malicious email delivered in Microsoft 365
Malicious Email Delivered In Mailbox
Query
CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink'],
NetworkMessageId = tostring(parse_json(RawEventData).NetworkMessageId)
| join kind=leftouter (EmailEvents | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject) on $left.NetworkMessageId == $right.NetworkMessageId
| project-reorder
Timestamp,
Classification,
ClassificationReason,
ConfidentialityLevel,
SenderFromAddress,
Subject,
RecipientEmailAddress,
InvestigationLinkAbout this query
Malicious email delivered in Microsoft 365
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
Description
This query lists all the emails that have been classified as malicious based on Threat Intelligence on the mailbox.
Defender XDR
Sentinel
CloudAppEvents
| where ActionType == "TIMailData-Inline"
| extend Classification = parse_json(RawEventData).['Verdict']
| extend ClassificationReason = parse_json(RawEventData).['ThreatsAndDetectionTech']
| extend ConfidentialityLevel = parse_json(RawEventData).['PhishConfidenceLevel']
| extend InvestigationLink = parse_json(RawEventData).['EventDeepLink'],
NetworkMessageId = tostring(parse_json(RawEventData).NetworkMessageId)
| join kind=leftouter (EmailEvents | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject) on $left.NetworkMessageId == $right.NetworkMessageId
| project-reorder
Timestamp,
Classification,
ClassificationReason,
ConfidentialityLevel,
SenderFromAddress,
Subject,
RecipientEmailAddress,
InvestigationLink
Explanation
This query is designed to identify and list emails in Microsoft 365 that have been classified as malicious based on threat intelligence. It focuses on emails that are potentially phishing attempts, aligning with the MITRE ATT&CK technique T1566 for phishing.
Here's a simplified breakdown of what the query does:
-
Data Source: The query pulls data from
CloudAppEvents, specifically looking for events where the action type is "TIMailData-Inline". This indicates that the event is related to email data processed inline. -
Extract Information: It extracts several pieces of information from the raw event data:
- Classification: The verdict on whether the email is malicious.
- ClassificationReason: The reasons or techniques used to detect the threat.
- ConfidentialityLevel: The confidence level regarding the phishing nature of the email.
- InvestigationLink: A link to further investigate the event.
- NetworkMessageId: A unique identifier for the email message.
-
Join with Email Events: The query joins this data with
EmailEventsto gather additional details about the email, such as:- SenderFromAddress: The email address of the sender.
- RecipientEmailAddress: The email address of the recipient.
- Subject: The subject line of the email.
-
Output: Finally, it organizes the output to display the timestamp, classification details, sender and recipient information, email subject, and a link for further investigation.
This query is useful for security analysts to quickly identify and investigate potentially harmful emails that have been delivered within an organization, helping to mitigate phishing attacks.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators
MITRE Techniques