MDO Hunting - Malicious Email Delivered to Inbox (Block Failure)
MDO 01 Malicious Email Delivered To Inbox
Query
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has_any ("Phish", "Malware")
| where DeliveryAction == "Delivered"
| where DeliveryLocation in ("Inbox/folder", "Inbox")
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
Subject, ThreatTypes, ThreatNames, DetectionMethods,
DeliveryLocation, LatestDeliveryLocation
| sort by Timestamp descExplanation
This query is designed to identify emails that were flagged as phishing or containing malware but were still delivered to a user's inbox, which poses a high risk. It focuses on emails processed by Microsoft Defender for Office 365 over the past seven days. The query filters for emails with a "Phish" or "Malware" threat type that were delivered to the inbox, and it retrieves details such as the timestamp, sender, recipient, subject, threat types, and delivery locations. The results are sorted by the most recent timestamp. This helps in assessing the effectiveness of Microsoft Defender for Office 365 and prioritizing actions like manual purging or verifying if the email was later removed by Zero-hour Auto Purge (ZAP).
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques