Query Details

MDO Hunting - Confirmed Malware Attachments

MDO 03 Confirmed Malware Attachments

Query

EmailAttachmentInfo
| where Timestamp > ago(7d)
| where ThreatTypes has "Malware"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, ThreatNames, DetectionMethods, FileSize
| sort by Timestamp desc

Explanation

This query is designed to identify email attachments that have been confirmed as malware. Here's a simple breakdown:

  • Purpose: The query lists email attachments flagged with a malware verdict. It uses the SHA256 hash of each file as a key to further investigate if the file was executed on any devices.

  • Data Source: It pulls data from the MicrosoftThreatProtection connector, specifically focusing on EmailAttachmentInfo.

  • Time Frame: The query looks at data from the past 7 days.

  • Filtering Criteria: It filters for attachments that have been identified as containing "Malware".

  • Output: The query outputs details such as the timestamp, message ID, sender and recipient email addresses, file name and type, SHA256 hash, threat names, detection methods, and file size.

  • Use Case: This information helps bridge the gap between email (MDO - Microsoft Defender for Office) and endpoint (MDE - Microsoft Defender for Endpoint) security by allowing security analysts to trace whether the malicious attachment was executed on any devices.

  • Security Focus: It targets the "Initial Access" tactic, specifically the technique T1566, which involves phishing.

  • Version: The query is at version 1.0.0.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailAttachmentInfo

Keywords

EmailAttachmentInfoTimestampNetworkMessageIdSenderFromAddressRecipientEmailAddressFileNameFileTypeSHA256ThreatNamesDetectionMethodsFileSize

Operators

wherehasprojectsort bydescago

Tactics

InitialAccess

MITRE Techniques

Actions

GitHub