MDO Hunting - ZAP Gaps - Threats Detected After Delivery
MDO 10 ZAP Gaps Post Delivery Threats
Query
EmailPostDeliveryEvents
| where Timestamp > ago(7d)
| where Action has "ZAP" or ActionType has "ZAP"
| project Timestamp, NetworkMessageId, RecipientEmailAddress, Action, ActionType,
ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes
| sort by Timestamp descExplanation
This query is designed to identify emails that were delivered but later flagged by Zero-hour Auto Purge (ZAP) as threats. It focuses on emails that ZAP could not successfully remove, highlighting potential ongoing risks. Here's a simple breakdown:
-
Purpose: To find emails that were delivered and later identified as threats by ZAP, specifically those that ZAP failed to remove.
-
Data Source: It uses data from the
EmailPostDeliveryEventstable, which records events related to emails after they have been delivered. -
Time Frame: The query looks at events from the past 7 days.
-
Key Actions: It filters for actions related to ZAP, either in the
ActionorActionTypefields. -
Output: The query projects specific fields such as the timestamp, message ID, recipient's email, action details, delivery location, and threat types.
-
Sorting: Results are sorted by the timestamp in descending order, showing the most recent events first.
-
Focus: The main focus is on entries where the
ActionResultis not "Success," indicating that the malicious email was not successfully removed and may still pose a risk.
This query helps security teams identify and address potential threats that have bypassed initial defenses and remain in users' mailboxes.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques