Delivered Emails Identified As Suspicious
Query
let CompromizedEmailAddress = ""; // Insert the email address of the compromised email address
let Timeframe = 2d; // Choose the best timeframe for your investigation
let EmailInformation = EmailEvents
| where RecipientEmailAddress == CompromizedEmailAddress
| where Timestamp > ago(Timeframe)
| where DeliveryAction != "Blocked"
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderDisplayName, ThreatNames;
EmailInformation
| join (EmailPostDeliveryEvents
| where ThreatTypes != ""
| project Timestamp, NetworkMessageId, Action, ActionType, ActionTrigger, ActionResult, DeliveryLocation, ThreatTypes, DetectionMethods
) on NetworkMessageId
| sort by Timestamp descAbout this query
Delivered emails identified as suspicious
Description
The following query will present email details that have been identified as suspicious after delivery.
References
Microsoft 365 Defender
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 03/10/2023 | Initial publish |
| 1.1 | 18/10/2023 | Missing Timestamp |
Explanation
This query is designed to identify and display details about emails that have been delivered to a specific email address and later flagged as suspicious. Here's a simplified breakdown of what the query does:
-
Setup:
- You need to specify the email address of the compromised account (
CompromizedEmailAddress) and the timeframe for the investigation (Timeframe), which is set to 2 days by default.
- You need to specify the email address of the compromised account (
-
Filter Delivered Emails:
- The query looks at emails sent to the specified email address within the given timeframe.
- It excludes emails that were blocked during delivery.
-
Project Email Details:
- It extracts key details from these emails, such as the time they were sent, sender information, and any threat names associated with them.
-
Identify Suspicious Emails:
- The query then checks for any post-delivery events where the emails were identified as suspicious (i.e., they have associated threat types).
- It joins this information with the initial email details using a common identifier (
NetworkMessageId).
-
Output:
- The result is a list of emails, sorted by the time they were sent, that were delivered to the compromised account and later flagged as suspicious, along with details about the actions taken and the methods used to detect the threats.
This query is useful for investigating potential security breaches in email accounts by identifying emails that were initially delivered but later deemed suspicious.
Details

Michalis Michalos
Released: October 18, 2023
Tables
EmailEventsEmailPostDeliveryEvents
Keywords
EmailEventsNetworkMessageIdSenderMailFromAddressDisplayNameThreatNamesPostDeliveryTypesActionTypeTriggerResultLocationDetectionMethodsTimestamp
Operators
let==>ago()!=projectjoinonsort bydesc