# Queries for the EmailAttachmentInfo table
## Files from malicious sender

Finds the first appearance of files sent by a malicious sender in your organization within the selected time frame. To see earlier appearances, increase the selected time range.
```kusto
let MaliciousSender = "<insert the sender email address>";
EmailAttachmentInfo
| where SenderFromAddress =~ MaliciousSender
// Normalize the hash so it matches the casing used in DeviceFileEvents
| project SHA256 = tolower(SHA256)
| join (
    DeviceFileEvents
) on SHA256
| summarize FirstAppearance = min(Timestamp) by DeviceName, SHA256, FileName
| take 100
```
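The query above reports only the first device that saw each hash. The following added example (not part of the Microsoft documentation) extends it to show, per attachment, every recipient of the email and every device where a file with the same hash was later created; `LookbackWindow` and the `FileCreated` filter are assumptions you can adjust. It uses `kind=inner` on purpose, because the default join kind (`innerunique`) deduplicates the left side and would silently drop recipients.

```kusto
// Added example, not from the original page. Assumed parameters:
//   MaliciousSender - sender address to hunt for
//   LookbackWindow  - how far back to search in both tables
let MaliciousSender = "<insert the sender email address>";
let LookbackWindow = 30d;
// All attachments this sender delivered, one row per recipient
let SentAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(LookbackWindow)
    | where SenderFromAddress =~ MaliciousSender
    | where isnotempty(SHA256)
    // Lower-case the hash so it joins cleanly with DeviceFileEvents
    | extend SHA256 = tolower(SHA256)
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256;
// First time each hash was written to disk on each device
let DeviceWrites =
    DeviceFileEvents
    | where Timestamp > ago(LookbackWindow)
    | where ActionType == "FileCreated" and isnotempty(SHA256)
    | extend SHA256 = tolower(SHA256)
    | summarize FirstSeenOnDevice = min(Timestamp) by DeviceName, SHA256;
SentAttachments
// leftouter keeps attachments that never reached a device (DeviceName empty)
| join kind=leftouter DeviceWrites on SHA256
| summarize FirstDelivered = min(Timestamp),
            Recipients = make_set(RecipientEmailAddress),
            Devices = make_set(DeviceName),
            FirstSeenOnDevice = min(FirstSeenOnDevice)
  by SHA256, FileName, FileType
| sort by FirstSeenOnDevice asc nulls last
```

Rows with an empty `Devices` set are attachments that were delivered but never observed on an endpoint, which narrows remediation to mailbox cleanup; rows with devices listed are the ones that need endpoint follow-up.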
## Emails to external domains with attachments

Emails sent to an external domain that include attachments.
```kusto
EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount > 0
// NetworkMessageId links each email to its attachment rows
| join EmailAttachmentInfo on NetworkMessageId
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId, FileName, AttachmentCount
| take 1000
```