Adversaries may preview or download emails to exfiltrate sensitive information or gather intelligence on targets. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data theft or reconnaissance activities.
KQL Query
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
| evaluate bag_unpack(AR)
| where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
| serialize
| extend RowNumber = row_number()
| mv-expand ExtendedProperties
| evaluate bag_unpack(ExtendedProperties, 'xp_')
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
id: ba1a91ad-1f99-4386-b191-06a76ef213f8
name: Audit Email Preview-Download action
description: |
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
description-detailed: |
This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
CloudAppEvents
| project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
| evaluate bag_unpack(AR)
| where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
| serialize
| extend RowNumber = row_number()
| mv-expand ExtendedProperties
| evaluate bag_unpack(ExtendedProperties, 'xp_')
| extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
| summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
| extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
| project-away RowNumber
version: 1.0.0| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: Email Preview by Admin During User Activity Review
Description: An administrator previews an email message to investigate user activity or compliance issues.
Filter/Exclusion: Exclude events where the user is an admin or has the “View Audit Logs” permission.
Example Filter: user_principal_name contains "[email protected]" or user_principal_name contains "[email protected]"
Scenario: Scheduled Email Archiving Job
Description: A scheduled job runs to archive emails, which may trigger the preview/download action as part of the process.
Filter/Exclusion: Exclude events where the action is associated with a known archiving or backup job.
Example Filter: activity | where activity ~ "Archive" or activity ~ "Backup"
Scenario: Email Preview by Security Analyst During Threat Hunting
Description: A security analyst previews emails to investigate potential threats or suspicious activity.
Filter/Exclusion: Exclude events where the user is a security analyst or has a specific role like “Security Administrator”.
Example Filter: user_principal_name contains "[email protected]" or user_principal_name contains "[email protected]"
Scenario: Email Preview via PowerShell or Exchange Online PowerShell
Description: An administrator uses PowerShell to preview emails as part of routine management or troubleshooting.
Filter/Exclusion: Exclude events where the action is initiated via PowerShell or Exchange Online PowerShell.
Example Filter: client_app_name contains "ExchangeOnlinePowerShell" or client_app_name contains "PowerShell"
Scenario: Email Preview During Migration or Data Transfer
Description: Emails are previewed during migration processes or data transfer between systems.
Filter/Exclusion: Exclude events where the action is associated with a migration tool like Microsoft 365 Migration Manager