Adversaries may rely on messages that trigger post-delivery events, such as zero-hour auto purge (ZAP) actions, to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential data exfiltration or persistence mechanisms tied to email-based threats.
KQL Query
// Look back 30 whole days, ending at the start of today.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Post-delivery actions taken by zero-hour auto purge (ZAP).
let baseQuery = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionType has "ZAP";
// One daily series per ZAP type; days with no events default to 0.
let szap = baseQuery
| where ActionType has 'Spam ZAP'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Spam ZAP";
let pzap = baseQuery
| where ActionType has 'Phish ZAP'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Phish ZAP";
let mzap = baseQuery
| where ActionType has 'Malware ZAP'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Malware ZAP";
// Combine the three series and plot them as one time chart.
union szap, pzap, mzap
| project Count, Details, Timestamp
| render timechart
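As an added example (not part of the original query or of the Defender for Office 365 Sentinel solution), the query below turns the timechart into an actionable list: one daily series per ZAP action type, outlier days flagged with series_decompose_anomalies, and each flagged day enriched with how many messages and recipients it touched. The anomaly threshold of 1.5 and the make_set size of 10 are assumptions to tune per tenant.

```kql
// Added example, not the original page's query. Builds one daily series per
// ZAP action type (instead of three separate lets), flags days whose count is
// an outlier against the 30-day baseline, then joins back to the raw events
// to show the blast radius of each anomalous day.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let zapEvents = EmailPostDeliveryEvents
    | where Timestamp >= TimeStart
    | where ActionType has "ZAP";
zapEvents
// Daily counts per ActionType; days without events default to 0.
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by ActionType
// Threshold 1.5 is an assumption: lower it for noisier alerts, raise it for fewer.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Count, 1.5)
| mv-expand Timestamp to typeof(datetime), Count to typeof(long),
            Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(double)
| where Anomalies > 0                       // positive spikes only
| join kind=inner (
    zapEvents
    | extend Day = startofday(Timestamp)
    | summarize Messages = dcount(NetworkMessageId),
                Recipients = dcount(RecipientEmailAddress),
                Locations = make_set(DeliveryLocation, 10)
        by ActionType, Day
  ) on ActionType, $left.Timestamp == $right.Day
| project Timestamp, ActionType, Count, Baseline = round(Baseline, 1), Score = round(Score, 2),
          Messages, Recipients, Locations
| order by Score desc
```

Rows with a high Score and many distinct recipients are the days worth pivoting into EmailEvents on NetworkMessageId to see sender, subject and URLs.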
id: c0efc072-fce7-46c2-83a1-51e8a9e6a1e1
name: Post Delivery Events by ZAP type
description: |
  This query visualises the daily number of emails that had a post-delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action
description-detailed: |
  This query visualises the daily number of emails that had a post-delivery action from zero-hour auto purge, summarizing by phish, spam or malware detection action in Defender for Office 365.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where ActionType has "ZAP";
  let szap = baseQuery
  | where ActionType has 'Spam ZAP'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Spam ZAP";
  let pzap = baseQuery
  | where ActionType has 'Phish ZAP'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Phish ZAP";
  let mzap = baseQuery
  | where ActionType has 'Malware ZAP'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Malware ZAP";
  union szap, pzap, mzap
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
Scenario: Scheduled Auto Purge Job Execution
Description: The zero-hour auto purge job runs daily and processes emails that were flagged as spam or malware, which can trigger the post-delivery action.
Filter/Exclusion: event_type: "auto_purge" OR job_name: "zero_hour_auto_purge"
Scenario: Email Archiving Process
Description: An email archiving tool like Microsoft Exchange Archiving or Mimecast may move emails to an archive, which is logged as a post-delivery action.
Filter/Exclusion: tool_name: "Exchange Archiving" OR tool_name: "Mimecast" OR action_type: "archive"
Scenario: Admin Task: Email Cleanup
Description: An administrator manually deletes or moves emails from the inbox to a different folder using tools like Microsoft Outlook or Gmail Admin Console, which can be logged as post-delivery events.
Filter/Exclusion: user_role: "admin" OR user_action: "manual_delete" OR user_action: "move_to_archive"
Scenario: Email Retention Policy Enforcement
Description: A retention policy in Microsoft 365 or Google Workspace automatically moves or deletes emails based on retention rules, which can be mistaken for post-delivery actions.
Filter/Exclusion: policy_type: "retention_policy" OR policy_name: "retention_rule_01"
Scenario: Email Migration or Backup Jobs
Description: Scheduled jobs like Microsoft Exchange Migration Wizard or Veeam Backup may move emails between systems, which can be logged as post-delivery events.
Filter/Exclusion: job_name: "Exchange_Migration" OR job_name: "Veeam_Backup" OR action