Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

As part of this update, we have added new columns that enable more relevant and effective investigations. These additions to the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables are currently available in public preview.

We've made the following updates to these tables:


  • AuthenticationDetails (EmailEvents table) – This column includes detailed information about the different authentication checks that have been applied or analyzed like SPF, DKIM, DMARC, and CompAuth methods. While SPF, DKIM, and DMARC are the industry standard checks, composite authentication or compAuth is a value used to indicate that a combination of different email authentication checks, like SPF, DKIM, and DMARC, were used to determine if the message is authentic. It uses the  domain in the From field of the email as basis for the evaluation.

Note: In some cases, a record will not show all the values in this column. This can occur if a partial check was needed to return a verdict for the email.

  • Filesize (EmailAttachmentInfo table) – This column provides the size of an email attachment in bytes.
  • ThreatTypes and details (EmailPostDeliveryEvents table) – Before the update, the EmailPostDeliveryEvents table already contained information about all actions attempted on an email after delivery, including ZAP and manual remediation actions. In addition to the action metadata, we've added details about threats and detection methods (when applicable) as separate columns within the table. This is useful for hunting scenarios involving delayed weaponization or updated verdicts. For these cases, look to join the events with the EmailEvents table to get a more comprehensive view.

Here are few examples which make use of these fields:


// Check for spoofing attempts on the domain with SPF fails EmailEvents |where Timestamp > ago (1d) and DetectionMethods contains "spoof" and SenderFromDomain has "" | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames | evaluate bag_unpack(AR) | where SPF == "fail"



// Identify potential exfiltration scenarios with querying outbound emails with large attachments EmailEvents | where EmailDirection == "Outbound" and AttachmentCount > 0 | join EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress | where toint(FileSize) > 10000



Read more about Advanced Hunting over here and learn about the schema for Email tables over here


To start hunting using these enhancements, turn on public preview features for Microsoft 365 Defender. Leave a comment below for thoughts and questions, or use the feedback button in the portal.

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.