Exchange Online Email Investigation


This post has some KQL to report “who read the sensitive email and who opened the sensitive attachment” using Defender for Office365 and Defender for Endpoint.

There are a few audit logs available to build a timeline of what happened with this email (send, receive, forward) and who interacted with it:

  • Office365 unified audit log (Activity Explorer/CloudAppEvents table)
  • Defender for Office365/Exchange Online Protection mail flow events
  • Defender for Endpoint (DeviceFileEvents)
  • Mailbox audit logs (mail item accessed events)

M365 has an Activity Explorer GUI for exploring activity around files. Look here to see activity around the sensitive attachment. You’ll see the filename can change as the attachment is downloaded/forwarded, or there may be similar unrelated files, so find the file size and SHA256 hash to focus on exactly this document.

To create your own custom reports, based on the data behind Activity Explorer, there is the CloudAppEvents table within M365 Defender Advanced Hunting. Here you can build KQL queries to drill down into the data.

KQL to find and report on interactions with email attachment

Simple KQL to report on DeviceFileEvents: endpoint events recorded when the attached document was created, attached or opened.
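As an added example (not the query from the original post), the following Advanced Hunting KQL pins the document down by SHA256 and file size, as suggested above, and then lists every endpoint file event for it. Because DeviceFileEvents records create/modify/rename/delete but not "open", the example goes one step further and infers opens from DeviceProcessEvents by matching the document's known filenames (every name the file has been seen under, so renamed copies still match) against Office and Acrobat command lines. The hash, size and 30-day window are constructed placeholders; the table and column names are those of the Microsoft 365 Defender advanced hunting schema.

```kql
// Constructed placeholders: replace with the SHA256 and size from Activity Explorer
let AttachmentSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
let AttachmentSize = 123456;
let Lookback = 30d;
// Endpoint file events for exactly this document (hash + size rules out similar files)
let FileEvents = DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where SHA256 == AttachmentSha256 and FileSize == AttachmentSize
    | project Timestamp, DeviceName, User = InitiatingProcessAccountUpn, ActionType,
              FileName, FolderPath, PreviousFileName,
              InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, FileSize;
// Every filename the document has been seen under (downloads/forwards rename it)
let KnownNames = FileEvents | distinct FileName;
// Inferred "opened" events: a document viewer launched with one of those names on its command line
let OpenEvents = DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "AcroRd32.exe", "Acrobat.exe")
    | where ProcessCommandLine has_any (KnownNames)
    | project Timestamp, DeviceName, User = AccountUpn,
              ActionType = "DocumentOpened (inferred from process command line)",
              InitiatingProcessFileName = FileName, InitiatingProcessCommandLine = ProcessCommandLine;
// One timeline: who touched the document, on which device, and how
union FileEvents, OpenEvents
| order by Timestamp asc
```

The inferred open rows carry only the viewer process and command line, so treat them as a lead to confirm against the file events on the same device rather than as proof the content was read.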

KQL to find who interacted with an email message

Mailbox audit logs appear in Office365 unified audit logs in the CloudAppEvents table. The JSON document embedded in the RawEventData field can be unpacked into columns (here they’re prefixed with “Event_”). Once this is done you can filter further. To/From/Subject aren’t available for email messages here; only the internet message ID is recorded. The Folders value in the JSON contains more JSON, which includes the internet message IDs. Find the message ID via eDiscovery or the email message headers. Note: some interactions with the email of interest will be Microsoft background processing, your CRM software or your backup software, so check other fields such as the client agent string.
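The unpacking described above, as an added example that is not the post's own query: it filters CloudAppEvents to MailItemsAccessed records, lifts the fields of interest out of RawEventData into Event_ columns, expands the nested Folders/FolderItems arrays to reach the InternetMessageId of each accessed item, and keeps only rows for the message under investigation. The message ID is a constructed placeholder (keep the angle brackets, which is how the audit log stores it); the field names inside RawEventData are those documented for the MailItemsAccessed mailbox audit event.

```kql
// Constructed placeholder: the Internet Message-ID from eDiscovery or the message headers
let MessageId = "<constructed-message-id@example.com>";
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "MailItemsAccessed"
// Unpack the embedded audit JSON into Event_ columns
| extend Event_UserId = tostring(RawEventData.UserId),
         Event_MailboxOwnerUPN = tostring(RawEventData.MailboxOwnerUPN),
         Event_ClientInfoString = tostring(RawEventData.ClientInfoString),
         Event_ClientIPAddress = tostring(RawEventData.ClientIPAddress),
         Event_LogonType = toint(RawEventData.LogonType),
         Event_MailAccessType = tostring(RawEventData.MailAccessType),
         Event_Folders = RawEventData.Folders
// Folders is an array of folders, each holding an array of accessed items
| mv-expand Folder = Event_Folders
| mv-expand FolderItem = Folder.FolderItems
| extend Event_FolderPath = tostring(Folder.Path),
         Event_InternetMessageId = tostring(FolderItem.InternetMessageId)
| where Event_InternetMessageId == MessageId
// Client agent string and logon type separate real users from background services
| project Timestamp, Event_MailboxOwnerUPN, Event_UserId, Event_LogonType,
          Event_MailAccessType, Event_FolderPath, Event_ClientInfoString,
          Event_ClientIPAddress, IPAddress, UserAgent, AccountDisplayName
| order by Timestamp asc
```

Summarising the output by Event_ClientInfoString is a quick way to spot the rows generated by Microsoft background processing, CRM connectors or backup agents before reading the remainder as human activity.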

KQL to track sharing of a file via email

The EmailAttachmentInfo table can be used to follow the path of a file as it is shared and reshared via email attachments. This gives more useful information for your timeline of events.
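One way to follow the file from mailbox to mailbox, as an added example rather than the post's original query: select every attachment record matching the document's SHA256, join to EmailEvents on NetworkMessageId and recipient to recover subject, direction and delivery outcome, then number the hops in time order so each forward or reshare reads as one line of the timeline. The hash is a constructed placeholder; table and column names follow the advanced hunting email schema.

```kql
// Constructed placeholder: SHA256 of the sensitive attachment
let AttachmentSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
let Lookback = 30d;
EmailAttachmentInfo
| where Timestamp > ago(Lookback)
| where SHA256 == AttachmentSha256
// Attach subject, direction and delivery details from the message record
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | project NetworkMessageId, RecipientEmailAddress, InternetMessageId,
              Subject, EmailDirection, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, SenderFromAddress, RecipientEmailAddress, EmailDirection,
          Subject, FileName, FileSize, DeliveryAction, DeliveryLocation,
          InternetMessageId, NetworkMessageId
// Each sender -> recipient delivery of the file is one hop in the sharing chain
| order by Timestamp asc
| extend Hop = row_number()
```

The InternetMessageId column in the result is the value to feed into the mailbox audit log query, so the two timelines (who received the file, who then read the message) can be stitched together.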

PowerShell to export mailbox audit log to CSV with internet message IDs

You can also use PowerShell with the Search-MailboxAuditLog cmdlet. In Excel you can use conditional formatting rules to highlight the emails of interest by their internet message IDs.

Happy hunting.


Find more IT Infrastructure tips at blog.alexmags.com