EmailPostDeliveryEvents in Microsoft Defender for Office 365 records actions taken on a message after it has already been delivered, such as zero-hour auto purge (ZAP) or manual remediation by an administrator, together with the location the message ended up in (Inbox, Junk email folder, Deleted items, Quarantine). A rise in these actions is a useful signal of phishing or malware (MITRE ATT&CK T1566, Initial Access) that initially passed filtering and was only caught after delivery, so SOC teams should hunt for it in Microsoft Sentinel rather than relying on pre-delivery email security controls alone. The query below charts the daily number of post-delivery actions by final location over the last 30 days.
KQL Query
// Daily count of post-delivery actions, split by where the message ended up.
// DeliveryLocation in EmailPostDeliveryEvents takes values such as "Inbox/folder",
// "Junk email folder", "Deleted items" and "Quarantine". `has` matches whole terms,
// so each search word below must be a complete word from one of those values.
// TimeEnd is the start of today so the partial current day does not appear as an artificially low bin.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let quarantine = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where DeliveryLocation has 'Quarantine'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Quarantine";
let delete = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where DeliveryLocation has 'Deleted'   // 'Delete' is not a whole term in "Deleted items" and matches nothing
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Delete";
let junk = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where DeliveryLocation has 'Junk'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Junk";
let inbox = EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where DeliveryLocation has 'Inbox'
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| extend Details = "Inbox";
union quarantine, delete, junk, inbox
| project Count, Details, Timestamp
| render timechart
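A chart only tells you that a day spiked; the next thing an analyst needs is what drove it. The following drill-down is an added example and is not part of the original page or the Sentinel solution. It assumes the Microsoft 365 Defender connector is streaming both EmailPostDeliveryEvents and EmailEvents, and it joins the two on NetworkMessageId and RecipientEmailAddress to recover the sender and subject, which post-delivery events do not carry themselves. SpikeDay and Location are hypothetical parameters you set from the chart.

```kusto
// Added example (not from the original page): pivot from a spike on the chart
// to the messages behind it. Assumes EmailPostDeliveryEvents and EmailEvents are
// both available in the workspace.
let SpikeDay = startofday(ago(1d));   // hypothetical: set to the day that spiked on the chart
let Location = "Quarantine";          // series to drill into, e.g. "Junk" or "Deleted"
EmailPostDeliveryEvents
| where Timestamp between (SpikeDay .. (SpikeDay + 1d))
| where DeliveryLocation has Location
// The original delivery can predate the post-delivery action by days, so look
// back further for the EmailEvents row. leftouter keeps actions whose delivery
// record is outside that window instead of silently dropping them.
| join kind=leftouter (
    EmailEvents
    | where Timestamp between ((SpikeDay - 7d) .. (SpikeDay + 1d))
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, SenderFromDomain, Subject
  ) on NetworkMessageId, RecipientEmailAddress
// One row per (what was done, who triggered it, did it succeed, sending domain),
// so an admin bulk remediation and a ZAP campaign separate cleanly.
| summarize Messages   = dcount(NetworkMessageId),
            Recipients = dcount(RecipientEmailAddress),
            SampleSubject = take_any(Subject),
            Senders    = make_set(SenderFromAddress, 5)
    by ActionType, ActionTrigger, ActionResult, SenderFromDomain
| order by Messages desc
```

ActionTrigger distinguishes automated actions from administrator-initiated ones, and ActionResult shows whether the remediation actually succeeded; a large count of failed actions against a single sending domain is worth a closer look than the raw daily total.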
id: 9b83fc5e-1271-4a5b-af84-e7ebf5436180
name: Post Delivery Events by Location
description: |
  This query visualises the number of emails that had a post-delivery action, summarised daily by the final location of the message after the action.
description-detailed: |
  This query visualises the number of emails that had a post-delivery action, summarised daily by the final location of the message after the action.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let quarantine = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where DeliveryLocation has 'Quarantine'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Quarantine";
  let delete = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where DeliveryLocation has 'Deleted'   // whole-term match against "Deleted items"
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Delete";
  let junk = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where DeliveryLocation has 'Junk'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Junk";
  let inbox = EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where DeliveryLocation has 'Inbox'
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | extend Details = "Inbox";
  union quarantine, delete, junk, inbox
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0
Scenario: Scheduled backup jobs send automated completion notifications. Bulk, near-identical notification mail of this kind is sometimes re-classified as spam or bulk after delivery, at which point zero-hour auto purge (ZAP) moves it to the Junk email folder and a post-delivery event is recorded for every recipient copy, inflating the Junk series.
Filter/Exclusion: Post-delivery events do not carry the sender or subject. Join EmailPostDeliveryEvents to EmailEvents on NetworkMessageId (and RecipientEmailAddress) and exclude messages whose SenderFromAddress is the backup notification account (e.g. backup@company.com) or whose Subject contains "Backup Completed".
Scenario: A scheduled administrative task (e.g. a PowerShell or Ansible job) sends a confirmation email when it completes. As with backup notifications, these repetitive messages can be moved after delivery and then appear as post-delivery events.
Filter/Exclusion: After joining to EmailEvents as above, exclude messages whose SenderFromAddress is a known automation or admin account (e.g. admin@company.com).
Scenario: A legitimate marketing campaign sent through a platform such as Mailchimp or HubSpot reaches many mailboxes at once. Campaign mail is a frequent target of post-delivery spam reclassification and will then show up in the Junk series in volume.
Filter/Exclusion: Exclude messages whose SenderFromDomain or SenderMailFromDomain in EmailEvents matches the marketing platform or the campaign's sending domain (e.g. mailchimp.com or hubspot.com).
Scenario: An internal user sends mail from outside the corporate network through Outlook on the web (OWA). The remote IP itself does not generate a post-delivery event; one is only recorded if the message is later acted on, for example by ZAP or by an administrator remediating a user report.
Filter/Exclusion: Exclude intra-organisation traffic with EmailDirection == "Intra-org" in EmailEvents, or exclude SenderFromAddress values belonging to internal user accounts, rather than filtering on source IP.
Scenario: A monitoring system (e.g. Nagios or Zabbix) sends alert emails whenever a check fires. High-frequency alert mail behaves like the backup notifications above.
Filter/Exclusion: Exclude messages from the monitoring sender (e.g. nagios@company.com) or whose Subject contains "System Health Check" or similar keywords. Subject-based exclusions are trivial for an attacker to satisfy by copying the subject line, so for anything broader than a single known sender prefer the sender address combined with the SPF/DKIM/DMARC results in EmailEvents' AuthenticationDetails.
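The exclusions above all come down to one mechanism: identify noisy messages in EmailEvents, then remove their post-delivery events before charting. The query below is an added example, not part of the original page or the Sentinel solution, that applies every scenario in one pass. It also generalises the original chart by splitting on every DeliveryLocation value with `by` instead of four hand-picked series. The sender addresses, domains and subject keywords are the hypothetical values from the scenarios; replace them with your own.

```kusto
// Added example (not from the original page): the daily post-delivery chart with
// known-benign senders removed. Assumes EmailPostDeliveryEvents and EmailEvents
// are both ingested through the Microsoft 365 Defender connector.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Hypothetical exclusion lists, taken from the scenarios above.
let ExcludedSenders        = dynamic(["backup@company.com", "admin@company.com", "nagios@company.com"]);
let ExcludedSenderDomains  = dynamic(["mailchimp.com", "hubspot.com"]);
let ExcludedSubjectKeywords = dynamic(["Backup Completed", "System Health Check"]);
// Messages we consider noise. Delivery can predate the post-delivery action, so
// look back a week further than the chart window. Intra-org mail is excluded
// here in place of the source-IP filter from the OWA scenario.
let Noise = EmailEvents
| where Timestamp >= TimeStart - 7d
| where SenderFromAddress in~ (ExcludedSenders)
     or SenderFromDomain in~ (ExcludedSenderDomains)
     or SenderMailFromDomain in~ (ExcludedSenderDomains)
     or Subject has_any (ExcludedSubjectKeywords)
     or EmailDirection == "Intra-org"
| distinct NetworkMessageId, RecipientEmailAddress;
EmailPostDeliveryEvents
| where Timestamp >= TimeStart
// leftanti keeps only post-delivery events with no matching noise record.
| join kind=leftanti (Noise) on NetworkMessageId, RecipientEmailAddress
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d by DeliveryLocation
| render timechart
```

Run the original and the tuned chart side by side before committing to an exclusion list: if a "Junk" spike disappears entirely once a single sender is removed, that is a tuning finding, but if it merely shrinks, the remainder still needs the drill-down. Keep the subject-keyword list short for the reason given in the last scenario, since it is the one filter an attacker controls.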