Zero-hour auto purge (ZAP) is the Microsoft Defender for Office 365 mechanism that retroactively acts on messages already delivered to Exchange Online mailboxes once they are reclassified as spam, phishing or malware. Every ZAP action is recorded in the EmailPostDeliveryEvents table, so the daily ZAP count is a direct measure of how many malicious messages got past filtering at delivery time and sat in user mailboxes until the verdict changed. A sustained rise or a sharp spike is worth hunting on in Microsoft Sentinel (formerly Azure Sentinel): it usually marks a phishing or malware campaign that evaded initial detection, and the affected recipients may already have opened the messages. The query below charts that trend over the last 30 days.
KQL Query
// Daily count of messages that zero-hour auto purge (ZAP) acted on after delivery, last 30 days
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailPostDeliveryEvents
| where Timestamp >= TimeStart
| where ActionType has "ZAP"    // matches "Spam ZAP", "Phish ZAP" and "Malware ZAP"; excludes "Manual remediation"
| make-series ZappedEmails = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
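As an added example (not part of the original hunting query), the same 30-day series split by ActionType, with Kusto's built-in series decomposition flagging days whose ZAP count departs from the baseline. The anomaly threshold of 1.5 and the 30-day window are assumptions to tune for your tenant; Spam ZAP usually dominates the raw count, so reading the series per ActionType keeps a spam wave from masking a phishing spike.

```kusto
// Added example: daily ZAP volume per ActionType with anomaly scoring.
// Spam ZAP, Phish ZAP and Malware ZAP are built as separate series so a
// routine spam wave does not hide a phishing or malware spike.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailPostDeliveryEvents
| where Timestamp between (TimeStart .. TimeEnd)
| where ActionType has "ZAP"
| make-series ZappedEmails = count() default = 0
    on Timestamp from TimeStart to TimeEnd step 1d
    by ActionType
// series_decompose_anomalies returns (flag, score, baseline). Threshold 1.5 is an
// assumed starting point; seasonality -1 lets Kusto auto-detect the weekly cycle.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(ZappedEmails, 1.5, -1, 'linefit')
| mv-expand Timestamp to typeof(datetime),
            ZappedEmails to typeof(long),
            Anomalies to typeof(int),
            Score to typeof(double),
            Baseline to typeof(double)
| where Anomalies == 1        // +1 = positive anomaly (spike); -1 would be a dip
| project Timestamp, ActionType, ZappedEmails,
          Baseline = round(Baseline, 1), Score = round(Score, 2)
| order by Timestamp desc, Score desc
```

To keep the chart from the original query, stop before the mv-expand and append `| render timechart`; the per-ActionType series then plot as separate lines.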
id: c10b22a0-6021-46f9-bdaf-05bf2350a554
name: Post Delivery Events over time
description: |
  This query visualises the daily number of emails that received a post-delivery action from zero-hour auto purge (ZAP).
description-detailed: |
  This query visualises the daily number of emails that received a post-delivery action from zero-hour auto purge (ZAP) in Microsoft Defender for Office 365.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Daily count of messages that zero-hour auto purge (ZAP) acted on after delivery, last 30 days
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailPostDeliveryEvents
  | where Timestamp >= TimeStart
  | where ActionType has "ZAP"    // matches "Spam ZAP", "Phish ZAP" and "Malware ZAP"; excludes "Manual remediation"
  | make-series ZappedEmails = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
Scenario: Daily Email Archive Job
Description: Moving mail to an archive mailbox (Exchange Online Archiving driven by retention tags, or a scheduled export) is a mailbox operation, not a Defender for Office 365 post-delivery action. It writes nothing to EmailPostDeliveryEvents and cannot raise the ZAP count.
Filter/Exclusion: None required. The table has no job name or tool column to filter on; if a spike coincides with an archive run, confirm the rows are genuine by inspecting ActionType, ThreatTypes and DetectionMethods rather than excluding them.
Scenario: System Maintenance Task
Description: Administrative cleanup and mailbox maintenance do not produce post-delivery events. The only admin-originated rows in this table are ActionType "Manual remediation" with ActionTrigger "AdminAction", which the `ActionType has "ZAP"` filter already excludes; ZAP rows carry ActionTrigger "SystemAction".
Filter/Exclusion: None required. To make the distinction visible, summarize by ActionTrigger and ActionType instead of looking for a source or tool field that does not exist in this table.
Scenario: User-Initiated Email Deletion
Description: A user deleting a message in Outlook or Outlook on the web is a mailbox change that Defender does not record; it does not appear in EmailPostDeliveryEvents and does not match a ZAP ActionType.
Filter/Exclusion: None required; there is no user-action column or user-deletion action type in this table.
Scenario: Email Retention Policy Enforcement
Description: Retention policy expiry is applied by the mailbox assistant and is likewise not a post-delivery action. The query cannot misread it as ZAP because it filters on ActionType, which only Defender populates.
Filter/Exclusion: None required. The real benign contributor to day-to-day variance is Spam ZAP, which normally outnumbers Phish ZAP and Malware ZAP; chart the three ActionType values as separate series so spam volume does not mask a phishing spike.
Scenario: Third-Party Email Migration Tool
Description: Migration tools import messages into mailboxes; they do not generate post-delivery events, and the table carries no migration identifier to filter on.
Filter/Exclusion: None required. Treat any ZAP rows that fall inside a migration window as real and triage them by sender, subject and recipient count like any other day's events.
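As an added example (not part of the original hunting query), the triage step that follows once the chart shows a spike: take the busiest day in the window, pull its ZAP rows, and join them back to EmailEvents on NetworkMessageId and recipient so the purged messages can be grouped into the campaign that produced them. The 30-day and 45-day look-backs are assumptions; ZAP can act hours or days after delivery, so the EmailEvents window must extend well before the spike day.

```kusto
// Added example: drill into the day with the most ZAP actions and group the
// purged messages by sender and subject, with dwell time in the mailbox.
let SpikeDay = toscalar(
    EmailPostDeliveryEvents
    | where Timestamp > ago(30d) and ActionType has "ZAP"
    | summarize Zapped = count() by Day = startofday(Timestamp)
    | top 1 by Zapped desc
    | project Day);
let Zapped = EmailPostDeliveryEvents
    | where Timestamp >= SpikeDay and Timestamp < SpikeDay + 1d
    | where ActionType has "ZAP"
    | project ZapTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              ActionType, ActionTrigger, ActionResult, ThreatTypes, DetectionMethods;
Zapped
| join kind=inner (
    EmailEvents
    // 45d is an assumed look-back: the original delivery precedes the ZAP action
    | where Timestamp > ago(45d)
    | project NetworkMessageId, RecipientEmailAddress, DeliveryTime = Timestamp,
              SenderFromAddress, SenderFromDomain, Subject, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
// hours the message sat in the mailbox before ZAP removed it
| extend DwellHours = round((ZapTime - DeliveryTime) / 1h, 1)
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstDelivered = min(DeliveryTime),
            LastZapped = max(ZapTime),
            MaxDwellHours = max(DwellHours),
            Threats = make_set(ThreatTypes, 5),
            Triggers = make_set(ActionTrigger, 3),
            Results = make_set(ActionResult, 3),
            OriginalDelivery = make_set(DeliveryAction, 3)
    by SenderFromDomain, SenderFromAddress, Subject, ActionType
| order by Recipients desc
```

Rows with high Recipients and long MaxDwellHours are the ones to act on first: those messages reached many mailboxes and stayed readable for longest before the verdict flipped. OriginalDelivery shows whether the message was initially "Delivered" to the inbox or already "Junked", which changes how urgent user follow-up is.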