Building a Complete Phishing Investigation in Microsoft Defender XDR.
At 8:14 AM the phishing email arrived.
At 8:18 AM a user clicked the embedded link.
Safe Links inspected the destination. One user continued.
A suspicious process started. Moments later, the device contacted an unfamiliar server.
Each event looked small on its own.
Together, they told the full story.
Agent Foskett was not investigating an email anymore. He was investigating an attack.
Lesson overview
Learn how to combine Microsoft Defender XDR telemetry to investigate a phishing attack from initial email delivery through user interaction, endpoint execution and outbound network communication.
Why complete investigations matter
The complete phishing investigation workflow
Step 1 — Confirm the email delivery
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| where Timestamp > ago(24h)
| where Subject contains "Password expiry"
| project Timestamp,
SenderFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction,
NetworkMessageId,
InternetMessageId,
ReportId
| order by Timestamp asc
Step 2 — Identify URL click activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
UrlClickEvents
| where Timestamp > ago(24h)
| project Timestamp,
AccountUpn,
Url,
UrlChain,
IsClickedThrough,
ActionType,
NetworkMessageId
| order by Timestamp asc
Step 3 — Correlate email delivery with click activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
EmailEvents
| join kind=inner (
UrlClickEvents
) on NetworkMessageId
| project EmailTime = EmailEvents.Timestamp,
ClickTime = UrlClickEvents.Timestamp,
RecipientEmailAddress,
SenderFromAddress,
Subject,
Url,
UrlChain,
IsClickedThrough,
ActionType
| order by ClickTime asc
Step 4 — Look for process execution after the email
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
EmailEvents
| join kind=inner (
DeviceProcessEvents
) on $left.RecipientEmailAddress == $right.AccountUpn
| where DeviceProcessEvents.Timestamp between (EmailEvents.Timestamp .. EmailEvents.Timestamp + 1h)
| project EmailTime = EmailEvents.Timestamp,
ProcessTime = DeviceProcessEvents.Timestamp,
RecipientEmailAddress,
DeviceName,
Subject,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by ProcessTime asc
Step 5 — Review outbound network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
EmailEvents
| join kind=inner (
DeviceNetworkEvents
) on $left.RecipientEmailAddress == $right.AccountUpn
| where DeviceNetworkEvents.Timestamp between (EmailEvents.Timestamp .. EmailEvents.Timestamp + 1h)
| project EmailTime = EmailEvents.Timestamp,
NetworkTime = DeviceNetworkEvents.Timestamp,
RecipientEmailAddress,
DeviceName,
Subject,
InitiatingProcessFileName,
RemoteUrl,
RemoteIP
| order by NetworkTime asc
Step 6 — Check file activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (".exe", ".js", ".vbs", ".lnk", ".zip", ".iso")
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
FileName,
FolderPath,
SHA256,
InitiatingProcessFileName
| order by Timestamp asc
How to read the complete timeline
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Academy milestone
Coming next
Final thought
Building a Complete Phishing Investigation in Microsoft Defender XDR
Agent Foskett Academy Lesson 80 teaches defenders how to build a complete phishing investigation in Microsoft Defender XDR.
Complete Defender XDR phishing investigation workflow
This capstone lesson explains how EmailEvents, UrlClickEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, NetworkMessageId, InternetMessageId, ReportId, UrlChain, IsClickedThrough and ActionType help defenders reconstruct a phishing attack from email delivery to endpoint compromise.
