Agent Foskett Academy • Lesson 44 • Investigating EmailAttachmentInfo

Investigating EmailAttachmentInfo in Microsoft Defender XDR

EmailAttachmentInfo records attachment details for emails processed by Microsoft Defender for Office 365.

It helps defenders answer a key investigation question: what file was attached, what was its hash, and where else did it appear?

In this lesson, you'll learn how to investigate filenames, hashes, suspicious extensions and email-delivered payloads using EmailAttachmentInfo.

Agent Foskett Academy lesson explaining EmailAttachmentInfo in Microsoft Defender XDR
Lesson overview

Learn how EmailAttachmentInfo helps defenders investigate attachments, file hashes and suspicious email-delivered payloads.

Review attachment metadata
Hunt suspicious filenames and hashes
Pivot into email and endpoint evidence

Why EmailAttachmentInfo matters

EmailEvents tells you an email existed. EmailAttachmentInfo tells you what files were attached to it.
Attachments often carry the payloadPhishing and malware investigations often turn on the attachment name, file hash and relationship to the original message.
Hashes create pivotsSHA256 and SHA1 values allow defenders to search for the same file across email and endpoint telemetry.
NetworkMessageId connects the storyNetworkMessageId lets defenders join attachment evidence back to EmailEvents, UrlClickEvents and post-delivery investigation tables.

Investigation scenario

A user received a suspicious email with an attachment. EmailEvents showed the message. EmailAttachmentInfo identified the file, its hash and whether the same attachment appeared elsewhere.
The email was suspiciousThe sender, subject and delivery action made the message worth investigating.
The attachment became the evidenceThe filename and hash helped identify whether the file was unique, repeated or connected to other recipients.
The hash became the pivotOnce the hash was known, defenders could search endpoint file telemetry to see whether the attachment was downloaded, opened or written to disk.

Step 1 — Review recent attachment activity

Start with recent attachment records and keep the fields that explain who received the attachment, what it was called and which hashes were recorded.
emailattachmentinfo-recent-attachments.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailAttachmentInfo
| where Timestamp > ago(7d)
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, SHA1, ThreatTypes
| order by Timestamp desc

Step 2 — Find common attachment names and hashes

Summarise attachment names and hashes to understand what files are appearing most often across email traffic.
emailattachmentinfo-common-files.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailAttachmentInfo
| where Timestamp > ago(30d)
| summarize Messages = dcount(NetworkMessageId), Recipients = dcount(RecipientEmailAddress)
                            by FileName, FileType, SHA256
| top 50 by Messages desc

Step 3 — Hunt for suspicious attachment extensions

Search for attachment names and extensions that are commonly abused during phishing, malware staging and payload delivery.
emailattachmentinfo-suspicious-extensions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailAttachmentInfo
| where Timestamp > ago(14d)
| where FileName has_any (".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".scr", ".exe", ".zip")
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, ThreatTypes, NetworkMessageId
| order by Timestamp desc

Step 4 — Investigate one email message

When a message becomes interesting, filter by NetworkMessageId and list every attachment connected to that email.
emailattachmentinfo-one-message.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
let TargetMessageId = "replace-with-network-message-id";
EmailAttachmentInfo
| where NetworkMessageId == TargetMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          FileName, FileType, SHA256, SHA1, ThreatTypes
| order by Timestamp asc

Step 5 — Join attachments back to EmailEvents

Join EmailAttachmentInfo to EmailEvents so attachment evidence can be viewed beside the message subject, delivery action and threat classification.
emailattachmentinfo-join-emailevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailAttachmentInfo
| where Timestamp > ago(7d)
| join kind=leftouter (
                            EmailEvents
    | where Timestamp > ago(7d)
    | project NetworkMessageId, Subject, DeliveryAction, ThreatTypes, EmailDirection
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject,
          DeliveryAction, FileName, FileType, SHA256, ThreatTypes
| order by Timestamp desc

Step 6 — Pivot from email attachment to endpoint file activity

Use attachment hashes to search DeviceFileEvents and determine whether an email-delivered file appeared on an endpoint.
emailattachmentinfo-pivot-to-devicefileevents.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
let AttachmentHashes = EmailAttachmentInfo
| where Timestamp > ago(7d)
| where isnotempty(SHA256)
| distinct SHA256;
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (AttachmentHashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName
| order by Timestamp desc

Common investigation uses

EmailAttachmentInfo is most useful when defenders need to move from a suspicious message to the file evidence carried by that message.
Investigate phishing attachmentsReview attachment names, file types and hashes connected to suspicious emails and phishing campaigns.
Track repeated payloadsUse SHA256 values to find the same attachment across multiple recipients, senders or messages.
Connect email to endpoint activityPivot from attachment hashes into DeviceFileEvents to check whether the file appeared on a device.

Common mistakes

Attachment investigations can go wrong when defenders stop at the email and never follow the file evidence.
Only reading the subject lineThe subject may look harmless while the attachment name, type or hash tells a different story.
Ignoring the hashThe filename may change, but the hash can reveal the same payload across multiple messages or endpoints.
Not joining tablesEmailAttachmentInfo becomes much stronger when joined to EmailEvents, UrlClickEvents, EmailPostDeliveryEvents and DeviceFileEvents.
EmailAttachmentInfo is where suspicious email becomes file evidence.
Use it to identify the attachment, collect the hash and follow the payload across the wider incident timeline.
Back to Academy →

What you learned

EmailAttachmentInfo records attachment metadataYou can use it to review attachment names, file types, hashes, recipients and message identifiers.
NetworkMessageId connects the email storyYou can join attachment records back to EmailEvents and other email investigation tables.
Hashes support wider pivotsAttachment hashes can help defenders search endpoint telemetry and identify whether a payload reached a device.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with the message metadata before reviewing the attachments connected to the email.
Investigating UrlClickEventsReview whether users clicked links connected to suspicious email activity.
Investigating DeviceFileEventsPivot from attachment hashes into endpoint file creation and download activity.
Investigating AlertEvidenceConnect alerts to the email, files, users and devices involved in an investigation.
Connecting Tables with joinJoin EmailAttachmentInfo to EmailEvents and endpoint telemetry.
Building Investigation TimelinesTurn email and file evidence into a clear incident timeline.
Using has_anySearch for multiple suspicious attachment names, file types and indicators.
Extracting Evidence with extract()Extract useful indicators from filenames, subjects and attachment-related fields.

Coming next

Lesson 45 — Investigating EmailUrlInfo in Microsoft Defender XDRNext, Agent Foskett Academy will continue email investigations with EmailUrlInfo, helping defenders investigate URLs extracted from emails and connect them to phishing activity.
Why this mattersAfter investigating attachments, defenders also need to understand the URLs embedded in messages and how they connect to user clicks, Safe Links and post-delivery activity.
What you will learn nextLearn how to review email URLs, suspicious domains, message identifiers and URL evidence connected to phishing campaigns.

Final thought

EmailAttachmentInfo turns the email from a message into evidence you can follow.
Agent Foskett mindsetDo not stop at the inbox. Name the file, capture the hash, connect the message and follow the payload wherever it appears next.
Follow the fileA suspicious attachment may start in email, but the real story often continues in endpoint telemetry.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating EmailAttachmentInfo in Microsoft Defender XDR

Agent Foskett Academy Lesson 44 teaches defenders how to use EmailAttachmentInfo to investigate email attachments, attachment names, file hashes, suspicious payloads and malware delivery evidence in Microsoft Defender XDR.

Learn EmailAttachmentInfo for Microsoft Defender XDR hunting

This lesson explains how EmailAttachmentInfo supports Microsoft Defender XDR investigations by helping defenders review attachment metadata, join email evidence, track hashes and pivot into endpoint file telemetry.