
The Attachment Was Never Opened

The email arrived quietly.

The attachment passed initial checks. No major alert fired. The user said they never opened it.

But later that day, Microsoft Defender XDR showed file activity on the endpoint, PowerShell execution, outbound network traffic and identity behaviour that did not quite fit.

This Agent Foskett investigation follows the evidence from email delivery through attachment metadata, SHA256 pivots and endpoint execution to the post-delivery decision.

The dangerous part was not just the attachment.

It was what happened after the attachment landed.

Briefing summary

A Microsoft Defender XDR investigation into suspicious attachment delivery, EmailAttachmentInfo, DeviceFileEvents, DeviceProcessEvents and the endpoint activity that followed.

Trace attachment delivery
Pivot by SHA256 and file activity
Correlate email, endpoint and identity signals
🚨 The attachment was only the beginning.
A malicious attachment investigation should not stop at delivery. The real answer may be hidden in file creation, process execution, network activity, identity behaviour and post-delivery remediation.

What happened

A user received an email with an attachment. The message did not look dangerous at first. No one reported a phishing attempt. But endpoint telemetry later showed activity that needed to be explained.
The email was delivered: the first question was simple. Did the message reach the user, and what attachment arrived with it?
The attachment looked ordinary: invoices, documents and compressed archives look routine, which is exactly why they still need investigating.
The endpoint told the next story: DeviceFileEvents and DeviceProcessEvents showed activity that connected the attachment to later behaviour.

Why attachment investigations matter

Modern phishing is not always about a user immediately clicking a link. Sometimes the chain starts with an attachment, an extracted file, a script, or a document that triggers activity later.
Files leave persistent evidence: unlike a link click, a file leaves traces across downloads, temp folders, extraction paths and process execution.
Initial scanning is not the whole story: threat intelligence changes. A file can look acceptable at first and become suspicious after its behaviour or reputation changes.
SHA256 becomes the pivot: once you know the file hash, you can hunt across devices, users, processes and network connections.

First hunt: find delivered attachments

Start with EmailAttachmentInfo. This table has one row per attachment per recipient and gives you the file name, file type, size and hash values needed for deeper investigation, plus the NetworkMessageId that ties each attachment back to the message that carried it.
email-attachment-delivery-investigation.kql
// One row per attachment per recipient; widen or narrow the window to suit the case
EmailAttachmentInfo
| where Timestamp > ago(30d)
| project Timestamp,
          NetworkMessageId,        // key back into EmailEvents
          FileName,
          SHA256,                  // key into DeviceFileEvents
          FileType,
          FileSize,
          RecipientEmailAddress,
          SenderFromAddress
| order by Timestamp desc
What to review: look for unusual file types, archive files, unfamiliar senders, repeated attachments and high-value recipients.
Why it matters: email attachment telemetry gives you the file evidence needed to pivot beyond the inbox.
Best next pivot: use NetworkMessageId to review the original message and SHA256 to hunt endpoint activity.

Second hunt: connect the attachment to the original email

The attachment should be investigated together with the message that carried it. EmailEvents helps show sender identity, recipient, subject, authentication details and delivery action.
attachment-to-email-events-correlation.kql
// Attachment rows carry the NetworkMessageId of the message that delivered them.
// Joining on it pulls in sender, subject, delivery verdict and authentication results.
let Attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | project NetworkMessageId, FileName, SHA256, FileType;
Attachments
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(30d)
    | project Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, DeliveryAction, AuthenticationDetails
) on NetworkMessageId
| order by Timestamp desc
What to review: check whether the email was delivered, junked, blocked or replaced, whether the sender failed SPF, DKIM or DMARC (AuthenticationDetails holds those verdicts), whether the header From address differs from the envelope sender, and whether the same message went to multiple users.
Why it matters: a suspicious file becomes more important when the original message also shows a sender mismatch, DMARC failure or risky delivery.
Best next pivot: move from the SHA256 value into DeviceFileEvents to determine whether the attachment appeared on an endpoint.
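The authentication check described above, written out as one query. This is an added example, not a query from the original page or from GEMXIT. It assumes that AuthenticationDetails holds the JSON verdict object Defender XDR emits (keys SPF, DKIM, DMARC and CompAuth); the 30-day window and the choice to treat anything other than "pass" as a failure are assumptions to adjust to the case.

```kql
// Added example: delivered, attachment-bearing messages whose sender failed
// DMARC or composite authentication, or whose header From differs from the
// envelope sender, rolled up per message with recipient fan-out.
let lookback = 30d;                                   // assumption: widen or narrow to the case
EmailEvents
| where Timestamp > ago(lookback)
| where AttachmentCount > 0 and DeliveryAction == "Delivered"
// AuthenticationDetails is a JSON string; pull the individual verdicts out of it
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
         DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
// header From (what the user sees) versus envelope MAIL FROM (what SPF checks)
| extend SenderMismatch = SenderFromAddress !~ SenderMailFromAddress
| where DMARC != "pass" or CompAuth != "pass" or SenderMismatch
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
) on NetworkMessageId, RecipientEmailAddress
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen  = min(Timestamp),
            Files      = make_set(FileName, 10),
            Hashes     = make_set(SHA256, 10)
    by NetworkMessageId, SenderFromAddress, SenderMailFromAddress, SenderMismatch,
       Subject, SPF, DKIM, DMARC, CompAuth
| order by Recipients desc, FirstSeen asc
```

Messages that reached many recipients with a failed or missing verdict float to the top, and the Hashes column is the SHA256 list to carry into the endpoint pivots that follow.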

Third hunt: pivot from SHA256 into endpoint file activity

Once the attachment hash is known, DeviceFileEvents can help identify whether the file appeared on a device, where it was written and which process or account was involved.
attachment-sha256-devicefileevents-pivot.kql
// Replace the placeholder with the SHA256 taken from EmailAttachmentInfo
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == "PUT_SHA256_HERE"
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountName,   // the account the writing process ran as
          FolderPath,                     // Outlook cache, Downloads, temp or an extraction folder
          FileName,
          SHA256,
          ActionType                      // FileCreated, FileModified, FileRenamed and so on
| order by Timestamp desc
What to review: look for file creation, rename, extraction paths, Downloads folders, temp directories and unexpected devices. Outlook writes a previewed or saved attachment into its Content.Outlook cache under INetCache, so a write in that path is consistent with a user who only previewed the message. If the attachment is an archive, the archive hash will not match anything extracted from it; once the archive write is found, pivot on the extraction folder and the extracting process rather than on SHA256.
Why it matters: the file may have moved from the inbox to the endpoint even if the user does not remember opening it.
Best next pivot: review process execution around the same timestamp on the same device and account.

Fourth hunt: look for suspicious process execution

The important signal may appear after the file lands. Attackers often rely on trusted Windows tools such as PowerShell, mshta, rundll32, wscript or cmd to continue execution.
post-attachment-process-execution.kql
// Trusted Windows binaries that attachment chains commonly hand off to
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                      "rundll32.exe", "wscript.exe", "cscript.exe")
// has_any matches whole terms: "enc" catches -enc but not -EncodedCommand, so list both.
// PowerShell also accepts shorter prefixes such as -e or -ec; those need a regex match.
| where ProcessCommandLine has_any (
    "-enc", "encodedcommand", "downloadstring", "invoke-webrequest", "iex",
    "frombase64string", "http", "temp", "appdata"
)
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine,
          InitiatingProcessFileName   // parent: outlook.exe, an Office app, explorer.exe or an archive tool stands out
| order by Timestamp desc
What to review: look for encoded commands, download cradles, script execution, unusual parent processes and suspicious working directories.
Why it matters: the attachment may only be the delivery method. The real compromise begins when trusted system tools are abused.
Best next pivot: review network connections, child processes and any identity activity after execution.

Fifth hunt: check outbound network activity

If a suspicious process started after attachment activity, network telemetry can reveal whether the device contacted external infrastructure, downloaded payloads or connected to suspicious domains.
post-attachment-network-activity.kql
// Same binaries as the process hunt, so the two result sets line up
DeviceNetworkEvents
| where Timestamp > ago(14d)
| where InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "wscript.exe", "cscript.exe"
)
| project Timestamp,
          DeviceName,
          InitiatingProcessAccountName,
          InitiatingProcessFileName,
          ActionType,        // ConnectionSuccess versus ConnectionFailed or blocked attempts
          RemoteUrl,
          RemoteIP,
          RemotePort
| order by Timestamp desc
What to review: look for unusual RemoteUrl values, unfamiliar IP addresses, odd ports and process-to-network behaviour that does not match the user.
Why it matters: a file that leads to outbound connections may indicate payload retrieval, command and control or staged compromise.
Best next pivot: review the user account, device risk, sign-ins and cloud activity after the network event.
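The identity pivot named above, as an added example that is not part of the original page or GEMXIT's own material. It reads IdentityLogonEvents for the affected account in the 24 hours after the network event and keeps only sign-ins from an IP, location and application combination that account had not used in the preceding 30 days. The UPN, the pivot timestamp, the 24-hour and 30-day windows are placeholders and assumptions to fill in from the earlier hunts.

```kql
// Added example: sign-ins for the affected user after the suspicious network
// event that do not match that user's own recent baseline.
let account  = "PUT_UPN_HERE";                          // assumption: UPN of the recipient
let pivot    = datetime(2000-01-01T00:00:00Z);          // assumption: Timestamp of the network event from the fifth hunt
let baselineWindow = 30d;                               // assumption: how far back "normal" is measured
let followWindow   = 24h;                               // assumption: how long after the event to watch
// What this account normally looks like: distinct IP, location and application triples
let baseline =
    IdentityLogonEvents
    | where Timestamp between ((pivot - baselineWindow) .. pivot)
    | where AccountUpn =~ account
    | summarize by IPAddress, Location, Application;
// Sign-ins after the event that fall outside that baseline (leftanti keeps non-matches only)
IdentityLogonEvents
| where Timestamp between (pivot .. (pivot + followWindow))
| where AccountUpn =~ account
| join kind=leftanti (baseline) on IPAddress, Location, Application
| project Timestamp, AccountUpn, ActionType, LogonType, Application, Protocol,
          IPAddress, Location, Isp, DeviceName, FailureReason
| order by Timestamp asc
```

An empty result is not a clean bill of health: it means nothing new appeared in the identity logon telemetry, so a successful sign-in from a known location with a stolen session still needs the cloud-app and MFA evidence the flow below calls for.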

What this kind of activity can indicate

Attachment-based investigations can reveal several different outcomes. Not every suspicious file means confirmed compromise, but every signal should be followed until the behaviour makes sense.
Malware delivery attempt: the attachment may have been used to deliver a payload, script or secondary download.
Credential theft workflow: some attachments do not execute malware. They lure users into opening links, forms or fake login pages.
Living-off-the-land activity: attackers may use normal Windows tools after delivery, reducing the chance of a simple signature-based alert.
Delayed detection: threat intelligence may only classify a file as malicious after more evidence is available.
User uncertainty: the user may not remember opening, previewing, downloading or extracting the attachment.
Confirmed compromise: if attachment, file, process, network and identity signals align, the incident should be treated seriously.

What dashboards miss

Dashboards are useful, but they do not always explain the full story. A security portal may show no immediate crisis while the telemetry still contains the chain of evidence.
The message may be low severity: a low-severity or informational email signal can become serious when endpoint execution follows.
The endpoint may hold the answer: the decisive evidence may not be in the email body. It may be in process creation, file activity or network telemetry.
Correlation beats alert chasing: email, file, process, network and identity data together show what happened far better than one alert alone.

The real investigation flow

A strong Microsoft Defender XDR attachment investigation follows the evidence across multiple telemetry sources instead of stopping at the first result.
1. Email delivery: review EmailEvents, delivery action, authentication details and sender context.
2. Attachment metadata: use EmailAttachmentInfo to identify file names, file types, hash values and recipients.
3. File activity: pivot into DeviceFileEvents to find whether the attachment appeared or changed on endpoints.
4. Process execution: review DeviceProcessEvents for PowerShell, scripts, LOLBins and unusual parent-child relationships.
5. Network and identity: check outbound connections, sign-ins, MFA activity and cloud access after execution.
6. Response: decide whether the file was benign, suspicious, blocked, remediated or part of confirmed compromise.
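Steps 1 to 5 chained into one query for a single attachment hash. This is an added example, not a query from the original page or from GEMXIT; it also serves the "same device, same window" pivots that the third and fourth hunts ask for but leave to the analyst. Unlike the fleet-wide process and network hunts above, it only returns executions on the device that received the file, inside a short window after the write, and only the connections made by those exact process instances. The hash placeholder, the 60-minute window, the binary list and the tie from recipient to endpoint account by UPN are assumptions to adjust.

```kql
// Added example: attachment hash -> delivery -> endpoint write -> LOLBin launch
// on that device within the window -> outbound connections of those processes.
let hash     = "PUT_SHA256_HERE";                       // assumption: hash from EmailAttachmentInfo
let lookback = 30d;                                     // assumption: retention window to search
let window   = 60m;                                     // assumption: how soon after the write counts as "related"
let lolbins  = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                        "rundll32.exe", "wscript.exe", "cscript.exe"]);
// 1 and 2. Delivery: who received this hash, from whom, and with what verdict
let delivery =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback) and SHA256 == hash
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction
    ) on NetworkMessageId, RecipientEmailAddress
    | project DeliveredAt = Timestamp, Recipient = tolower(RecipientEmailAddress),
              SenderFromAddress, Subject, DeliveryAction;
// 3. Landing: the same hash written on an endpoint, tied to the recipient by UPN
//    (assumption: the writing process ran as the recipient; leftouter keeps writes that do not match)
let landed =
    DeviceFileEvents
    | where Timestamp > ago(lookback) and SHA256 == hash
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | extend Recipient = tolower(InitiatingProcessAccountUpn)
    | join kind=leftouter (delivery) on Recipient
    | project LandedAt = Timestamp, DeviceId, DeviceName, FolderPath, FileName,
              WrittenBy = InitiatingProcessFileName, Recipient,
              DeliveredAt, SenderFromAddress, Subject, DeliveryAction;
// 4. Execution: trusted binaries started on that device inside the window after the write
let executed =
    landed
    | join kind=inner (
        DeviceProcessEvents
        | where Timestamp > ago(lookback)
        | where FileName in~ (lolbins)
        | project ProcAt = Timestamp, DeviceId, ProcName = FileName,
                  ProcessId, ProcessCreationTime, ProcessCommandLine,
                  Parent = InitiatingProcessFileName
    ) on DeviceId
    | where ProcAt between (LandedAt .. (LandedAt + window));
// 5. Network: connections made by exactly those process instances
//    (PID plus creation time, so a reused PID on the same device is not mistaken for the same process)
executed
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project NetAt = Timestamp, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteUrl, RemoteIP, RemotePort
) on DeviceId,
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| where isnull(NetAt) or NetAt between (ProcAt .. (ProcAt + window))
| project DeliveredAt, SenderFromAddress, Subject, DeliveryAction,
          LandedAt, DeviceName, Recipient, FolderPath, FileName, WrittenBy,
          ProcAt, ProcName, Parent, ProcessCommandLine,
          NetAt, RemoteUrl, RemoteIP, RemotePort
| order by LandedAt asc, ProcAt asc, NetAt asc
```

Rows with an empty NetAt are executions that made no recorded connection; they still belong in the timeline. If the attachment was an archive, the hash will stop at the write in step 3, and the FolderPath and WrittenBy columns are the clue for where to carry the hunt by path instead.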

How GEMXIT approaches attachment investigations

At GEMXIT, we do not stop at whether an attachment was detected. We follow the complete chain from email delivery to endpoint behaviour and identity impact.
We identify the file evidence: EmailAttachmentInfo, EmailEvents, NetworkMessageId and SHA256 values help establish what arrived and who received it.
We follow the behaviour: DeviceFileEvents, DeviceProcessEvents and DeviceNetworkEvents help explain what happened after the file landed.
We improve response: the outcome should strengthen Safe Attachments, Defender policies, user reporting, investigation playbooks and KQL visibility.
The user said the attachment was never opened. Defender showed the evidence.
GEMXIT helps organisations investigate Microsoft Defender XDR attachment telemetry, endpoint behaviour, identity pivots and practical KQL threat hunting workflows.

Final thought

The attachment may not be the incident. It may be the doorway.
At GEMXIT, we help organisations investigate suspicious attachments, Microsoft Defender XDR telemetry, endpoint activity, identity behaviour and practical KQL hunting workflows.
Agent Foskett mindset: the important question is not only:

“Was the attachment opened?”

It is:

“What changed after it arrived?”
