Agent Foskett • Microsoft Defender XDR • EmailAttachmentInfo

The User Opened The Attachment Two Days Later

The email looked harmless.

It arrived on Monday morning.

Nobody reported it.

No alert fired.

Then on Wednesday afternoon, the attachment was opened.

The delay changed the investigation.

This Agent Foskett investigation explores how defenders can use EmailEvents, EmailAttachmentInfo, timestamps and KQL to identify attachments that become dangerous long after the email was delivered.

Agent Foskett investigates a suspicious attachment opened two days after delivery in Microsoft Defender XDR
Briefing summary

An attachment may not become important when the email arrives. It becomes important when somebody opens it, saves it, executes it or when the file hash appears somewhere else in the environment.

Track delayed attachment activity
Correlate EmailEvents and EmailAttachmentInfo
Follow the attachment timeline
📎 The attachment did not matter until somebody opened it.
Email delivery is only the start. EmailAttachmentInfo helps defenders connect suspicious files back to the message, recipient, sender and timeline.

Why delayed attachment activity matters

Phishing investigations often focus on the moment an email arrives. But some incidents do not start immediately. A user might ignore an email for hours or days, then return to it later and open the attachment when the original alert has already been forgotten.
The email arrived quietly: The message was delivered, the attachment was present and nothing obvious happened at the time of delivery.
The attachment became active later: The important activity happened after the email had been sitting in the mailbox for two days.
The timeline exposed the delay: Comparing delivery time, attachment metadata and later endpoint activity can show the gap between arrival and user action.

First hunt: find recent email attachments

Start with EmailAttachmentInfo to identify attachments seen in Microsoft Defender XDR. This gives defenders file names, hashes and message identifiers that can be used as investigation pivots. Two things to know before you rely on it: the email tables in Advanced Hunting (EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents) are populated by Microsoft Defender for Office 365 Plan 2, so a tenant without that licence will see empty results, and EmailAttachmentInfo holds one row per attachment per recipient, so a single message with one file sent to twenty people produces twenty rows.
recent-email-attachments.kql
EmailAttachmentInfo
| where Timestamp > ago(30d)
| project Timestamp,
          NetworkMessageId,        // same value in EmailEvents: the pivot back to the message
          SenderFromAddress,
          RecipientEmailAddress,   // one row per attachment per recipient
          FileName,
          FileType,
          SHA256,                  // can be empty for some attachments
          ThreatTypes              // populated when Defender already flagged the file
| order by Timestamp desc
What to review: Look for unusual file names, risky file types, repeated hashes, rows where ThreatTypes is already populated, or attachments sent to multiple recipients.
Why it matters: NetworkMessageId lets you connect the attachment back to the email that delivered it, and the same identifier appears in EmailEvents and EmailPostDeliveryEvents, so it also links the file to later quarantine or zero-hour auto purge actions.
Best next pivot: Use the hash, file name or message identifier to move from attachment metadata into email and endpoint telemetry.

Second hunt: match attachments back to the email

EmailAttachmentInfo tells you about the file. EmailEvents tells you about the message. Joining them together gives the sender, recipient, subject and delivery details. Because both tables hold one row per recipient, join on NetworkMessageId and RecipientEmailAddress together; joining on the message identifier alone multiplies every attachment row by every recipient row for that message.
attachments-to-email-events.kql
EmailAttachmentInfo
| where Timestamp > ago(30d)
// Join on recipient as well as NetworkMessageId: both tables hold one row per
// recipient, so a message-ID-only join fans out across recipients.
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(30d)
    | project EmailTime = Timestamp,
              NetworkMessageId,
              RecipientEmailAddress,
              Subject,
              DeliveryAction,      // Delivered, Junked, Blocked, Replaced
              DeliveryLocation     // Inbox/folder, Junk, Quarantine, ...
) on NetworkMessageId, RecipientEmailAddress
| project EmailTime, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256, DeliveryAction, DeliveryLocation
| order by EmailTime desc

When an attachment deserves deeper investigation

Not every attachment is malicious. The goal is to determine whether the file, sender, recipient, timing and later endpoint activity fit normal behaviour.
Suspicious file context: Look for uncommon file types, double extensions such as report.pdf.exe, invoice themes, archives (password protection is not visible in the attachment metadata, so an archive from an unknown sender is worth opening on an isolated host) or attachments sent from unexpected domains.
Two-day delay: A delayed open can matter because the user may interact with the attachment after the original email has faded from attention, and after any initial triage of the message has already been closed.
Surrounding endpoint activity: Check whether the file hash, file name or user account appears in DeviceFileEvents (the file written or renamed on disk), DeviceProcessEvents (the file, or a child of it, actually executed) or other endpoint telemetry.
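The three checks above can be turned into a single triage pass over EmailAttachmentInfo that flags each signal and scores the row, so the analyst starts from the files that combine several weak indicators rather than from the full attachment list. The query below is an added example written for this page, not a query from the original article or from Microsoft; the extension lists, lure words, the trusted-domain placeholder and the score weights are assumptions to tune per tenant, and because password protection on an archive is not recorded in EmailAttachmentInfo, archives are only scored as a file type.

```kql
// Added example: score attachment rows on the signals described above.
// Assumptions (tune per tenant): RiskyTypes, ArchiveTypes, LureWords, the
// TrustedDomains placeholder and the weights. Password protection on an
// archive is not recorded in EmailAttachmentInfo, so archives only count as a type.
let LookBack = 30d;
let RiskyTypes = dynamic(["exe", "scr", "js", "vbs", "wsf", "hta", "iso", "img", "lnk", "docm", "xlsm", "one"]);
let ArchiveTypes = dynamic(["zip", "7z", "rar"]);
let LureWords = dynamic(["invoice", "statement", "payment", "remittance", "receipt"]);
let TrustedDomains = dynamic(["contoso.com"]);   // placeholder: your own and partner domains
EmailAttachmentInfo
| where Timestamp > ago(LookBack)
| extend Ext = tolower(tostring(split(FileName, ".")[-1]))
| extend SenderDomain = tolower(tostring(split(SenderFromAddress, "@")[1]))
// "report.pdf.exe": a benign-looking extension immediately before the real one
| extend DoubleExtension = FileName matches regex @"(?i)\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.[a-z0-9]{2,4}$"
| extend RiskyType = Ext in (RiskyTypes)
| extend Archive = Ext in (ArchiveTypes)
| extend LureName = FileName has_any (LureWords)
| extend ExternalSender = SenderDomain !in (TrustedDomains)
| extend AlreadyDetected = isnotempty(ThreatTypes)   // Defender already flagged the file
| extend RiskScore = iff(DoubleExtension, 3, 0)
                   + iff(RiskyType, 3, 0)
                   + iff(AlreadyDetected, 2, 0)
                   + iff(Archive, 1, 0)
                   + iff(LureName, 1, 0)
                   + iff(ExternalSender, 1, 0)
| where RiskScore >= 3
| extend Flags = bag_pack("DoubleExtension", DoubleExtension, "RiskyType", RiskyType,
                          "Archive", Archive, "LureName", LureName,
                          "ExternalSender", ExternalSender, "AlreadyDetected", AlreadyDetected)
// The same hash reaching several recipients is itself a signal, so collapse per file.
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Senders = make_set(SenderFromAddress, 5),
            Messages = make_set(NetworkMessageId, 5),
            Flags = take_any(Flags)
  by SHA256, FileName, FileType, RiskScore
| order by RiskScore desc, Recipients desc
```

A double extension or a directly executable type is weighted so that it clears the threshold on its own; an external sender or a lure word only matters in combination. Keep Messages in the output, since NetworkMessageId is the value you carry into the next two hunts.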

Third hunt: search endpoint activity for the attachment hash

If the attachment has a SHA256 value (the column can be empty, so filter on it rather than letting empty strings match each other), search endpoint telemetry to see whether the same file appeared on devices after delivery. DeviceFileEvents shows the file being written, renamed or deleted on a device, for example when Outlook saves it to a temporary folder; it does not show execution, which is a DeviceProcessEvents question.
attachment-hash-on-endpoints.kql
let SuspiciousHashes =
    EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where FileName has_any ("invoice", "statement", "payment")
    | where isnotempty(SHA256)        // avoid matching on an empty hash
    | distinct SHA256;
// DeviceFileEvents shows the file being written, renamed or deleted on a device;
// execution of the file is recorded in DeviceProcessEvents, not here.
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (SuspiciousHashes)
| project Timestamp, DeviceName, InitiatingProcessAccountName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp asc

Fourth hunt: build the attachment timeline

Once you know the message, attachment and possible endpoint activity, build a timeline. The question is not only whether the attachment existed, but what happened after the user interacted with it. Note that neither EmailEvents nor EmailAttachmentInfo records the moment a user opens an attachment; both describe the message at delivery time. The two-day gap in this investigation only becomes visible when the delivery timestamp is placed next to later DeviceFileEvents and DeviceProcessEvents rows for the same hash and user.
attachment-investigation-timeline.kql
let TargetMessage =
    EmailEvents
    | where Timestamp > ago(30d)
    | where Subject has "invoice"
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject;
TargetMessage
| join kind=inner (
    EmailAttachmentInfo
    | project AttachmentTime = Timestamp, NetworkMessageId, RecipientEmailAddress, FileName, FileType, SHA256
) on NetworkMessageId, RecipientEmailAddress   // per-recipient join, see second hunt
// AttachmentTime is the delivery-time record of the attachment, not the moment
// the user opened it; the delay only appears once endpoint events are added.
| project EmailTime, AttachmentTime, SenderFromAddress, RecipientEmailAddress, Subject, FileName, FileType, SHA256
| order by EmailTime asc
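The hunt above stops at the email side. The query below, an added example for this page rather than one from the original article, carries it into endpoint telemetry: it takes one message, collects its attachment hashes, pulls every file and process event for those hashes, ties each event back to the recipient, and computes how many hours after delivery each event happened. That computed gap is where "two days later" becomes a column you can sort on. It assumes you have already picked a NetworkMessageId (the zero GUID is a placeholder to replace), that the recipient's mailbox prefix matches the endpoint account name, and it uses Outlook's temporary Content.Outlook folder as a heuristic for "opened from the mail client".

```kql
// Added example: delivery-to-endpoint timeline for one message.
// Assumptions: TargetMessageId is a placeholder to replace with the real
// NetworkMessageId; the recipient's UPN prefix equals the endpoint AccountName;
// the Content.Outlook path check is only a heuristic for "opened from Outlook".
let LookBack = 30d;
let TargetMessageId = "00000000-0000-0000-0000-000000000000";   // placeholder
let Delivery =
    EmailEvents
    | where Timestamp > ago(LookBack)
    | where NetworkMessageId == TargetMessageId
    | project EmailTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, DeliveryAction;
let Attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(LookBack)
    | where NetworkMessageId == TargetMessageId
    | where isnotempty(SHA256)
    | project NetworkMessageId, RecipientEmailAddress, AttachmentFileName = FileName, SHA256
    | distinct *;
let Hashes = Attachments | distinct SHA256;
// File writes, renames and deletes involving the attachment hash (saving, extracting).
let FileActivity =
    DeviceFileEvents
    | where Timestamp > ago(LookBack)
    | where SHA256 in (Hashes)
    | project Timestamp, Source = "DeviceFileEvents", DeviceName,
              AccountName = InitiatingProcessAccountName, ActionType,
              FileName, FolderPath, SHA256, InitiatingProcessFileName,
              CommandLine = InitiatingProcessCommandLine;
// Processes that are the attachment itself, or children of a process that was.
let ProcessActivity =
    DeviceProcessEvents
    | where Timestamp > ago(LookBack)
    | where SHA256 in (Hashes) or InitiatingProcessSHA256 in (Hashes)
    | project Timestamp, Source = "DeviceProcessEvents", DeviceName,
              AccountName, ActionType, FileName, FolderPath, SHA256,
              InitiatingProcessFileName, CommandLine = ProcessCommandLine;
Delivery
| join kind=inner (Attachments) on NetworkMessageId, RecipientEmailAddress
// Tie endpoint events to the recipient through the account name (assumption above).
| extend AccountName = tolower(tostring(split(RecipientEmailAddress, "@")[0]))
| join kind=inner (
    union FileActivity, ProcessActivity
    | extend AccountName = tolower(AccountName)
) on SHA256, AccountName
| extend HoursAfterDelivery = datetime_diff('hour', Timestamp, EmailTime)
| extend LikelyOutlookOpen = InitiatingProcessFileName =~ "outlook.exe"
                             and FolderPath contains "Content.Outlook"
| project EmailTime, Timestamp, HoursAfterDelivery, RecipientEmailAddress, DeviceName,
          Source, ActionType, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, CommandLine, LikelyOutlookOpen
| order by Timestamp asc
```

Read the output top to bottom: the first row with a LikelyOutlookOpen of true is the earliest evidence the user touched the file, and any DeviceProcessEvents row after it is the point where the investigation stops being about email and starts being about the device. If the account-name assumption does not hold in your tenant (shared mailboxes, mismatched UPNs), drop AccountName from the second join key and correlate on SHA256 alone, accepting that you will then see every device the hash reached.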

What attachment telemetry can prove

EmailAttachmentInfo does not prove execution by itself. It proves attachment metadata and gives defenders the fields needed to pivot. When attachment data connects to endpoint file or process activity, the investigation becomes much stronger.
The attachment existed: The email contained a file, and the attachment metadata provides a file name, hash and message identifier.
The delivery context mattered: Sender, recipient, subject and delivery action can explain how the attachment reached the user.
The hash pivot remains available: SHA256 can connect the attachment to endpoint file activity, detections, process execution and wider investigation scope.

The Agent Foskett investigator mindset

Do not stop because the email looked quiet at delivery. Do not stop because nobody clicked anything. Attachments can sit untouched and become important later when the user finally opens the message.
Ask what happened after delivery: Was the attachment opened, saved, detected, quarantined, executed or seen on an endpoint? Post-delivery quarantine and zero-hour auto purge actions are recorded in EmailPostDeliveryEvents under the same NetworkMessageId.
Follow the timestamp: Compare the delivery time with later file activity so the delay is visible in the investigation timeline.
Correlate weak signals: An invoice subject, unknown sender, attachment hash and delayed endpoint activity together can explain what no single event could.

How GEMXIT approaches attachment investigations

GEMXIT helps organisations use Microsoft Defender XDR telemetry to move beyond simple inbox checks and understand how suspicious attachments move from email delivery into user activity and endpoint evidence.
We review email telemetry visibility: We help check whether EmailEvents, EmailAttachmentInfo and Defender XDR telemetry can support attachment investigations.
We build attachment hunting logic: We help connect email delivery, attachment metadata, file hashes, endpoint activity and timestamps into practical KQL workflows.
We improve investigation readiness: We help teams understand when attachment activity deserves user review, endpoint isolation, hash blocking, device investigation or wider email hunting.
The email arrived on Monday. The investigation started on Wednesday.
GEMXIT helps organisations investigate Microsoft Defender XDR EmailAttachmentInfo, EmailEvents, file hashes, delayed user activity and KQL hunting workflows.

Final thought

The email arrived.

Nothing happened.

Tuesday passed.

Still nothing.

Then on Wednesday afternoon, the attachment was opened.

The alert did not begin when the email arrived.

The investigation began when the file became active.

The user opened the attachment two days later.
At GEMXIT: We help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, EmailEvents, EmailAttachmentInfo, endpoint telemetry, attachment hashes and real-world security operations workflows.
Agent Foskett mindset: The question is not only: "Was the email delivered?"

It is: “What happened to the attachment after delivery?”
