Microsoft-365-Defender-Hunt.../Initial access/WhenZAPed.md


# When email was ZAPed.

This query allows to verify when email matching your search condition (by default based on presence of the URL) were ZAPed and compare it with original delivery time.

## Query

```
let URL=""; // Put your URL here
EmailUrlInfo
| where Url matches regex URL 
| join (EmailEvents | where DeliveryAction == "Delivered" and EmailDirection == "Inbound") on NetworkMessageId
| project Timestamp, NetworkMessageId, Url, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject,DeliveryAction, DeliveryLocation
| join (EmailPostDeliveryEvents | where ActionType has "ZAP") on NetworkMessageId,RecipientEmailAddress 
| extend DeliveryTime=(Timestamp)
| extend ZAPTime=(Timestamp1)
| project DeliveryTime, ZAPTime, NetworkMessageId, SenderFromAddress, SenderIPv4,RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation
| sort by DeliveryTime  asc
```
## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|------------------------|----------|-------|
| Initial access | x |  |
| Execution |  |  |
| Persistence |  |  | 
| Privilege escalation |  |  |
| Defense evasion |  |  | 
| Credential Access |  |  | 
| Discovery |  |  | 
| Lateral movement |  |  | 
| Collection |  |  | 
| Command and control |  |  | 
| Exfiltration |  |  | 
| Impact |  |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |


## Contributor info

**Contributor:** Pawel Partyka

**GitHub alias:** pawp81

**Organization:** Microsoft

**Contact info:** @pawp81
Create WhenZAPed.md 2020-09-29 11:05:11 +03:00
			`# When email was ZAPed.`

			`This query allows to verify when email matching your search condition (by default based on presence of the URL) were ZAPed and compare it with original delivery time.`

			`## Query`

			```
			`let URL=""; // Put your URL here`
			`EmailUrlInfo`
Update WhenZAPed.md 2020-09-29 14:30:52 +03:00			`\| where Url matches regex URL`
			`\| join (EmailEvents \| where DeliveryAction == "Delivered" and EmailDirection == "Inbound") on NetworkMessageId`
Create WhenZAPed.md 2020-09-29 11:05:11 +03:00			`\| project Timestamp, NetworkMessageId, Url, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject,DeliveryAction, DeliveryLocation`
Update WhenZAPed.md 2020-09-29 14:30:52 +03:00			`\| join (EmailPostDeliveryEvents \| where ActionType has "ZAP") on NetworkMessageId,RecipientEmailAddress`
Create WhenZAPed.md 2020-09-29 11:05:11 +03:00			`\| extend DeliveryTime=(Timestamp)`
			`\| extend ZAPTime=(Timestamp1)`
			`\| project DeliveryTime, ZAPTime, NetworkMessageId, SenderFromAddress, SenderIPv4,RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation`
			`\| sort by DeliveryTime asc`
			```
			`## Category`

			`This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.`

			`\| Technique, tactic, or state \| Covered? (v=yes) \| Notes \|`
			`\|------------------------\|----------\|-------\|`
			`\| Initial access \| x \| \|`
			`\| Execution \| \| \|`
			`\| Persistence \| \| \|`
			`\| Privilege escalation \| \| \|`
			`\| Defense evasion \| \| \|`
			`\| Credential Access \| \| \|`
			`\| Discovery \| \| \|`
			`\| Lateral movement \| \| \|`
			`\| Collection \| \| \|`
			`\| Command and control \| \| \|`
			`\| Exfiltration \| \| \|`
			`\| Impact \| \| \|`
			`\| Vulnerability \| \| \|`
			`\| Misconfiguration \| \| \|`
			`\| Malware, component \| \| \|`


			`## Contributor info`

			`Contributor: Pawel Partyka`

			`GitHub alias: pawp81`

			`Organization: Microsoft`

			`Contact info: @pawp81`