13__C
Copper Contributor
Jan 09, 2024

Outlook.exe creating and downloading

I am viewing an alert for malware and am confused about the MDE timeline. Just before the AV quarantined the file, I see OUTLOOK.EXE creating and downloading an email attachment in \AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\.

I see 0 emails with this file name or hash value in Email & Collab explorer for this user, and also doing an Advanced Hunt for EmailAttachmentInfo and DeviceFileEvents I get 0 results for the naming or hash in the user's specific device or any device on our network.

Am I misunderstanding how OUTLOOK.EXE works? Are the creation and downloading events not the user downloading a file from their email?

1 Reply

  • jbmartin6
    Iron Contributor
    MDE's hunting data only goes 30 days; I don't know about the email explorer. But it is possible the attachment was on an email received in the past that has aged out of the data you are searching.
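
The correlation discussed in this thread, as an added advanced hunting query that is not part of either post: it lists Outlook's writes of the alerted hash into the Content.Outlook cache and flags whether a matching mail record is still present in the hunting data. The hash is a placeholder to fill in from the alert, and the 30-day lookback is taken from the reply above.

```kusto
// Added example, not from the original posts.
// Placeholder: paste the SHA256 shown on the alert here.
let target_sha256 = "<SHA256_FROM_ALERT>";
// Assumption: lookback matches the 30-day hunting window mentioned in the reply.
let lookback = 30d;
// Files Outlook wrote into its attachment cache on any device.
let outlook_cache_writes =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "outlook.exe"
    | where FolderPath contains @"\INetCache\Content.Outlook"
    | where SHA256 == target_sha256
    | project FileTime = Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256;
// Mail attachments with the same hash, for any recipient.
let mail_attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where SHA256 == target_sha256
    | project MailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, AttachmentName = FileName, SHA256;
// Left outer join keeps file events that have no mail record in the window.
outlook_cache_writes
| join kind=leftouter mail_attachments on SHA256
| extend MailRecordFound = isnotempty(NetworkMessageId)
| project FileTime, DeviceName, ActionType, FileName, FolderPath,
          MailRecordFound, MailTime, SenderFromAddress, RecipientEmailAddress,
          NetworkMessageId
| order by FileTime asc
```

Rows with MailRecordFound set to false are file events for which no attachment with that hash exists in the searched window, which is the outcome the reply describes for a message that has aged out.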
