Query Details

IC Catching Emojis Into Email Attachment File Names

Query

**[IC] - Catching Emojis in Email Attachment File Names**

| Technique ID | Title    |
| ---  | --- |
| T1036 | Masquerading |


| Author | Sergio Albea (16/03/2026)   |
| ---  | --- |

Attackers take advantage of emojis because they make content stand out and draw more attention than plain text. This applies not only to email subjects but also to attachment file names, which, in my experience, legitimate files rarely decorate with icons. For example:

- 📄Invoice.pdf
- 🔐Reset_Password.html
- 📦Delivery_Document.zip

This can help find:

- Suspicious files delivered by email
- Files downloaded from phishing emails
- Scam files that users downloaded or opened
- Payloads with social-engineering names

```
// Sergio Albea 16-03-2026 ©️
EmailAttachmentInfo
| where Timestamp > ago(7d) and isnotempty(FileExtension) and isnotempty(FileName)
// Collect every code point in the pictograph (U+1F300..U+1FAFF) and symbol/dingbat
// (U+2600..U+27BF) ranges into a dynamic array
| extend Icons = extract_all(@"([\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}])", FileName)
| where isnotempty(Icons)
// EmailEvents carries the sender IP fields that EmailAttachmentInfo lacks
| join kind=inner (EmailEvents) on NetworkMessageId
| extend SenderIP = iff(isnotempty(SenderIPv4),SenderIPv4,SenderIPv6)
| extend geo_ip = tostring(geo_info_from_ip_address(SenderIP).country)
| project Timestamp,SenderDisplayName,SenderFromAddress,SenderIP,geo_ip,FileName,FileExtension,RecipientEmailAddress,Icons
| order by Timestamp desc
```

Explanation

This KQL (Kusto Query Language) query identifies email attachments whose file names contain emojis. Step by step:

  1. Data Source: The query reads EmailAttachmentInfo, the Microsoft Defender XDR advanced hunting table that holds one row per attachment per recipient (file name, extension, hash, sender and recipient addresses, and the NetworkMessageId of the message).

  2. Time Filter: It keeps only records from the past 7 days (Timestamp > ago(7d)).

  3. File Name and Extension Check: It requires both the file extension and the file name to be populated (isnotempty(FileExtension) and isnotempty(FileName)).

  4. Extracting Emojis: extract_all runs a regular expression over FileName and collects every code point in two Unicode ranges into a dynamic array called Icons: U+1F300 to U+1FAFF (Miscellaneous Symbols and Pictographs through Symbols and Pictographs Extended-A, which includes the emoticons and transport symbols) and U+2600 to U+27BF (Miscellaneous Symbols and Dingbats). Two caveats: emojis outside these ranges are not caught, for example regional-indicator flags (U+1F1E6 to U+1F1FF), the star U+2B50, the watch U+231A and the double exclamation U+203C; and a ZWJ sequence such as 🧑‍💻 is returned as its component code points rather than as one emoji.

  5. Filtering for Emojis: It keeps only attachments whose Icons array is non-empty (isnotempty(Icons)).

  6. Joining with Email Events: The filtered attachment rows are inner-joined with EmailEvents on NetworkMessageId, which adds the sender IP fields (SenderIPv4, SenderIPv6) that EmailAttachmentInfo does not carry. Both tables hold one row per recipient, so on a message with several recipients a join on NetworkMessageId alone multiplies the rows; adding RecipientEmailAddress to the join key (on NetworkMessageId, RecipientEmailAddress) keeps one row per attachment per recipient.

  7. IP and Geolocation: SenderIP takes SenderIPv4 when it is populated and SenderIPv6 otherwise. geo_info_from_ip_address returns a dynamic object with country, state, city, latitude and longitude; the query casts its country property to a string in geo_ip. Private address ranges resolve to an empty value.

  8. Selecting and Ordering Data: Finally, it projects the timestamp, sender display name and address, sender IP and country, file name and extension, recipient address and the extracted emojis, ordered by timestamp descending.

In summary, the query surfaces attachments whose file names carry emojis, a lure technique that makes a malicious file more eye-catching than plain text. A hit is a lead to triage rather than a verdict, since a legitimate sender can also decorate a file name.
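The same detection logic, re-implemented in Python as an added example (it is not part of the original query and is not the author's code) so it can be run offline against constructed rows standing in for EmailAttachmentInfo and EmailEvents. It uses the query's exact code-point ranges and, alongside them, an assumed wider class that shows what the narrow ranges miss (flags, the U+2B50 star, U+203C). It also joins on NetworkMessageId plus RecipientEmailAddress, which departs from the query above. The sample rows, addresses and message IDs are constructed.

```python
"""Emoji-in-attachment-name hunt, re-implemented in Python over constructed rows."""
import re

# The two code-point ranges the KQL query uses:
# U+1F300..U+1FAFF (pictographs, emoticons, transport, supplemental symbols)
# U+2600..U+27BF   (Miscellaneous Symbols and Dingbats)
QUERY_ICON_RE = re.compile(r"[\U0001F300-\U0001FAFF\u2600-\u27BF]")

# Wider class (an assumption added here, not from the original query) that also covers
# regional-indicator flags (U+1F1E6..U+1F1FF), Miscellaneous Technical (U+231A watch),
# the U+2B00 block (U+2B50 star) and singletons such as U+203C and U+2122 seen in lures.
WIDE_ICON_RE = re.compile(
    r"[\U0001F000-\U0001FAFF"
    r"\u2300-\u23FF"
    r"\u2600-\u27BF"
    r"\u2B00-\u2BFF"
    r"\u203C\u2049\u2122\u2139]"
)


def find_icons(file_name, pattern=QUERY_ICON_RE):
    """Equivalent of extract_all(): every matching code point, in order.
    A ZWJ sequence such as U+1F9D1 U+200D U+1F4BB comes back as its parts,
    and variation selectors (U+FE0F) are never matched."""
    return pattern.findall(file_name)


def sender_ip(event):
    """iff(isnotempty(SenderIPv4), SenderIPv4, SenderIPv6)."""
    return event.get("SenderIPv4") or event.get("SenderIPv6") or ""


def hunt(attachments, events, pattern=QUERY_ICON_RE):
    """Inner-join attachment rows to EmailEvents and keep the ones with an icon.
    Joins on (NetworkMessageId, RecipientEmailAddress) rather than NetworkMessageId
    alone, so a multi-recipient message does not multiply its rows."""
    by_key = {(e["NetworkMessageId"], e["RecipientEmailAddress"]): e for e in events}
    rows = []
    for a in attachments:
        if not a.get("FileName") or not a.get("FileExtension"):
            continue
        icons = find_icons(a["FileName"], pattern)
        if not icons:
            continue
        e = by_key.get((a["NetworkMessageId"], a["RecipientEmailAddress"]))
        if e is None:
            continue  # inner join: no matching event row
        rows.append({
            "Timestamp": e["Timestamp"],
            "SenderFromAddress": e["SenderFromAddress"],
            "SenderIP": sender_ip(e),
            "RecipientEmailAddress": a["RecipientEmailAddress"],
            "FileName": a["FileName"],
            "FileExtension": a["FileExtension"],
            "Icons": icons,
        })
    rows.sort(key=lambda r: r["Timestamp"], reverse=True)  # order by Timestamp desc
    return rows


# Constructed sample rows (not real telemetry); RFC 5737 / RFC 3849 addresses.
SAMPLE_EVENTS = [
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "alice@example.com",
     "Timestamp": "2026-03-16T09:00:00Z", "SenderFromAddress": "billing@invoice-portal.example",
     "SenderIPv4": "203.0.113.10", "SenderIPv6": ""},
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "bob@example.com",
     "Timestamp": "2026-03-16T09:00:00Z", "SenderFromAddress": "billing@invoice-portal.example",
     "SenderIPv4": "203.0.113.10", "SenderIPv6": ""},
    {"NetworkMessageId": "msg-2", "RecipientEmailAddress": "alice@example.com",
     "Timestamp": "2026-03-16T10:30:00Z", "SenderFromAddress": "hr@example.com",
     "SenderIPv4": "", "SenderIPv6": "2001:db8::25"},
    {"NetworkMessageId": "msg-3", "RecipientEmailAddress": "alice@example.com",
     "Timestamp": "2026-03-16T11:00:00Z", "SenderFromAddress": "rewards@example.net",
     "SenderIPv4": "198.51.100.7", "SenderIPv6": ""},
]

SAMPLE_ATTACHMENTS = [
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "alice@example.com",
     "FileName": "\U0001F4C4Invoice.pdf", "FileExtension": "pdf"},              # 📄 U+1F4C4
    {"NetworkMessageId": "msg-1", "RecipientEmailAddress": "bob@example.com",
     "FileName": "\U0001F4C4Invoice.pdf", "FileExtension": "pdf"},
    {"NetworkMessageId": "msg-2", "RecipientEmailAddress": "alice@example.com",
     "FileName": "Q3_headcount.xlsx", "FileExtension": "xlsx"},                 # benign
    {"NetworkMessageId": "msg-3", "RecipientEmailAddress": "alice@example.com",
     "FileName": "\u2B50Bonus_Letter.docx", "FileExtension": "docx"},            # ⭐ U+2B50, missed by query ranges
    {"NetworkMessageId": "msg-3", "RecipientEmailAddress": "alice@example.com",
     "FileName": "\U0001F1FA\U0001F1F8Tax_Refund.pdf", "FileExtension": "pdf"},  # 🇺🇸 flag, missed by query ranges
]

if __name__ == "__main__":
    for label, pat in (("query ranges", QUERY_ICON_RE), ("wider ranges", WIDE_ICON_RE)):
        print(label)
        for r in hunt(SAMPLE_ATTACHMENTS, SAMPLE_EVENTS, pat):
            print(" ", r["Timestamp"], r["SenderIP"], r["RecipientEmailAddress"], r["FileName"], r["Icons"])
```

Running the file prints two result sets: the query's ranges return only the two 📄Invoice.pdf rows, while the wider class additionally returns the ⭐ and flag-prefixed names, which is the gap to keep in mind when tuning the regex.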

Details


Released: March 17, 2026

Tables

EmailAttachmentInfo, EmailEvents

Keywords

Email, Attachment, Files, User, Sender, Recipient, Timestamp, Icons, GeoIP

Operators

ago, isnotempty, extend, extract_all, join, iff, tostring, geo_info_from_ip_address, project, order by