Query Details
**[IC] - Catching emojis on email Subjects**
| Technique ID | Title |
| --- | --- |
| T1566 | Phishing |

Author: Sergio Albea (17/03/2026)
Marketing emails use emojis all the time, but attackers use them too, because they catch attention and increase the chance that someone clicks:
- ⚠️ Urgent messages
- 📦 Delivery notifications
- 📄 Fake invoices
- 🔐 Password resets
Identifying and classifying such cases in email subjects can be turned into useful detections. This query identifies:
- Emails received with icons in the subject
- Where a URL in the email was clicked
- Excluding cases where the sender is allow-listed at either the organization or the user level
- Summarised by number of emails and number of distinct recipients, also identifying whether the messages were delivered into Inbox folders
```
// Sergio Albea 17-03-2026 ©️
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(Subject)
// Extract every code point in the Misc Symbols/Dingbats (U+2600-U+27BF)
// and emoji (U+1F300-U+1FAFF) blocks from the subject
| extend Icons = extract_all(@"([\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}])", Subject)
| where isnotempty(Icons)
// Keep only messages for which a URL click was recorded
| join kind=inner UrlClickEvents on NetworkMessageId
// Drop senders allow-listed at user or organization level
| where UserLevelPolicy !has 'Allow'
| where OrgLevelPolicy !has 'Allow'
| extend SenderIP = iff(isnotempty(SenderIPv4), SenderIPv4, SenderIPv6)
| extend geo_ip = tostring(geo_info_from_ip_address(SenderIP).country)
//| where Subject contains "⚠️"
| summarize Distinct_Recipients=dcount(RecipientEmailAddress), make_set(RecipientEmailAddress), Emails=count()
    by Subject, SenderIP, geo_ip, ActionType, Workload, Url, ThreatTypes, LatestDeliveryLocation
| order by Emails, Distinct_Recipients
```
This query is designed to detect potentially suspicious emails that use emojis in their subject lines, which is a common tactic used in phishing attacks to grab attention. Here's a simplified breakdown of what the query does:
- Time Frame: It looks at email events from the past 7 days.
- Subject Filtering: It filters emails that have a non-empty subject line and extracts any emojis present in the subject.
- URL Clicks: It joins this data with URL click events to find emails where a URL in the email was clicked.
- Exclusion Criteria: It excludes emails from senders that are marked as 'Allowed' either at the user level or organization level.
- Sender Information: It extracts the sender's IP address and determines the country of origin for the IP address.
- Summary: It summarizes the data by counting the number of emails and distinct recipients for each unique combination of subject, sender IP, country, action type, workload, URL, threat types, and delivery location.
- Ordering: Finally, it orders the results by the number of emails and distinct recipients.

This query helps identify and classify emails with emojis in their subjects that might be part of phishing attempts, providing insights into potential threats based on email patterns and sender information.
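An added variant, not part of the original query, that buckets the matched emoji into the four lure categories listed at the top (urgent, delivery, invoice, password). It reads EmailEvents alone, so it also surfaces lures whose URL was never clicked; the code-point sets per category and the `has "Inbox"` check on `LatestDeliveryLocation` are assumptions.

```kql
// Added example (not part of the original query): classify emoji lures by category.
// The category code-point sets below are assumptions, not an official mapping.
let Lookback = 7d;
EmailEvents
| where Timestamp > ago(Lookback)
| where EmailDirection == "Inbound"
| where isnotempty(Subject)
| extend Icons = extract_all(@"([\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}])", Subject)
| where array_length(Icons) > 0
// Same exclusion as the original query: skip senders allow-listed at org or user level
| where UserLevelPolicy !has "Allow" and OrgLevelPolicy !has "Allow"
// Match on the base code point only, so "⚠️" (U+26A0 + U+FE0F) and "⚠" both classify as Urgent
| extend LureCategory = case(
    Subject matches regex @"[\x{26A0}\x{1F6A8}\x{2757}]",   "Urgent",    // ⚠ 🚨 ❗
    Subject matches regex @"[\x{1F4E6}\x{1F69A}\x{1F4EC}]", "Delivery",  // 📦 🚚 📬
    Subject matches regex @"[\x{1F4C4}\x{1F9FE}\x{1F4B3}]", "Invoice",   // 📄 🧾 💳
    Subject matches regex @"[\x{1F510}\x{1F511}\x{1F512}]", "Password",  // 🔐 🔑 🔒
    "Other")
| where LureCategory != "Other"
| extend SenderIP = iff(isnotempty(SenderIPv4), SenderIPv4, SenderIPv6)
| summarize Emails = count(),
            Distinct_Recipients = dcount(RecipientEmailAddress),
            Distinct_SenderIPs = dcount(SenderIP),
            // Assumed: delivery location strings for the inbox contain "Inbox"
            Inbox_Deliveries = countif(LatestDeliveryLocation has "Inbox"),
            SampleSubjects = make_set(Subject, 5)
    by LureCategory, SenderFromDomain, bin(Timestamp, 1d)
| order by Emails desc, Distinct_Recipients desc
```

A category with many inbox deliveries from one sender domain and many distinct recipients is the row to triage first; the original query's click join can then be applied to that domain alone.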

Sergio Albea
Released: March 17, 2026