Query Details

Any Run Corrupt File Zero Day Attack

Query

// Any.Run Corrupt File Zero Day Attack

// https://www.linkedin.com/posts/0x534c_httpsxcomanyrunappstatus1861024272463909018-activity-7269357711639633920-4xZK/

// Custom MDO KQL Detection for potential ZERO-DAY Attack:

EmailAttachmentInfo
| where Timestamp > ago(1h)
| where FileName endswith ".docx"
| where FileType == "zip" or FileType == "unknown"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"

Explanation

This KQL (Kusto Query Language) query is designed to detect potential zero-day attacks involving corrupt file attachments in incoming emails. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at the EmailAttachmentInfo table, which contains information about email attachments.

  2. Time Filter: It filters the data to only include email attachments that have been received in the last hour (Timestamp > ago(1h)).

  3. File Type Filter: It specifically looks for attachments with filenames ending in ".docx", which are typically Microsoft Word documents.

  4. Suspicious File Type: It further filters these attachments to those whose detected file type is either "zip" or "unknown". This is suspicious because a ".docx" attachment should be identified as a Word document; a detected type of "zip" (only the generic container) or "unknown" (not identifiable at all) does not match the extension and suggests a malformed or deliberately corrupted file.

  5. Join with Email Events: The query joins this filtered attachment data with the EmailEvents table using the NetworkMessageId to correlate attachment information with email events.

  6. Inbound Emails: It focuses only on inbound emails (EmailDirection == "Inbound"), meaning emails that are received from outside the organization.

  7. Delivery Status: Finally, it checks that these emails were actually delivered (DeliveryAction == "Delivered"), indicating that the potentially malicious attachment reached the recipient.

In summary, this query is designed to identify potentially malicious email attachments that could be part of a zero-day attack by looking for unusual characteristics in recently received emails.
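The following is an added example, not code from the original post, that models the rule above in Python: it derives a content-based file type for a set of constructed sample attachments and flags those that carry a ".docx" name but are only recognised as "zip" or "unknown". The type-detection logic (ZIP signature, parseable central directory, presence of the core OOXML parts) is a simplified assumption, not Defender for Office 365's real classifier.

```python
import io
import zipfile


def _minimal_docx() -> bytes:
    """Constructed sample: a minimal but well-formed OOXML (.docx) package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def detect_file_type(data: bytes) -> str:
    """Simplified model (an assumption, not the product's classifier) of a
    content-derived FileType: 'docx' for a parseable Word package, 'zip' for
    a ZIP container that is damaged or not a Word package, 'unknown' when no
    ZIP local-file-header signature is present at all."""
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if {"[Content_Types].xml", "word/document.xml"} <= names:
                return "docx"
            return "zip"
    except zipfile.BadZipFile:
        return "zip"  # signature present, but the central directory is unreadable


def suspicious_docx(filename: str, file_type: str) -> bool:
    """The query's rule: named .docx (KQL endswith is case-insensitive, hence
    lower()), yet the detected type is only the container or undetermined."""
    return filename.lower().endswith(".docx") and file_type in ("zip", "unknown")


def triage(attachments):
    """Apply the rule to (filename, bytes) pairs and return flagged names."""
    return [name for name, data in attachments
            if suspicious_docx(name, detect_file_type(data))]


# Constructed sample attachments (not real campaign files).
SAMPLES = [
    ("report.docx", _minimal_docx()),          # well-formed: detected as docx
    ("invoice.docx", _minimal_docx()[:40]),    # truncated: no central directory
    ("notes.docx", b"\x00" * 64),              # no ZIP signature at all
    ("archive.zip", _minimal_docx()),          # not named .docx: out of scope
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```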

Details


Steven Lim

Released: December 2, 2024

Tables

EmailAttachmentInfo, EmailEvents

Keywords

EmailAttachmentInfo, EmailEvents, NetworkMessageId, EmailDirection, DeliveryAction, Timestamp, FileName, FileType

Operators

ago, endswith, ==, or, join, on
