Query Details
**Detect LastPass Hack Emails that attempt to trick users into installing Malware**
**Description**: CyberSecurityNews has reported a rising number of cases involving a new wave of phishing emails masquerading as breach notifications from LastPass.
To summarise, these emails claim that the recipient’s account has been compromised and urge them to download a “security patch” to restore access.
In reality, the attached file is a sophisticated malware loader built to steal credentials and deploy additional malicious payloads onto the victim’s system.
Each phishing message includes a ZIP attachment named 'LastPass_Security_Update' that contains an executable disguised as an MSI installer. When executed, the fake MSI installs a PowerShell script into the user’s AppData folder and schedules it to run via a scheduled task. The script then contacts a remote command-and-control server to download a second-stage payload capable of keylogging, taking screenshots, and moving laterally within corporate networks.
The following KQL query is based on the IOA (Indicator of Attack): an email arrives with a .zip attachment and the archive's content is an .msi file. Using the IOA instead of the IOC (the 'LastPass_Security_Update.zip' file name) is more robust, because the attackers can trivially rename the ZIP, and a name-based detection would then miss the threat.
```kql
// Names of every ZIP attachment seen in email telemetry
let Email_Zips = EmailAttachmentInfo | where FileType has "zip" | project FileName;
DeviceFileEvents
| where isnotempty(FileOriginReferrerUrl)
// Last path segment of the referrer: the archive the file was extracted from
| extend FileOriginReferrerUrl_ext = extract(@"[^\\]+$", 0, FileOriginReferrerUrl)
| join kind=inner (DeviceEvents) on $left.InitiatingProcessUniqueId == $right.InitiatingProcessUniqueId
| extend FileExtension = extract(@"\.([a-zA-Z0-9]+)$", 1, FileName)
| extend Source_Type = case(FileOriginReferrerUrl startswith "https://", "🌎 Web", "📂 File")
// IOA: the archive name must match a ZIP that arrived by email, whatever it is called
| join kind=inner (Email_Zips) on $left.FileOriginReferrerUrl_ext == $right.FileName
| where FileName endswith ".msi"
| summarize total_Files = dcount(FileName), Files_after_execution = strcat("🗂️ ", make_set(FileName)),
    make_set(FileExtension), make_set(ActionType), make_set(FolderPath),
    SHA256_Group = make_set(SHA2561)  // SHA2561 is DeviceEvents' SHA256 column after the join
    by InitiatingProcessUniqueId, AccountUpn = strcat("👩🏻💻🧑🏾💻", InitiatingProcessAccountUpn),
    Device = strcat("💻 ", DeviceName), FileOriginReferrerUrl, Source_Type,
    OriginalFile = strcat("🚩 ", FileOriginReferrerUrl_ext), ReportId, Timestamp, DeviceId
```
This KQL query is designed to detect phishing attempts that deliver an MSI installer inside a ZIP email attachment, the pattern this campaign uses to install malware. In simplified terms, the query does the following:

1. **Identify ZIP attachments:** The query starts by selecting email attachments whose file type is ZIP and keeps their file names for later correlation.
2. **Track file events:** It then looks at device file events for files originating from those ZIP attachments. The last path segment of `FileOriginReferrerUrl` (the archive a file was extracted from) is matched against the ZIP attachment names, and the events are joined with DeviceEvents on the initiating process.
3. **Filter for MSI files:** The query specifically filters for MSI files, which are commonly used as installers, because the phishing emails in question use an MSI file to disguise the malware.
4. **Join with email data:** By joining the file events with the email attachment data, the query correlates the MSI files with the original ZIP attachments that arrived by email.
5. **Summarize and report:** Finally, the query summarizes the results per initiating process, providing the number of files seen, their extensions, the actions taken, file paths and SHA256 hashes, together with the user account, device and the original archive name.

Overall, this query helps detect and report on phishing attempts that use ZIP attachments with MSI files to deliver malware, focusing on the behaviour (Indicator of Attack, IOA) rather than a specific file name (Indicator of Compromise, IOC), which attackers can change at will.
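To show why the IOA still fires when the lure is renamed, here is an added Python simulation of the query's core correlation (not code from the original post or from Defender): it mirrors the Email_Zips lookup, the referrer-leaf extraction and the .msi filter over constructed EmailAttachmentInfo/DeviceFileEvents rows, leaving out the DeviceEvents join. All rows, device names and the `ioc_zip_name` switch are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows (not real telemetry) standing in for the columns the KQL query relies on.
EMAIL_ATTACHMENTS = [
    {"FileName": "LastPass_Security_Update.zip", "FileType": "zip"},
    {"FileName": "Account_Notice_2025.zip", "FileType": "zip"},  # same lure, renamed ZIP
    {"FileName": "invoice.pdf", "FileType": "pdf"},
]
DEVICE_FILE_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessUniqueId": 101, "FileName": "LastPass_Security_Update.msi",
     "FileOriginReferrerUrl": r"C:\Users\alice\Downloads\LastPass_Security_Update.zip"},
    {"DeviceName": "WS02", "InitiatingProcessUniqueId": 202, "FileName": "Update.msi",
     "FileOriginReferrerUrl": r"C:\Users\bob\Downloads\Account_Notice_2025.zip"},
    {"DeviceName": "WS02", "InitiatingProcessUniqueId": 202, "FileName": "readme.txt",
     "FileOriginReferrerUrl": r"C:\Users\bob\Downloads\Account_Notice_2025.zip"},
    {"DeviceName": "WS03", "InitiatingProcessUniqueId": 303, "FileName": "setup.msi",
     "FileOriginReferrerUrl": "https://vendor.example/downloads/setup.msi"},  # no email ZIP involved
]

def referrer_leaf(url: str) -> str:
    # Mirror of extract(@"[^\\]+$", 0, FileOriginReferrerUrl): last backslash-separated segment.
    m = re.search(r"[^\\]+$", url)
    return m.group(0) if m else ""

def email_zip_names(attachments) -> set:
    # Mirror of the Email_Zips let statement: attachment names whose FileType contains "zip".
    return {a["FileName"] for a in attachments if "zip" in a["FileType"].lower()}

def detect_msi_from_email_zip(file_events, attachments, ioc_zip_name=None):
    # One summary row per initiating process that produced an .msi out of an emailed ZIP.
    # ioc_zip_name=None is the query's IOA behaviour; a name emulates an IOC-only rule for comparison.
    zips = email_zip_names(attachments)
    if ioc_zip_name is not None:
        zips &= {ioc_zip_name}
    groups = defaultdict(lambda: {"Files_after_execution": set(), "OriginalFile": "", "Device": ""})
    for ev in file_events:
        ref = ev.get("FileOriginReferrerUrl", "")
        if not ref:  # where isnotempty(FileOriginReferrerUrl)
            continue
        leaf = referrer_leaf(ref)
        if leaf not in zips or not ev["FileName"].lower().endswith(".msi"):
            continue  # the inner join on the archive name and the .msi filter
        g = groups[ev["InitiatingProcessUniqueId"]]
        g["Files_after_execution"].add(ev["FileName"])
        g["OriginalFile"], g["Device"] = leaf, ev["DeviceName"]
    return [{"InitiatingProcessUniqueId": pid, "total_Files": len(g["Files_after_execution"]),
             "Files_after_execution": sorted(g["Files_after_execution"]), "OriginalFile": g["OriginalFile"],
             "Device": g["Device"]} for pid, g in sorted(groups.items())]
```

Running it in IOA mode returns both WS01 and the renamed-ZIP case on WS02, while the IOC-only variant keyed to 'LastPass_Security_Update.zip' returns WS01 alone.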

Sergio Albea
Released: October 16, 2025