Query Details

ASR Executable Content triggered

Email ASR Executable Content Triggered

Query

DeviceEvents
| where ActionType in ("AsrExecutableEmailContentBlocked", "AsrExecutableEmailContentAudited")
// join the information from the email attachment
| join kind=inner (EmailAttachmentInfo
     | project NetworkMessageId, FileName, SHA256, FileSize)
     on $left.FileName == $right.FileName
// join the email information     
| join kind=inner (EmailEvents
     | project SenderFromAddress, Subject, NetworkMessageId)
     on $left.NetworkMessageId == $right.NetworkMessageId
| project-reorder SenderFromAddress, Subject, FileName, FileSize, SHA256

About this query

Explanation

This query is designed to detect and analyze instances where potentially harmful executable content is triggered from emails. It focuses on identifying and blocking executable and script files that are launched from emails opened in Microsoft Outlook or other webmail services. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify emails containing executable files (like .exe, .dll, .scr) or script files (like .ps1, .vbs, .js) that have been blocked or audited by the Attack Surface Reduction (ASR) rules. These files could be used by attackers to gain unauthorized access to a system.

  2. Data Sources:

    • DeviceEvents: Logs events related to device activities, specifically looking for actions where executable content from emails is either blocked or audited.
    • EmailAttachmentInfo: Provides details about the email attachments, such as file names, sizes, and their SHA256 hashes.
    • EmailEvents: Contains information about the emails themselves, including the sender's address and the email subject.
  3. Process:

    • The query first filters for events where executable content from emails is either blocked or audited.
    • It then joins this data with information about the email attachments to get details like the file name, size, and hash.
    • Another join is performed with email event data to retrieve the sender's address and the email subject.
    • Finally, the query organizes the results to show the sender's address, email subject, file name, file size, and file hash.
  4. Outcome: By running this query, security teams can identify potentially malicious emails and their sources, allowing them to take action, such as blocking the sender or investigating further to prevent unauthorized access.

Overall, this query helps in detecting phishing attempts that involve malicious attachments, thereby enhancing email security.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceEventsEmailAttachmentInfoEmailEvents

Keywords

DeviceEventsEmailAttachmentInfoEmailEvents

Operators

whereinjoinkind=innerprojectonproject-reorder

MITRE Techniques

Actions

GitHub