Executable Fileattachment recieved
Email Executable File Recieved
Query
let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'dll', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']);
EmailEvents
// Only display inbound emails
| where EmailDirection == 'Inbound'
// Join the email events with the attachment information, that the email must have an attachment.
| join kind=inner EmailAttachmentInfo on NetworkMessageId
// extract the file extension from the filename
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
| where isnotempty(FileExtension)
// Filter on executable file extensions
| where FileExtension in~ (ExecutableFileExtentions)
| summarize ['Target Mailboxes'] = make_set(RecipientEmailAddress), ['Sender Addresses'] = make_set(SenderFromAddress), ['Email Subject'] = make_set(Subject) by SHA256, FileNameAbout this query
Explanation
This query is designed to detect potentially malicious emails that contain executable file attachments, which could be used by attackers to gain unauthorized access to a system. Here's a simple breakdown of what the query does:
-
Executable File Extensions: It defines a list of file extensions that are considered executable on Windows systems, such as
.exe,.bat,.cmd, etc. -
Email Filtering: The query focuses on inbound emails, meaning emails that are received by the system.
-
Attachment Check: It checks if these inbound emails have attachments.
-
File Extension Extraction: For each attachment, it extracts the file extension from the filename.
-
Executable File Detection: It filters the attachments to only include those with extensions that match the predefined list of executable file extensions.
-
Summary of Findings: The query summarizes the results by listing the target mailboxes (recipients), sender addresses, and email subjects for each detected executable file attachment, identified by its SHA256 hash and filename.
This query helps in identifying emails that might be part of a phishing attack using malicious attachments, allowing security teams to take appropriate action to protect their systems.
