Email Most Rare File Extensions Received

Query

# List the 20 rarest file extensions received in emails

## Query Information

#### Description
This query lists the 20 rarest file extensions that have been used in email attachments.

#### Risk
Rare file extensions may indicate that an actor is trying to trick users into opening malicious files.

## Defender For Endpoint
```
EmailEvents
// Only display inbound emails
| where EmailDirection == 'Inbound'
// Join the email events with the attachment information; the inner join keeps only emails that have at least one attachment
| join kind=inner EmailAttachmentInfo on NetworkMessageId
// Extract the file extension from the filename (the text after the last dot)
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Drop attachments whose filename has no extension
| where isnotempty(FileExtension)
| summarize Total = count() by FileExtension
// asc returns the 20 extensions with the lowest counts, i.e. the rarest ones
| top 20 by Total asc
```
## Sentinel
```
EmailEvents
// Only display inbound emails
| where EmailDirection == 'Inbound'
// Join the email events with the attachment information; the inner join keeps only emails that have at least one attachment
| join kind=inner EmailAttachmentInfo on NetworkMessageId
// Extract the file extension from the filename (the text after the last dot)
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
// Drop attachments whose filename has no extension
| where isnotempty(FileExtension)
| summarize Total = count() by FileExtension
// asc returns the 20 extensions with the lowest counts, i.e. the rarest ones
| top 20 by Total asc
```

Explanation

The query lists the 20 rarest file extensions found in email attachments. This information is important because rare file extensions may indicate that someone is trying to trick users into opening malicious files. The query filters for inbound emails and joins the email events with attachment information. It then extracts the file extension from the filename, counts the occurrences of each file extension, and displays the top 20 rarest file extensions.
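The following Python script is an added example that re-implements the query's pipeline (inbound filter, extension extraction with the same regular expression, count per extension, rarest N) over a constructed sample of attachment records, so the logic can be checked offline. It is not code from the KQL repository or from Microsoft. The sample records and the `file_extension` / `rarest_extensions` names are assumptions made here; the lower-casing of the extension is an added normalisation that the KQL query does not perform, and it is what makes `Invoice.PDF` and `invoice.pdf` count as one extension.

```python
import re
from collections import Counter

# Constructed sample of email attachment records (not real telemetry).
# Each tuple mirrors the columns the query uses:
# (EmailDirection, NetworkMessageId, FileName).
SAMPLE_ATTACHMENTS = [
    ("Inbound", "msg-001", "invoice.pdf"),
    ("Inbound", "msg-002", "report.docx"),
    ("Inbound", "msg-003", "Invoice.PDF"),     # same extension as msg-001 once lower-cased
    ("Inbound", "msg-004", "archive.tar.gz"),  # only the last part ('gz') is taken
    ("Inbound", "msg-005", "README"),          # no dot -> empty extension -> dropped
    ("Inbound", "msg-006", "setup.iso"),
    ("Inbound", "msg-007", "photo.jpg"),
    ("Inbound", "msg-008", "notes.pdf"),
    ("Outbound", "msg-009", "budget.xlsm"),    # outbound -> filtered out
    ("Inbound", "msg-010", "update.one"),
    ("Inbound", "msg-011", "agenda.pdf"),
]

# Same greedy pattern as extract(@'.*\.(.*)', 1, FileName) in the KQL query:
# the leading .* swallows everything up to the last dot.
_EXT_RE = re.compile(r".*\.(.*)")


def file_extension(filename: str) -> str:
    r"""Return the text after the last dot, lower-cased, or '' if there is no dot.

    Mirrors extract(@'.*\.(.*)', 1, FileName); the lower-casing is an added
    normalisation so that 'PDF' and 'pdf' are counted as one extension.
    """
    m = _EXT_RE.match(filename)
    return m.group(1).lower() if m else ""


def rarest_extensions(records, limit=20):
    """Count extensions of inbound attachments and return the `limit` rarest.

    Returns a list of (extension, total) tuples sorted by ascending count.
    Ties are broken alphabetically so the result is deterministic; the KQL
    `top ... asc` does not promise any particular order among ties.
    """
    counts = Counter()
    for direction, _msg_id, name in records:
        if direction != "Inbound":      # | where EmailDirection == 'Inbound'
            continue
        ext = file_extension(name)      # | extend FileExtension = ...
        if not ext:                     # | where isnotempty(FileExtension)
            continue
        counts[ext] += 1                # | summarize Total = count() by FileExtension
    # | top <limit> by Total asc
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    for ext, total in rarest_extensions(SAMPLE_ATTACHMENTS):
        print(f"{ext:<8} {total}")
```

On the sample above the script prints the five single-occurrence extensions (`docx`, `gz`, `iso`, `jpg`, `one`) followed by `pdf` with a count of 4; `README` and the outbound `xlsm` attachment never reach the counter. Two behaviours of the original regex are worth keeping in mind when reading the query's results: a multi-part extension such as `.tar.gz` is reported only as `gz`, and without a `tolower()` on `FileExtension` the KQL version counts `PDF` and `pdf` as two different extensions, which can make an ordinary type look rare.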

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

EmailEvents, EmailAttachmentInfo

Keywords

EmailEvents, EmailDirection, EmailAttachmentInfo, NetworkMessageId, FileName, FileExtension, Total

Operators

|, where, join, extend, tostring, extract, isnotempty, summarize, top