Query Details

List the 20 most rare file extensions recieved from emails

Email Most Rare File Extensions Recieved

Query

EmailEvents
// Only display inbound emails
| where EmailDirection == 'Inbound'
// Join the email events with the attachment information, that the email must have an attachment.
| join kind=inner EmailAttachmentInfo on NetworkMessageId
// extract the file extension from the filename
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
| where isnotempty(FileExtension)
| summarize Total = count() by FileExtension
| top 20 by Total asc

About this query

List the 20 most rare file extensions recieved from emails

Query Information

Description

This query list the 20 rarest file extentions that have been used in email attachments.

Risk

Rare file extensions may incidacte that an actor is trying trick users in opening malicious files.

Defender XDR

Sentinel

EmailEvents
// Only display inbound emails
| where EmailDirection == 'Inbound'
// Join the email events with the attachment information, that the email must have an attachment.
| join kind=inner EmailAttachmentInfo on NetworkMessageId
// extract the file extension from the filename
| extend FileExtension = tostring(extract(@'.*\.(.*)', 1, FileName))
| where isnotempty(FileExtension)
| summarize Total = count() by FileExtension
| top 20 by Total asc

Explanation

This query is designed to identify the 20 least common file extensions found in email attachments received by a system. Here's a simple breakdown of what the query does:

  1. Filter for Inbound Emails: It starts by selecting only those emails that are incoming, meaning they are received from outside the organization.

  2. Join with Attachment Information: It combines email data with attachment data to ensure that only emails with attachments are considered.

  3. Extract File Extensions: From each attachment's filename, it extracts the file extension (the part of the filename after the last dot).

  4. Filter Non-Empty Extensions: It ensures that only attachments with a file extension are included in the analysis.

  5. Count Occurrences: It counts how many times each file extension appears in the dataset.

  6. Identify Rare Extensions: Finally, it sorts these counts in ascending order and selects the top 20, which effectively gives the 20 least common file extensions.

The purpose of this query is to highlight unusual or rare file extensions in email attachments, which could be a sign of potentially malicious activity, as attackers might use uncommon file types to bypass security measures or trick users into opening harmful files.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

EmailEventsEmailAttachmentInfo

Keywords

EmailEventsAttachmentInfoFileExtensionNameNetworkMessageId

Operators

wherejoinextendtostringextractisnotemptysummarizecounttop

Actions

GitHub