Query Details

Malicious QR Code File Attachment Found

Query

EmailAttachmentInfo
| where FileType in~ ("png", "jpg", "svg", "eps")
| where isempty(SenderObjectId)
| where FileName matches regex "^[A-Z]{4,}\\.[A-Za-z0-9]+$"
| where FileSize >= 300 and FileSize <= 1000

Explanation

This query looks for email attachments that are image files (png, jpg, svg, eps, matched case-insensitively), have an empty SenderObjectId (no sender object ID is recorded), have a file name made up of four or more uppercase letters followed by a dot and an alphanumeric extension, and have a file size between 300 and 1000 bytes inclusive.
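
To check or tune the filters described above before running them against live mail data, the following added example (not part of the original query or written by its author) evaluates each condition separately over a small table of constructed rows, so it is visible which predicate excludes a given attachment. The table name SampleAttachments, the Note column, the boolean column names and all row values, including the placeholder object ID, are assumptions made up for illustration.

```kql
// Constructed sample rows (not real telemetry), shaped like the
// EmailAttachmentInfo columns that the query filters on.
let SampleAttachments = datatable(FileName:string, FileType:string, SenderObjectId:string, FileSize:long, Note:string)
[
    "XKQZ.png",    "png", "",                                     512,  "baseline row",
    "ABCDEF.SVG",  "SVG", "",                                     300,  "uppercase type, lower size bound",
    "PAYME.eps",   "eps", "",                                     1000, "upper size bound",
    "Invoice.png", "png", "",                                     640,  "mixed-case file name",
    "QRC.jpg",     "jpg", "",                                     700,  "only three capital letters",
    "WXYZ.png",    "png", "00000000-0000-0000-0000-000000000001", 450,  "SenderObjectId populated (placeholder value)",
    "LOGO.png",    "png", "",                                     1001, "one byte over the upper bound",
    "SCAN.pdf",    "pdf", "",                                     800,  "file type outside the list"
];
SampleAttachments
// Same four predicates as the query, kept as separate boolean columns
| extend TypeOk   = FileType in~ ("png", "jpg", "svg", "eps"),
         SenderOk = isempty(SenderObjectId),
         NameOk   = FileName matches regex "^[A-Z]{4,}\\.[A-Za-z0-9]+$",
         SizeOk   = FileSize >= 300 and FileSize <= 1000
// A row is returned by the original query only when all four hold
| extend Matched = TypeOk and SenderOk and NameOk and SizeOk
| project FileName, FileType, FileSize, TypeOk, SenderOk, NameOk, SizeOk, Matched, Note
```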

Details


H1dd3n00b

Released: June 7, 2024

Tables

EmailAttachmentInfo

Keywords

EmailAttachmentInfo, FileType, SenderObjectId, FileName, FileSize

Operators

where, in~, isempty, matches regex, >=, <=