Query Details

Detect Last Pass Hack Emails Attempts To Trick Users Into Installing Malware

Query

let Email_Zips = EmailAttachmentInfo | where FileType has "zip" | project FileName;
DeviceFileEvents
| extend FileOriginReferrerUrl_ext = extract(@"[^\\]+$", 0, FileOriginReferrerUrl)
| where isnotempty( FileOriginReferrerUrl)
| join kind=inner ( DeviceEvents) on $left.InitiatingProcessUniqueId == $right.InitiatingProcessUniqueId
| extend FileExtension = extract(@"\.([a-zA-Z0-9]+)$", 1, FileName)
| extend Source_Type = case(FileOriginReferrerUrl startswith "https://", "๐ŸŒŽ Web","๐Ÿ“‚ File")
| join kind=inner (Email_Zips) on $left.FileOriginReferrerUrl_ext == $right.FileName
| where FileName endswith ".msi"
| summarize total_Files= dcount(FileName), Files_after_execution= strcat("๐Ÿ—‚๏ธ ",make_set(FileName)),make_set(FileExtension),make_set(ActionType),make_set(FolderPath),SHA256_Group=make_set(SHA2561) by InitiatingProcessUniqueId,AccountUpn = strcat("๐Ÿ‘ฉ๐Ÿป๐Ÿ’ป๐Ÿง‘๐Ÿพ๐Ÿ’ป",InitiatingProcessAccountUpn), Device = strcat("๐Ÿ’ป ",DeviceName), FileOriginReferrerUrl,Source_Type, OriginalFile=strcat("๐Ÿšฉ ",FileOriginReferrerUrl_ext), ReportId, Timestamp, DeviceId```

About this query

Explanation

This KQL query is designed to detect phishing attempts that involve emails with ZIP file attachments containing MSI files, which are used to install malware. Here's a simplified explanation of what the query does:

  1. Identify ZIP Attachments: The query starts by identifying email attachments that are ZIP files. It extracts the file names of these ZIP attachments for further analysis.

  2. Track File Events: It then looks at device file events to find instances where files originating from these ZIP attachments are executed. This is done by matching the file origin URL with the file names of the ZIP attachments.

  3. Filter for MSI Files: The query specifically filters for MSI files, which are often used as installers. This is because the phishing emails in question use MSI files to disguise malware.

  4. Join with Email Data: By joining the file events with the email attachment data, the query correlates the execution of MSI files with the original ZIP attachments from emails.

  5. Summarize and Report: Finally, the query summarizes the results, providing details such as the number of files executed, file extensions, actions taken, file paths, and SHA256 hashes. It also includes information about the user account, device, and the original file name.

Overall, this query helps detect and report on phishing attempts that use ZIP attachments with MSI files to deliver malware, focusing on the behavior (Indicator of Attack, IOA) rather than specific file names (Indicator of Compromise, IOC), which can easily be changed by attackers.

Details

Sergio Albea profile picture

Sergio Albea

Released: October 16, 2025

Tables

EmailAttachmentInfoDeviceFileEventsDeviceEvents

Keywords

EmailAttachmentDeviceFileEventsNameOriginReferrerUrlExtensionSourceTypeActionFolderPathSHA256AccountUpnReportIdTimestamp

Operators

let|wherehasprojectextendextractisnotemptyjoinon==casestartswithendswithsummarizedcountstrcatmake_setby

Actions

GitHub