Emails with randomly named attachments from the same sender to multiple recipients can indicate a phishing or malware-distribution campaign: adversaries generate a unique, unpredictable attachment name per message so that filename- and hash-based blocking, and simple clustering on the attachment name, do not catch the whole wave. The hunt below keys on image attachments because the reference scenario is QR-code phishing, where the lure is an image. It takes the first four characters of each attachment name and counts, per sender over the last seven days, how many distinct four-character prefixes appear; ten or more distinct prefixes from one sender is the signal. SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify and mitigate targeted campaigns that may bypass traditional email security controls.
KQL Query

```kql
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in ("png", "jpg", "jpeg", "gif", "svg")
| where isnotempty(FileName)
| extend firstFourFileName = substring(FileName, 0, 4)
| summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
| where FirstFourFilesCount >= 10
```
```yaml
id: 25150085-015a-4673-9b67-bc6ad9475500
name: Campaign with randomly named attachments
description: |
  In this detection, we hunt for emails with randomly named attachments sent from the same sender to multiple recipients.
description-detailed: |
  In this detection, we hunt for emails with randomly named attachments sent from the same sender to multiple recipients (typically more than 50), using Defender for Office 365 data. This pattern can indicate a QR code phishing campaign.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailAttachmentInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailAttachmentInfo
  | where Timestamp > ago(7d)
  | where FileType in ("png", "jpg", "jpeg", "gif", "svg")
  | where isnotempty(FileName)
  | extend firstFourFileName = substring(FileName, 0, 4)
  | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
  | where FirstFourFilesCount >= 10
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailAttachmentInfo | Ensure the data connector that streams this table (MicrosoftThreatProtection) is enabled |
Note that the query above only inspects image attachments (the `FileType in (...)` filter) and keys on the first four characters of each name, so the archives, spreadsheets and PDFs in the scenarios below only matter if that filter is widened, and scripted names that share a fixed prefix (backup_, artifact_, report_) collapse to a single prefix and will not by themselves reach the threshold. Legitimate senders that do produce fully random image names are best handled by an allowlist on `SenderFromAddress`.

Scenario: A system administrator sends out a scheduled backup job report with randomly named attachments (e.g., backup_123456789.tar.gz, backup_987654321.zip) to multiple teams for review.
Filter/Exclusion: Exclude the admin account (e.g., `admin_user`) by its `SenderFromAddress`, or filter out known backup job names with a regex pattern.

Scenario: A DevOps team uses a CI/CD pipeline to deploy code, and the pipeline generates temporary files with random names (e.g., artifact_123456789.jar, build_987654321.zip) and emails them to developers.
Filter/Exclusion: Exclude the CI/CD service account (e.g., `ci_cd_service`) by its `SenderFromAddress`, or filter by known deployment-related file patterns.

Scenario: A marketing team uses a third-party email tool (e.g., Mailchimp) to send personalized campaign emails with dynamically generated attachment names (e.g., report_user12345.pdf, survey_user98765.xlsx) to multiple recipients.
Filter/Exclusion: Exclude the marketing tool's sender domain (e.g., mailchimp.com) via `SenderFromAddress`, or filter by known marketing campaign file types.

Scenario: A finance team uses a script to generate and email monthly reports with random filenames (e.g., report_20231001_123456.xlsx, summary_20231001_987654.xlsx) to multiple stakeholders.
Filter/Exclusion: Exclude the finance team's script account (e.g., `finance_script`) by its `SenderFromAddress`, or filter by known report naming conventions.
Scenario: A
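The KQL hunt and the tuning scenarios above, re-implemented in Python as an added example that runs offline against constructed rows. This is not code from the page or from Microsoft: the sender addresses, recipients, file names and message IDs are made up, and the `excluded_senders` parameter stands in for a sender allowlist that would be added to the query as `| where SenderFromAddress !in~ (dynamic([...]))`. It shows four things at once: fully random image names trip the prefix count; scripted names with a fixed prefix such as `chart_...` collapse to one prefix and stay under the threshold; non-image attachments never reach the count because of the FileType filter; and a legitimate bulk mailer that emits random image names looks identical to the campaign and can only be removed by allowlisting.

```python
"""Offline re-implementation of the 'randomly named attachments' hunt.

Mirrors the KQL pipeline (FileType filter -> 4-char prefix -> per-sender
dcount) so the heuristic can be exercised without a Sentinel workspace.
All rows and addresses below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
import random
import string

IMAGE_TYPES = ("png", "jpg", "jpeg", "gif", "svg")  # FileType in (...) in the KQL
PREFIX_LEN = 4                                       # substring(FileName, 0, 4)
PREFIX_THRESHOLD = 10                                # FirstFourFilesCount >= 10
SET_LIMIT = 10                                       # make_set(NetworkMessageId, 10)


@dataclass(frozen=True)
class AttachmentRow:
    """One EmailAttachmentInfo record, limited to the columns the query reads."""
    sender: str
    recipient: str
    file_name: str
    file_type: str
    network_message_id: str


def hunt_random_attachments(rows, excluded_senders=()):
    """Return {SenderFromAddress: summary} for senders crossing the prefix threshold.

    excluded_senders is the allowlist tuning from the false-positive scenarios
    (hypothetical here; in KQL: | where SenderFromAddress !in~ (dynamic([...]))).
    """
    excluded = {s.lower() for s in excluded_senders}
    recipients = defaultdict(set)    # dcount(RecipientEmailAddress)
    prefixes = defaultdict(set)      # dcount(firstFourFileName)
    message_ids = defaultdict(list)  # make_set(NetworkMessageId, 10)
    for r in rows:
        # KQL `in` is case-sensitive, so the FileType match is exact here too.
        if r.file_type not in IMAGE_TYPES or not r.file_name:
            continue
        if r.sender.lower() in excluded:
            continue
        recipients[r.sender].add(r.recipient)
        prefixes[r.sender].add(r.file_name[:PREFIX_LEN])
        ids = message_ids[r.sender]
        if r.network_message_id not in ids and len(ids) < SET_LIMIT:
            ids.append(r.network_message_id)
    return {
        sender: {
            "RecipientsCount": len(recipients[sender]),
            "FirstFourFilesCount": len(seen),
            "suspiciousEmails": message_ids[sender],
        }
        for sender, seen in prefixes.items()
        if len(seen) >= PREFIX_THRESHOLD
    }


def _rand_name(rng, n=12):
    return "".join(rng.choices(string.ascii_lowercase + string.digits, k=n))


def build_sample_rows(seed=7):
    """Constructed EmailAttachmentInfo rows, seeded so every run sees the same data."""
    rng = random.Random(seed)
    rows = []
    # 1. Campaign: one sender, 60 recipients, a fully random image name per message.
    for i in range(60):
        rows.append(AttachmentRow("invoices@phish.example", f"user{i}@contoso.example",
                                  f"{_rand_name(rng)}.png", "png", f"msg-phish-{i}"))
    # 2. Finance script: random suffix but a fixed prefix, so only one 4-char prefix.
    for i in range(60):
        rows.append(AttachmentRow("reports@contoso.example", f"user{i}@contoso.example",
                                  f"chart_20231001_{_rand_name(rng, 6)}.png", "png", f"msg-fin-{i}"))
    # 3. Backup job: random names, but archives never pass the FileType filter.
    for i in range(30):
        rows.append(AttachmentRow("backup@contoso.example", f"user{i}@contoso.example",
                                  f"{_rand_name(rng)}.zip", "zip", f"msg-bak-{i}"))
    # 4. Marketing tool: random image names to many recipients; a known-good sender
    #    that must be allowlisted because the heuristic alone cannot tell it apart.
    for i in range(40):
        rows.append(AttachmentRow("news@mailer.example", f"user{i}@contoso.example",
                                  f"{_rand_name(rng)}.jpg", "jpg", f"msg-mkt-{i}"))
    return rows


if __name__ == "__main__":
    rows = build_sample_rows()
    print("untuned hits:    ", sorted(hunt_random_attachments(rows)))
    print("allowlisted hits:", sorted(hunt_random_attachments(rows, ["news@mailer.example"])))
```

Run stand-alone it lists both the campaign sender and the bulk mailer as hits, then only the campaign sender once the mailer is allowlisted; the finance and backup senders never appear, for the two different reasons noted in the comments.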