Part 6: Finding The Victims - Video 7

Let's use some of our newly learned query skills, and introduce some complimentary new ones, to see if we can catch a phish!

Query 12:
Ensure recipients are only counted once as we want to answer how many different recipients received messages from a each sender_domain

tag=envolvelabs-Email ax recipient ~ "envolvelabs.com" sender
!~ "envolvelabs.com"
| fields -e sender -d "@" [ 1 ] as sender_domain
| unique sender_domain recipient
| count by sender_domain
| sort by count desc
| eval count

Query 13:
Use a partial match of the url field to find entries with our domain of interest

tag=envolvelabs-OutboundBrowsing ax url ~ "illness.med";
| table

Query 14:
Extract the domain out of a url and search for a particular pattern within the new enumerated field

tag=envolvelabs-OutboundBrowsing ax
| regex -e url "(?P^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med";
| table

Query 15:
Adding a filter to see only users that issued an HTTP POST request

tag=envolvelabs-OutboundBrowsing ax method == "POST"
| regex -e url "(?P^(?:https?:\/\/)?(?:[^@\/\n]+@)?(?:www\.)?([^:\/\n]+))"
| grep -e domain "illness.med";
| table

TOP