It appears that all of the phishing emails our organization received that are related to the “infector.exe” payload came from the same sender, “email@example.com”. Let's check on that to see if we missed anything.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 7// The sender "firstname.lastname@example.org" is the same between both phishing campaigns that resulted in infector.exe compromise; are there any others we are missing?
tag=envolvelabs2-Email ax sender=="email@example.com"| sort by time asc| table
//Query 8// Let's use our query fu to get a better idea of the breakdown of campaigns.
tag=envolvelabs2-Email ax sender=="firstname.lastname@example.org"| count by subject link| table subject link count
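The two queries above do three things: restrict the time scope, pivot on one sender, and then count by subject and link to separate campaigns. The Python below is an added example (not part of the original walkthrough or of Gravwell) that performs the same pivot and breakdown over a handful of constructed email records, so the logic can be checked offline. The field names time, sender, subject and link, the JSON-lines layout, and every record value are assumptions; the sender address is the page's own placeholder.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample records standing in for the envolvelabs2-Email tag.
# Field names (time, sender, subject, link) are assumptions mirroring the
# query's "ax" extractions; every value here is made up for the example.
SAMPLE_LOG = """
{"time":"2019-08-15T10:02:00","sender":"email@example.com","subject":"Invoice 4411","link":"http://example.invalid/inv"}
{"time":"2020-03-04T09:12:00","sender":"email@example.com","subject":"Invoice 4411","link":"http://example.invalid/inv"}
{"time":"2020-03-05T14:30:00","sender":"email@example.com","subject":"Invoice 4411","link":"http://example.invalid/inv"}
{"time":"2021-06-20T08:00:00","sender":"email@example.com","subject":"Payroll update","link":"http://example.invalid/pay"}
{"time":"2021-06-21T08:05:00","sender":"other@example.net","subject":"Lunch","link":""}
"""

# Time scope from the walkthrough: 09/01/2019 -> 01/01/2022 (start inclusive, end exclusive).
TIME_START = datetime(2019, 9, 1)
TIME_END = datetime(2022, 1, 1)


def load_records(raw):
    """Parse JSON-lines records and keep only those inside the time scope."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["time"])
        if TIME_START <= rec["_ts"] < TIME_END:
            records.append(rec)
    return records


def pivot_on_sender(records, sender):
    """Query 7 equivalent: every in-scope message from one sender, oldest first."""
    hits = [r for r in records if r["sender"] == sender]
    return sorted(hits, key=lambda r: r["_ts"])


def campaign_breakdown(records, sender):
    """Query 8 equivalent: count by (subject, link) for that sender.

    Returns a list of ((subject, link), count) tuples, most frequent first,
    so each distinct subject/link pair stands out as a candidate campaign.
    """
    counts = Counter((r["subject"], r["link"]) for r in pivot_on_sender(records, sender))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for r in pivot_on_sender(recs, "email@example.com"):
        print(r["time"], r["subject"], r["link"])
    for (subject, link), n in campaign_breakdown(recs, "email@example.com"):
        print(f"{n:>3}  {subject}  {link}")
```

The August 2019 record is dropped by the time scope before the pivot runs, which mirrors why the walkthrough sets the scope first: a sender filter alone would have pulled it in and skewed the campaign counts.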