Transitioning: Triage to Investigation - Campaigns

It appears that all of the phishing emails our organization received that are related to the
“infector.exe” payload came from the same sender, “”,
let's check on that to see if we missed anything.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 7//
The sender "" is the same between both phishing
campaigns that resulted in infector.exe compromise, are there any others we are missing?

tag=envolvelabs2-Email ax sender==""
| sort by time asc
| table

//Query 8//
Lets use our query fu to get a better of idea of the breakdown of campaigns

tag=envolvelabs2-Email ax sender==""
| count by subject link
| table subject link count