Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
It appears that all of the phishing emails our organization received that are related to the
“infector.exe” payload came from the same sender, “amelia_lozano@wesellbeakers.com”.
Let's check on that to see if we missed anything.
Key: Set time scope to 09/01/2019 -> 01/01/2022
//Query 7//
The sender "amelia_lozano@wesellbeakers.com" is the same between both phishing
campaigns that resulted in infector.exe compromise. Are there any others we are missing?
tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| sort by time asc
| table
//Query 8//
Let's use our query fu to get a better idea of the breakdown of campaigns.
tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| count by subject link
| table subject link count
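As an added illustration (not part of the original walkthrough or Gravwell's own code), the same two pivots run offline in Python over constructed email records: filter on the sender, sort by time, count by the (subject, link) campaign key, and diff the result against the campaigns already tied to infector.exe to surface any that were missed. The records, the KNOWN_CAMPAIGNS set and the link values are constructed assumptions; the field names mirror the page's sender, subject and link.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real data); field names mirror the page's
# autoextractor fields: sender, subject, link, plus a timestamp.
SENDER = "amelia_lozano@wesellbeakers.com"
EMAILS = [
    {"time": "2019-10-03T09:12:00", "sender": SENDER,
     "subject": "Invoice 4471 overdue", "link": "http://example.invalid/inv/4471.zip"},
    {"time": "2019-10-03T09:15:00", "sender": SENDER,
     "subject": "Invoice 4471 overdue", "link": "http://example.invalid/inv/4471.zip"},
    {"time": "2020-02-11T14:02:00", "sender": SENDER,
     "subject": "Lab equipment quote", "link": "http://example.invalid/quote/q.docm"},
    {"time": "2021-06-20T08:40:00", "sender": SENDER,
     "subject": "Shipping delay notice", "link": "http://example.invalid/ship/track.exe"},
    {"time": "2020-05-01T10:00:00", "sender": "someone@else.invalid",
     "subject": "Hello", "link": "http://example.invalid/hello"},
]

# Campaigns already tied to the infector.exe compromise (constructed assumption).
KNOWN_CAMPAIGNS = {
    ("Invoice 4471 overdue", "http://example.invalid/inv/4471.zip"),
    ("Lab equipment quote", "http://example.invalid/quote/q.docm"),
}

def in_scope(record, start="2019-09-01", end="2022-01-01"):
    """Equivalent of the page's time scope 09/01/2019 -> 01/01/2022."""
    t = datetime.fromisoformat(record["time"])
    return datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)

def emails_from(sender, records=EMAILS):
    """Query 7: filter on sender, then sort by time ascending."""
    hits = [r for r in records if r["sender"] == sender and in_scope(r)]
    return sorted(hits, key=lambda r: r["time"])

def campaign_breakdown(sender, records=EMAILS):
    """Query 8: count by (subject, link), the page's campaign key."""
    return Counter((r["subject"], r["link"]) for r in emails_from(sender, records))

def unknown_campaigns(sender, known=KNOWN_CAMPAIGNS, records=EMAILS):
    """Campaigns from this sender not yet tied to a known compromise."""
    return sorted(set(campaign_breakdown(sender, records)) - known)

if __name__ == "__main__":
    for (subject, link), n in campaign_breakdown(SENDER).items():
        print(f"{n:3d}  {subject:<25} {link}")
    print("not yet investigated:", unknown_campaigns(SENDER))
```

The last line of output is the answer to the walkthrough's question: any (subject, link) pair from this sender that is not already in the known set is a campaign still to be investigated.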