Transitioning: Triage to Investigation - Campaigns

It appears that all of the phishing emails our organization received that are related to the
“infector.exe” payload came from the same sender, “amelia_lozano@wesellbeakers.com”.
Let's check on that to see if we missed anything.

Key: Set time scope to 09/01/2019 -> 01/01/2022

//Query 7//
The sender "amelia_lozano@wesellbeakers.com" is the same across both phishing
campaigns that resulted in the infector.exe compromise. Are there any others we are missing?

tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| sort by time asc
| table

//Query 8//
Let's use our query-fu to get a better idea of the breakdown of campaigns.

tag=envolvelabs2-Email ax sender=="amelia_lozano@wesellbeakers.com"
| count by subject link
| table subject link count
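
The same breakdown reproduced offline, as an added Python example (not part of the original lab and not Gravwell code). It goes one step beyond Query 8 by also reporting when each subject/link pair was first and last seen, which is what Query 7's time sort is used to eyeball. The JSON layout, the "ts" field, and every subject, link and second sender in the sample are constructed assumptions; only the sender, subject and link field names come from the queries above.

```python
import json
from collections import defaultdict
from datetime import datetime

SENDER = "amelia_lozano@wesellbeakers.com"

# Constructed sample entries (assumed export format: one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2019-10-02T09:14:00", "sender": "amelia_lozano@wesellbeakers.com", "subject": "Invoice overdue", "link": "http://example.test/invoice"}
{"ts": "2019-10-02T09:15:00", "sender": "amelia_lozano@wesellbeakers.com", "subject": "Invoice overdue", "link": "http://example.test/invoice"}
{"ts": "2020-03-11T13:02:00", "sender": "amelia_lozano@wesellbeakers.com", "subject": "Updated price list", "link": "http://example.test/prices"}
{"ts": "2020-03-11T13:05:00", "sender": "someone_else@example.test", "subject": "Lunch", "link": ""}
{"ts": "2021-06-20T08:30:00", "sender": "amelia_lozano@wesellbeakers.com", "subject": "Updated price list", "link": "http://example.test/prices"}
{"ts": "2021-11-05T16:45:00", "sender": "amelia_lozano@wesellbeakers.com", "subject": "Updated price list", "link": "http://example.test/prices-v2"}
this line is not JSON
"""

def campaign_breakdown(lines, sender):
    """Group one sender's emails by (subject, link) with count and first/last seen."""
    seen = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting triage
        # Exact match, mirroring sender=="..." in the queries above.
        if entry.get("sender") != sender or "ts" not in entry:
            continue
        key = (entry.get("subject", ""), entry.get("link", ""))
        seen[key].append(datetime.fromisoformat(entry["ts"]))
    rows = [
        {"subject": subj, "link": link, "count": len(times),
         "first": min(times), "last": max(times)}
        for (subj, link), times in seen.items()
    ]
    # Oldest group first, so a new subject/link pair stands out at the bottom.
    return sorted(rows, key=lambda r: r["first"])

if __name__ == "__main__":
    for row in campaign_breakdown(SAMPLE_LOG.splitlines(), SENDER):
        print(f'{row["count"]:>3}  {row["first"]:%Y-%m-%d} -> {row["last"]:%Y-%m-%d}  '
              f'{row["subject"]!r}  {row["link"]}')
```

A pair whose first and last dates sit far apart, or a known subject that shows up with a new link, is a cue to look for a campaign that the earlier triage did not cover.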
