Query Details
**[IC] - Catching Emojis into File Names**
| Technique ID | Title |
| --- | --- |
| T1036 | Masquerading |
| Author | Sergio Albea (16/03/2026) |
Attackers do not only use emojis in email subject lines. Sometimes they also put them in the file name itself to make the file look more attractive or legitimate. Based on my experience, I do not expect legitimate file names to contain icons, so this is a case where a hunt can be converted into a detection with little effort. Keep in mind that the U+2600-U+27BF range also covers plain dingbats such as check marks (U+2713, U+2714), which users occasionally add to names of approved or finished documents, so expect a small amount of tuning. For example:
- 📄Invoice.pdf
- 🔐Reset_Password.html
- 📦Delivery_Document.zip
This can help find:
- Suspicious files dropped on disk
- Files downloaded from phishing emails
- User-downloaded scam files
- Payloads with social engineering names
```
// Sergio Albea 16-03-2026 ©️
DeviceFileEvents
| where Timestamp > ago(7d)
| where isnotempty(FileName)
// Emoji code points: U+1F300-U+1FAFF (pictographs, emoticons, transport, extended symbols)
// and U+2600-U+27BF (Miscellaneous Symbols, Dingbats); extract_all returns every hit
| extend Icons = extract_all(@"([\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}])", FileName)
| where isnotempty(Icons)
// Timestamp, ReportId and DeviceId are required in the output if this becomes a custom detection rule
| project Timestamp,InitiatingProcessRemoteSessionIP,MD5,DeviceName,FileName,FolderPath,InitiatingProcessFileName,Icons,ReportId,DeviceId
```
This query is designed to surface potentially suspicious files on a device by identifying file names that contain emojis. Here is a simple breakdown of what the query does:
- Data source: it reads DeviceFileEvents, which records file creation, modification and deletion events on onboarded devices.
- Time frame: it keeps only events from the last 7 days (Timestamp > ago(7d)).
- File name check: it ensures the file name is not empty (isnotempty(FileName)).
- Emoji extraction: it uses a regular expression to pull emojis out of the file name. The two Unicode ranges in the pattern (U+1F300-U+1FAFF and U+2600-U+27BF) cover the common pictographs, emoticons and dingbats, and extract_all returns every match as an array (extract_all(@"([\x{1F300}-\x{1FAFF}\x{2600}-\x{27BF}])", FileName)).
- Filter for emojis: it keeps only rows whose file name produced at least one match (isnotempty(Icons)).
- Output: it projects the details an analyst needs: the IP address of the remote session (such as RDP) from which the initiating process was launched, if any (InitiatingProcessRemoteSessionIP); the MD5 hash of the file; the device name; the file name; the folder path; the name of the initiating process; the extracted emojis; and the ReportId and DeviceId, which a custom detection rule requires in its output together with Timestamp.
The purpose of this query is to identify files that might be masquerading as legitimate by using emojis in their names, a tactic sometimes used in phishing and social engineering attacks. By detecting such files, security teams can investigate further to determine whether they are part of malicious activity.
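To see what the regular expression in the query actually matches and what it lets through, here is an added Python example (my code, not the author's query and not part of the original page). It rewrites the same character class for Python's re module and runs the same pipeline over a handful of constructed DeviceFileEvents rows: the three names from the page, two legitimate non-ASCII names that must not alert, and two emoji that fall outside the query's two ranges. It also goes one step beyond the page with an extended class, which is my own assumption rather than part of the original query, adding the regional indicator block and U+2B00-U+2BFF to show which emoji the original ranges miss.

```python
import re
from dataclasses import dataclass

# The character class the page's KQL query feeds to extract_all(), rewritten
# for Python's re module (RE2's \x{1F300} becomes \U0001F300 here; the ranges
# are the same): U+1F300-U+1FAFF (pictographs, emoticons, transport, extended
# symbols) and U+2600-U+27BF (Miscellaneous Symbols, Dingbats).
QUERY_ICON_RE = re.compile(r"[\U0001F300-\U0001FAFF\u2600-\u27BF]")

# Broader class used only to show what the query's ranges leave out. It adds
# U+1F000-U+1F2FF (enclosed symbols, plus the U+1F1E6-U+1F1FF regional
# indicators that flag emoji are built from) and U+2B00-U+2BFF (where the
# star emoji U+2B50 lives). This extension is my assumption, not part of the
# original query.
EXTENDED_ICON_RE = re.compile(
    r"[\U0001F000-\U0001FAFF\u2600-\u27BF\u2B00-\u2BFF]"
)


@dataclass(frozen=True)
class FileEvent:
    """The handful of DeviceFileEvents columns this example projects."""
    device_name: str
    file_name: str
    folder_path: str
    initiating_process: str


# Constructed sample events; none of this is real telemetry.
SAMPLE_EVENTS = [
    FileEvent("WS-0142", "📄Invoice.pdf",
              r"C:\Users\alice\Downloads\📄Invoice.pdf", "chrome.exe"),
    FileEvent("WS-0142", "🔐Reset_Password.html",
              r"C:\Users\alice\Downloads\🔐Reset_Password.html", "outlook.exe"),
    FileEvent("WS-0207", "📦Delivery_Document.zip",
              r"C:\Users\bob\Downloads\📦Delivery_Document.zip", "msedge.exe"),
    # Non-ASCII but legitimate names: accented Latin and CJK must not alert.
    FileEvent("WS-0207", "Q1_Report_Résumé.docx",
              r"C:\Users\bob\Documents\Q1_Report_Résumé.docx", "winword.exe"),
    FileEvent("WS-0311", "報告書.xlsx",
              r"C:\Users\carol\Documents\報告書.xlsx", "excel.exe"),
    # Emoji outside the query's ranges: U+2B50 star and a flag made of two
    # regional indicator symbols (U+1F1E9 U+1F1EA).
    FileEvent("WS-0311", "⭐Bonus.xlsm",
              r"C:\Users\carol\Downloads\⭐Bonus.xlsm", "explorer.exe"),
    FileEvent("WS-0311", "🇩🇪Rechnung.pdf",
              r"C:\Users\carol\Downloads\🇩🇪Rechnung.pdf", "thunderbird.exe"),
    # Empty FileName, dropped by the isnotempty(FileName) step.
    FileEvent("WS-0311", "", r"C:\Users\carol\Downloads", "explorer.exe"),
]


def extract_icons(file_name: str, pattern=QUERY_ICON_RE) -> list[str]:
    """Python equivalent of extract_all(<regex>, FileName): every matching
    code point in order, or an empty list when there is none."""
    return pattern.findall(file_name)


def hunt(events, pattern=QUERY_ICON_RE) -> list[dict]:
    """Mirror the query's pipeline: skip empty FileName, extract icons, keep
    rows with at least one icon, project the columns an analyst needs."""
    rows = []
    for ev in events:
        if not ev.file_name:           # isnotempty(FileName)
            continue
        icons = extract_icons(ev.file_name, pattern)
        if not icons:                  # isnotempty(Icons)
            continue
        rows.append({
            "DeviceName": ev.device_name,
            "FileName": ev.file_name,
            "FolderPath": ev.folder_path,
            "InitiatingProcessFileName": ev.initiating_process,
            "Icons": icons,
        })
    return rows


def missed_by_query(events) -> list[FileEvent]:
    """Events that carry an emoji under the extended class but none under the
    query's own ranges: the gap the extra blocks would close."""
    return [ev for ev in events
            if ev.file_name
            and not QUERY_ICON_RE.search(ev.file_name)
            and EXTENDED_ICON_RE.search(ev.file_name)]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["DeviceName"], row["FileName"], row["Icons"])
    for ev in missed_by_query(SAMPLE_EVENTS):
        print("missed by the query's ranges:", ev.file_name)
```

Running it lists the three page examples as hits with their extracted icons, leaves the accented and CJK names alone, and reports the star and flag names as misses; passing EXTENDED_ICON_RE to hunt() picks those two up as well. If you widen the KQL pattern the same way, check the dingbat part of U+2600-U+27BF against your own environment first, since that block is where most benign hits will come from.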

Sergio Albea
Released: March 17, 2026