
“We Won $7,146,325.16…” — The Crypto Scam That Didn’t Need Your Password

The email looked exciting. The message felt urgent. The reward looked real.

But none of it made sense.

This Agent Foskett briefing breaks down a modern crypto phishing attack where the attacker did not try to break in — they tried to convince the user to willingly hand over access.

No password theft. No exploit. Just a well-crafted story designed to trigger action before the victim stopped to think.

Briefing summary

A practical Microsoft Defender investigation into crypto reward phishing, wallet connection instructions, suspicious URLs, external support channels and the psychology behind “proceed anyway” scams.

Detect crypto reward and airdrop themes
Pivot from EmailEvents into EmailUrlInfo
Teach users when the story does not make sense

☕ The message
“Apparently, GEMXIT just won $7,146,325.16…”

“…from a crypto reward system we never joined.”

Righto then.

The amount was huge, the instructions were urgent, and the email tried to make the recipient act before thinking.


What the attacker included

This scam was not sophisticated because it looked perfect. It was effective because it combined pressure, reward, personalisation and risky instructions in one message.
A massive dollar amount: A fake reward large enough to override normal caution and create curiosity.
Urgency: The message pushed fast action rather than careful verification.
Personalisation: The recipient email address was included to make the message feel specific and legitimate.
Wallet instructions: The goal was not to steal a password. The goal was to get the user to connect and approve.
WhatsApp support: Moving victims into external channels reduces visibility for business security controls.
“Proceed anyway”: A phrase that should immediately trigger caution, not compliance.

What was actually happening

The attacker did not need malware if they could make the user complete the dangerous action voluntarily.
No password required: The email did not need the victim to type a Microsoft 365 password. It tried to move the victim into a separate approval flow.
Connect the wallet: The wallet connection step creates the feeling of a normal claim process while hiding the real risk.
Approve access: Approvals can be more dangerous than credentials when the user does not understand what they are granting.
Enter a payment code: Codes and instructions make the scam feel procedural, like the victim is completing an official workflow.
Leave business systems: External chat, external websites and unfamiliar portals reduce auditability and increase risk.
Act before thinking: The real exploit is psychological: reward, pressure and confusion working together.

What we would look for in Microsoft Defender

Start with email subject patterns that commonly appear in crypto reward, airdrop and fake payment scams.
crypto-scam-email-patterns.kql

EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("PENDING PAYMENT", "UNCLAIMED REWARDS", "Airdrop", "Reward", "Claim")
| project
    Timestamp,
    SenderFromAddress,
    SenderFromDomain,
    RecipientEmailAddress,
    Subject,
    DeliveryAction,
    ThreatTypes
Used for: Finding suspicious email themes related to crypto rewards, fake payments and airdrop claims.
What to check: Review sender domain, subject wording, recipient targeting, delivery action and threat classification.
Agent Foskett tip: A scam does not need to be technically advanced to be dangerous. It only needs one user to believe the story.
How to read this query
Do not stop at the subject line. Check whether the message was delivered, who received it, whether similar subjects hit multiple users, and whether the sender domain appears elsewhere in the environment.

Then pivot into URLs

If the email was delivered, the next question is whether it contained wallet, claim, airdrop, crypto or external support links.
crypto-wallet-url-analysis.kql

EmailUrlInfo
| where Timestamp > ago(30d)
| where Url has_any ("wallet", "claim", "airdrop", "crypto", "whatsapp")
| project
    Timestamp,
    NetworkMessageId,
    Url
Used for: Finding wallet, crypto, claim and WhatsApp-style URLs associated with suspicious emails.
Why it matters: The link is often where the real attack begins. The email is only the delivery vehicle.
Best next step: Join URL results back to EmailEvents using NetworkMessageId, then review recipients and delivery outcome.

Query: connect suspicious emails to URLs

Use NetworkMessageId to connect the email event with the URLs found in the message.
crypto-scam-email-url-pivot.kql

EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("PENDING PAYMENT", "UNCLAIMED REWARDS", "Airdrop", "Reward", "Claim")
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
| join kind=leftouter (
    EmailUrlInfo
    | where Timestamp > ago(30d)
    | where Url has_any ("wallet", "claim", "airdrop", "crypto", "whatsapp")
    | project NetworkMessageId, Url
) on NetworkMessageId
| order by Timestamp desc
How to read this query
This query connects the story to the action. If a suspicious reward email was delivered and it contains wallet or claim URLs, the investigation should move from “Was it spam?” to “Who received it, who clicked, and what happened next?”

Why this attack works

This is not only an email security issue. It is a human decision-making issue.
Curiosity: The recipient wants to know whether the claim might be real.
Greed: A large reward can short-circuit normal suspicion.
Urgency: Time pressure makes verification feel like a delay.
Confusion: Crypto terms, codes and wallet prompts make the process feel technical and official.
External support: WhatsApp and external contacts move the victim away from normal business oversight.
Permission abuse: The attacker may not need to steal access if they can persuade the user to grant it.
🧠 Agent Foskett’s rule
If an email says:

“Proceed anyway”

That is usually your sign to do the exact opposite.

Security is not just about blocking malware. It is teaching people to recognise when the story does not make sense.


Investigation checklist

Use this checklist when an email asks users to claim money, connect wallets, approve access or move to external support channels.
Review delivery: Was the message blocked, junked, quarantined or delivered?
Review sender trust: Does the sender domain align with the claimed organisation?
Review user action: Were links clicked, instructions followed or external conversations started?
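As an added example that is not part of the original briefing, the query below runs the three checklist steps in one pass. It assumes the standard Microsoft Defender XDR advanced hunting schema (EmailEvents with its AuthenticationDetails JSON column, and UrlClickEvents sharing NetworkMessageId with the email) and reuses the subject and URL keyword lists from the queries above.

```kql
// Added example: walk the investigation checklist in a single query.
// Table and column names follow the Defender XDR advanced hunting schema.
let lookback = 30d;
let rewardSubjects = dynamic(["PENDING PAYMENT", "UNCLAIMED REWARDS", "Airdrop", "Reward", "Claim"]);
let scamUrlTerms = dynamic(["wallet", "claim", "airdrop", "crypto", "whatsapp"]);
// Step 1: review delivery. Every outcome is kept so blocked, junked and
// delivered messages can be compared side by side.
EmailEvents
| where Timestamp > ago(lookback)
| where Subject has_any (rewardSubjects)
// Step 2: review sender trust. AuthenticationDetails is a JSON string that
// carries the SPF, DKIM, DMARC and CompAuth verdicts; parse it so each
// verdict becomes a filterable column, and flag MAIL FROM / From mismatches.
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
    DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
| extend MailFromMismatch = SenderMailFromDomain != SenderFromDomain
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
    SenderMailFromDomain, MailFromMismatch, SPF, DKIM, DMARC, CompAuth,
    RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
    LatestDeliveryAction
// Step 3: review user action. A left outer join keeps delivered-but-unclicked
// messages in the result, so the absence of a click is visible too.
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Url has_any (scamUrlTerms)
    | project NetworkMessageId, ClickTime = Timestamp, ClickedUrl = Url,
        ClickAction = ActionType, ClickedBy = AccountUpn, IsClickedThrough
) on NetworkMessageId
// Simple triage score: delivered, failing authentication, mismatched sender
// domains and an allowed click-through each add one point.
| extend RiskScore =
      iff(DeliveryAction == "Delivered", 1, 0)
    + iff(DMARC =~ "fail" or CompAuth =~ "fail", 1, 0)
    + iff(MailFromMismatch, 1, 0)
    + iff(ClickAction == "ClickAllowed", 1, 0)
    + iff(coalesce(IsClickedThrough, false), 1, 0)
| order by RiskScore desc, Timestamp desc
```

Rows with a high RiskScore and a non-empty ClickedBy are the ones to hand to incident response first, since the user has already reached the wallet or claim page.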

Related investigations

This page is part of the wider Agent Foskett Microsoft Defender and email investigation path.
EmailEvents KQL guide: Understand sender fields, AuthenticationDetails, delivery actions and investigation pivots.
Email spoofing with KQL: Investigate spoofing indicators, sender mismatch, AuthenticationDetails and suspicious delivery outcomes.
KQL threat hunting guide: Connect email, identity, endpoint, cloud activity and user behaviour into one investigation workflow.
