Query Details
The Hunt for Blob Phishing Mail Domain

In some phishing kits, the attacker generates the landing page in a blob to remain stealthy, and these emails usually pass SPF/DKIM/DMARC/CompAuth. However, the blob URL has a URL detonation reputation. Use the KQL below to reverse-find all the malicious mail domains that are sending blob phishing URLs, and block these mail domains in the Tenant Block List.

EmailUrlInfo
| where TimeGenerated > ago(90d)
| where Url contains "web.core.windows.net/"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| summarize Count=count() by SenderFromDomain
| sort by Count desc
This KQL query is designed to identify and block malicious email domains that are sending phishing emails with URLs hosted on Azure Blob Storage. Here's a simple breakdown of what the query does:
Data Source: It starts by looking at the EmailUrlInfo table, which contains information about URLs found in emails.
Time Filter: It filters the data to include only records from the last 90 days.
URL Filter: It specifically looks for URLs that contain "web.core.windows.net/", which is indicative of Azure Blob Storage URLs. These URLs are often used in phishing attacks to host malicious landing pages.
Join Operation: The query joins this data with the EmailEvents table using the NetworkMessageId to correlate URL information with specific email events.
Inbound Emails: It filters for emails that are incoming ("Inbound").
Blocked Emails: It further filters for emails that have been blocked by the email system.
Summarization: It counts the number of blocked emails for each sender domain (SenderFromDomain).
Sorting: Finally, it sorts the results in descending order based on the count, showing the domains sending the most blocked phishing emails at the top.
The purpose of this query is to help identify and block domains that are frequently sending phishing emails with malicious URLs hosted on Azure Blob Storage, enhancing email security by adding these domains to a Tenant Block List.
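The following is an added example (not the original query above) that extends the same hunt so that each sender domain also shows how many blob-hosted URLs were delivered rather than blocked, how many distinct blob hosts it used, and how often the mail passed all four authentication checks the description mentions. It assumes the Microsoft Sentinel schema for EmailUrlInfo (UrlDomain) and EmailEvents (DeliveryAction, AuthenticationDetails as a JSON string with SPF, DKIM, DMARC and CompAuth keys).

```kql
// Added example, not the page's original query.
// Assumes Sentinel column names: EmailUrlInfo.UrlDomain,
// EmailEvents.DeliveryAction and EmailEvents.AuthenticationDetails (JSON string).
EmailUrlInfo
| where TimeGenerated > ago(90d)
| where Url contains "web.core.windows.net/"
| project NetworkMessageId, UrlDomain
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(90d)
    | where EmailDirection == "Inbound"
    // AuthenticationDetails is stored as a JSON string; parse it once
    | extend Auth = parse_json(AuthenticationDetails)
    | project NetworkMessageId, SenderFromDomain, DeliveryAction,
              SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
              DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
) on NetworkMessageId
| summarize Blocked   = countif(DeliveryAction == "Blocked"),
            Delivered = countif(DeliveryAction == "Delivered"),
            Junked    = countif(DeliveryAction == "Junked"),
            BlobHosts = dcount(UrlDomain),
            // messages that passed every check and still carried a blob phishing URL
            AllAuthPassed = countif(SPF == "pass" and DKIM == "pass"
                                    and DMARC == "pass" and CompAuth == "pass")
            by SenderFromDomain
// keep only domains that already have at least one blocked blob URL message
| where Blocked > 0
// domains whose blob URLs were also delivered are the most urgent to block
| sort by Delivered desc, Blocked desc
```

Domains with a non-zero Delivered count are the ones where the URL reputation verdict arrived too late, so those are the first candidates for the Tenant Block List.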

Steven Lim
Released: October 14, 2024