Zscaler ZIA - Multi-User Phishing Campaign - Same Domain Hit by 3+ Users in 1 Hour
27 CSL Zscaler Multi User Phishing Campaign
Query
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor == "Zscaler"
| where isnotempty(DestinationHostName) and isnotempty(SourceUserName)
| where DeviceCustomString2 has_any (
"PHISHING", "ADVANCED_SECURITY_RISK", "BOTNET_SITES",
"MALWARE_SITES", "SUSPICIOUS_DESTINATIONS", "MALICIOUS_LINKS")
| summarize
UserCount = dcount(SourceUserName),
Users = make_set(SourceUserName, 20),
Actions = make_set(DeviceAction, 5),
URLSamples = make_set(RequestURL, 5),
Category = any(DeviceCustomString2),
FirstHit = min(TimeGenerated),
LastHit = max(TimeGenerated),
RepURL = any(DestinationHostName)
by DestinationHostName
| where UserCount >= 3
| order by UserCount descExplanation
This query is designed to detect potential phishing campaigns by identifying when three or more distinct users access the same suspicious domain within a one-hour period. It uses data from Zscaler ZIA, a security service, to classify domains as phishing, high-risk, botnet, or malware-related. Here's a simple breakdown of what the query does:
-
Data Source: It examines security logs from Zscaler, focusing on events from the past hour.
-
Filtering Criteria: The query looks for logs where:
- The domain accessed is classified as phishing, high-risk, botnet, or malware.
- There is a valid domain name and user information.
-
Analysis: It counts the number of unique users accessing each domain and gathers details like user names, actions taken, sample URLs, and the time of first and last access.
-
Alert Condition: If three or more users have accessed the same domain within the hour, it flags this as suspicious.
-
Output: The results are sorted by the number of users, and an alert is generated with details about the domain and the number of users involved.
-
Incident Management: If an alert is triggered, an incident is created. The system groups related alerts by URL to manage them efficiently.
This query helps identify and respond to potential phishing attacks by highlighting unusual access patterns to risky domains.
Details

David Alonso
Released: March 2, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H