Netskope - Multi-User Phishing Campaign Detection
42 NK Multi User Phishing Campaign
Query
let _NetskopeEmpty = datatable(TimeGenerated:datetime, action_s:string, category_s:string, severity_s:string, malware_name_s:string, malware_type_s:string, threat_name_s:string, user_s:string, domain_s:string, dstip_s:string, srcip_s:string, bytes_uploaded_d:real, bytes_downloaded_d:real, app_s:string, url_s:string, dlp_rule_s:string, dlp_profile_s:string, activity_s:string, file_type_s:string, object_s:string)[];
let PhishingCategories = dynamic([
"Phishing", "Phishing and Other Frauds", "Newly Observed Domain",
"Newly Registered Domain", "Suspicious", "Malware"]);
union isfuzzy=true _NetskopeEmpty, NetskopeWebTx_CL
| where TimeGenerated > ago(1d)
| where category_s in (PhishingCategories)
or severity_s in ("high", "critical")
| where isnotempty(user_s) and isnotempty(domain_s)
| summarize
UniqueUsers = dcount(user_s),
UserList = make_set(user_s, 30),
TotalRequests = count(),
Blocked = countif(action_s in ("block", "Block", "blocked", "Blocked")),
Allowed = countif(action_s !in ("block", "Block", "blocked", "Blocked")),
Categories = make_set(category_s, 5),
URLSamples = make_set(url_s, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by domain_s
| where UniqueUsers >= 3
| extend CampaignDuration = datetime_diff('minute', LastSeen, FirstSeen)
| order by UniqueUsers desc, TotalRequests descExplanation
This query is designed to detect phishing campaigns targeting multiple users within a short time frame. It focuses on identifying situations where several users access the same suspicious or newly registered domain, which could indicate an active phishing attempt. Here's a simplified breakdown of the query:
-
Purpose: The query aims to identify phishing campaigns by tracking multiple users accessing the same potentially harmful domain.
-
Data Source: It uses data from Netskope Web Transactions, specifically looking at blocked and allowed requests to domains categorized as phishing or suspicious.
-
Time Frame: The query examines data from the past day (24 hours) and runs every 15 minutes.
-
Criteria:
- It looks for domains that have been accessed by at least three unique users.
- The domains should be categorized under phishing, newly observed or registered domains, or other suspicious categories.
- It considers both blocked and allowed requests, focusing on high or critical severity levels.
-
Output:
- The query summarizes the number of unique users, total requests, and categorizes them into blocked and allowed actions.
- It also captures the first and last time the domain was accessed, calculating the duration of the campaign.
-
Alerting:
- If the criteria are met, an alert is generated with details about the domain and the number of users involved.
- The alert includes a custom display name and description, highlighting the number of users and allowed requests.
-
Incident Management:
- An incident is created for each detected campaign, with options for grouping related alerts based on the domain.
Overall, this query helps security teams quickly identify and respond to phishing campaigns by correlating user access patterns to suspicious domains.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: P1D