Query Details

Advanced Vishing KQL Detection

Query

// Advanced Vishing KQL Detection

// https://www.linkedin.com/posts/0x534c_cybersecurity-teams-vishing-activity-7275032953850597377-bCT1?utm_source=share&utm_medium=member_desktop
// https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html

// This post follows up on my previous discussion, "Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion." In just two clicks, you can download the PSTN usage log from the Teams admin portal and upload it to Azure Data Explorer (ADX). By running the KQL query below, you can identify potential indicators of a Vishing attack.🎯

// Run the two indicators as two separate queries. Chaining them in one pipeline does not work:
// after the first summarize only UPN, Callers and CallDuration remain, so the second summarize
// cannot group by ['Caller ID']. Durations are summed/averaged (dcount of a duration column only
// counts distinct values and says nothing about how short the calls were); tolong() guards
// against the column arriving as text from the CSV upload.

// Indicator (1): corporate users (UPN) receiving many short inbound calls.
// Take the receiver UPNs from this result and check them against inbound email flow for the same users.
TeamsCallLog
| where ['Call Direction'] == "Inbound"
| summarize Calls=count(), Callers=dcount(['Caller ID']), TotalDurationSeconds=sum(tolong(['Duration Seconds'])), AvgDurationSeconds=avg(tolong(['Duration Seconds'])) by UPN
| order by Calls desc, AvgDurationSeconds asc
// | where Calls >= 5 and AvgDurationSeconds < 60   // optional cut-off; thresholds must be tuned per environment

// Indicator (2): external Caller IDs placing many short inbound calls across the tenant.
TeamsCallLog
| where ['Call Direction'] == "Inbound"
| summarize Calls=count(), Receivers=dcount(UPN), TotalDurationSeconds=sum(tolong(['Duration Seconds'])), AvgDurationSeconds=avg(tolong(['Duration Seconds'])) by ['Caller ID']
| order by Calls desc, AvgDurationSeconds asc
// | where Calls >= 5 and AvgDurationSeconds < 60   // optional cut-off; thresholds must be tuned per environment

Explanation

This KQL query is designed to surface potential vishing (voice phishing) activity from Microsoft Teams PSTN call logs. What the query does:

  1. Data Source: It starts from the TeamsCallLog table (the PSTN usage report exported from the Teams admin center and uploaded to Azure Data Explorer) and keeps only inbound calls.

  2. Vishing Indicator 1: For each receiving user (identified by User Principal Name, UPN) it aggregates the number of inbound calls, the number of distinct Caller IDs and the call durations. A user who receives many inbound calls that are all short is a candidate victim: attackers dial repeatedly and the calls end quickly. The query comment recommends correlating the flagged UPNs with inbound email flow for the same users, since vishing is typically paired with an email lure.

  3. Vishing Indicator 2: For each external Caller ID it aggregates the number of inbound calls, the number of distinct receivers and the call durations. A single external number placing many short calls to many different users is the caller-side view of the same campaign.

  4. Summarization: The two indicators are two separate aggregations over the same filtered set of inbound calls, one keyed by UPN and one keyed by Caller ID. They cannot be chained in a single pipeline, because the first summarize leaves only the UPN, Callers and CallDuration columns and the second has nothing to group by.

Overall, the query ranks users and external numbers by suspicious calling patterns so that analysts can investigate and take preventive measures. Two caveats apply in practice: "high" call counts and "low" durations have no universal threshold (wrong numbers, voicemail drops and callbacks also produce short calls), so cut-offs must be tuned and the results reviewed rather than alerted on blindly; and the PSTN usage report only contains calls that traverse the telephone network (Calling Plans, Direct Routing, Operator Connect), so Teams-to-Teams VoIP calls from an external tenant do not appear in it. Caller ID is also attacker-controlled and can be spoofed or rotated, which weakens Indicator 2 against a distributed campaign while leaving Indicator 1 intact.
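The same detection logic, as an added example that is not part of the original page or the author's KQL: a Python script that reads a PSTN usage export and performs the two aggregations described above (per UPN and per Caller ID) with explicit thresholds. The column names follow the page; the CSV rows, the tenant domain, the phone numbers and the thresholds MIN_CALLS / MAX_AVG_SECONDS are constructed assumptions to be replaced with a real export and tuned values.

```python
"""Vishing-pattern detection over a Teams PSTN usage export (added example, not the page's KQL).

Mirrors the two KQL indicators: inbound calls only, then one aggregation keyed by the
receiving UPN and one keyed by the external Caller ID, flagging keys with many calls
and a short average duration. Column names follow the page's query; thresholds and
sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real data). One external number hammers three users with
# short calls, dave gets two ordinary calls, and one Outbound row must be ignored.
SAMPLE_CSV = """UPN,Call Direction,Caller ID,Duration Seconds
alice@contoso.com,Inbound,+15551230001,12
alice@contoso.com,Inbound,+15551230001,9
alice@contoso.com,Inbound,+15551230001,15
alice@contoso.com,Inbound,+15551230001,6
alice@contoso.com,Inbound,+15551230001,10
bob@contoso.com,Inbound,+15551230001,8
bob@contoso.com,Inbound,+15551230001,11
carol@contoso.com,Inbound,+15551230001,7
dave@contoso.com,Inbound,+15551239999,540
dave@contoso.com,Inbound,+15551238888,30
alice@contoso.com,Outbound,+15551230001,3
"""

MIN_CALLS = 5          # "high inbound calls": assumed threshold, tune per environment
MAX_AVG_SECONDS = 60   # "low call duration":  assumed threshold, tune per environment


def load_inbound(csv_text):
    """Parse the export and keep inbound rows only (the KQL `where` clause)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Call Direction"] != "Inbound":
            continue
        try:
            seconds = int(row["Duration Seconds"])
        except ValueError:
            continue  # unparsable duration: skip the row instead of aborting the run
        rows.append({"UPN": row["UPN"], "Caller ID": row["Caller ID"], "Duration Seconds": seconds})
    return rows


def aggregate(rows, key, counterpart):
    """Group by `key` (UPN or Caller ID): call count, distinct counterparts, total and average duration."""
    stats = defaultdict(lambda: {"calls": 0, "counterparts": set(), "total_seconds": 0})
    for r in rows:
        s = stats[r[key]]
        s["calls"] += 1
        s["counterparts"].add(r[counterpart])
        s["total_seconds"] += r["Duration Seconds"]
    return {
        k: {
            "calls": s["calls"],
            "distinct_counterparts": len(s["counterparts"]),
            "total_seconds": s["total_seconds"],
            "avg_seconds": s["total_seconds"] / s["calls"],
        }
        for k, s in stats.items()
    }


def flag(stats, min_calls=MIN_CALLS, max_avg_seconds=MAX_AVG_SECONDS):
    """Keys with many calls AND a short average call, most active first."""
    hits = [k for k, s in stats.items() if s["calls"] >= min_calls and s["avg_seconds"] < max_avg_seconds]
    return sorted(hits, key=lambda k: -stats[k]["calls"])


def detect(csv_text, min_calls=MIN_CALLS, max_avg_seconds=MAX_AVG_SECONDS):
    """Run both indicators and return flagged keys plus the raw per-key statistics."""
    rows = load_inbound(csv_text)
    by_upn = aggregate(rows, "UPN", "Caller ID")      # Indicator 1: targeted receivers
    by_caller = aggregate(rows, "Caller ID", "UPN")   # Indicator 2: aggressive external callers
    return {
        "targeted_users": flag(by_upn, min_calls, max_avg_seconds),
        "suspicious_callers": flag(by_caller, min_calls, max_avg_seconds),
        "by_upn": by_upn,
        "by_caller": by_caller,
    }


if __name__ == "__main__":
    result = detect(SAMPLE_CSV)
    print("targeted users:     ", result["targeted_users"])
    print("suspicious callers: ", result["suspicious_callers"])
```

Running it against the constructed export flags alice@contoso.com (five short inbound calls) and +15551230001 (eight short calls to three different users); dave's two calls are below the count threshold and their average duration is long. Raising min_calls to 6 drops alice while the caller remains flagged, which is the point of keeping both indicators: the caller-side view aggregates across victims and survives a per-user count that is individually unremarkable.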

Details


Steven Lim

Released: December 19, 2024

Tables

TeamsCallLog

Keywords

TeamsCallLog, Caller ID, Duration Seconds, UPN

Operators

|, where, ==, summarize, dcount, by
