Query Details

Brands Impersonation Phishing Trend

Query

// Brands Impersonation Phishing Trend

// Are you aware of the types of brand impersonation targeting your Entra users? Threat actors are exploiting SaaS platforms to evade detection and phish your users. I’ve developed a KQL to analyze MDO email threats and summarized the impersonation threats facing your Entra tenant. Educating your users about these threats is crucial for cyber defense. Keeping them informed about the specific threats your organization faces is vital.

// Brands to watch for in MDO threat names; edit this list to match the brands your tenant actually uses
let BrandAbuse = dynamic(["Docusign", "Sharepoint", "Norton", "Microsoft", "OneDrive", "CloudFlare", "Adobe"]);
EmailEvents
| where TimeGenerated > ago(90d)                           // 90-day look-back (in the Defender XDR Advanced Hunting portal the column is Timestamp)
| where EmailDirection == "Inbound" and ThreatNames != ""  // inbound mail that MDO tagged with at least one threat name
| where ThreatNames has_any(BrandAbuse)                    // keep rows whose threat name mentions a listed brand (whole-term, case-insensitive)
| extend IPLocation = tostring(geo_info_from_ip_address(SenderIPv4).country)  // country of the IP that connected to your tenant
| summarize Count=count() by SenderIPv4, IPLocation, ThreatNames  // one row per sender IP / country / threat name
| sort by Count desc                                       // most frequent combinations first

Explanation

This KQL (Kusto Query Language) query analyzes email threats related to brand impersonation targeting users in your organization. Here's a breakdown of what the query does:

  1. Define Target Brands: It starts by listing a set of well-known brands (Docusign, Sharepoint, Norton, Microsoft, OneDrive, CloudFlare and Adobe) that are commonly impersonated in phishing attacks. Add or remove entries so the list reflects the brands your own users expect mail from.

  2. Filter Email Events: The query looks at EmailEvents from the past 90 days, keeping only inbound emails that Microsoft Defender for Office 365 has tagged with at least one threat name (ThreatNames is not empty).

  3. Identify Impersonation Threats: has_any keeps only rows whose ThreatNames contain one of the listed brands as a whole term; the match is case-insensitive, so "microsoft" and "Microsoft" both count.

  4. Geolocate Senders: For each matching email, geo_info_from_ip_address resolves the sender's IP address to a country. Note that SenderIPv4 is the IP that connected to your tenant, so when a phish is relayed through a legitimate SaaS platform, as the intro describes, the country reflects that platform's infrastructure rather than the attacker's own location.

  5. Summarize and Sort: The query then counts the emails for each sender IP, country and threat-name combination and sorts the results so the most frequent combinations appear first.

In summary, this query helps identify and understand the trend of brand impersonation phishing attacks targeting your organization, highlighting the most common sources and types of threats. This information can be used to educate users and strengthen cyber defenses. The query is written for the EmailEvents table in Microsoft Sentinel, where the time column is TimeGenerated; when running it in the Defender XDR Advanced Hunting portal, replace TimeGenerated with Timestamp.
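The query above gives a 90-day total per sender IP and threat name, which answers "where is it coming from" but not "is it getting worse". The following KQL is an added example, not part of the original query, that builds on the same BrandAbuse list and EmailEvents table to show a week-by-week trend per impersonated brand and how many of those messages were actually delivered. It assumes the Microsoft Sentinel column names (TimeGenerated; in the Defender XDR portal use Timestamp) and the standard EmailEvents columns ThreatNames, DeliveryAction and SenderIPv4; the Week, Brand, Emails, Delivered and Senders names are chosen here for illustration.

```kusto
// Added example: weekly brand-impersonation trend per brand (not the original page's query).
// Assumes Microsoft Sentinel's EmailEvents schema; swap TimeGenerated for Timestamp in Defender XDR.
let BrandAbuse = dynamic(["Docusign", "Sharepoint", "Norton", "Microsoft", "OneDrive", "CloudFlare", "Adobe"]);
EmailEvents
| where TimeGenerated > ago(90d)
| where EmailDirection == "Inbound" and isnotempty(ThreatNames)
| where ThreatNames has_any (BrandAbuse)
// Fan each email out to every listed brand, then keep only the brand(s) its threat name actually mentions.
// An email whose ThreatNames mentions two brands produces two rows, one per brand.
| extend Brands = BrandAbuse
| mv-expand Brand = Brands to typeof(string)
| where ThreatNames has Brand
// Weekly buckets give the trend; Delivered counts messages that reached a mailbox despite the detection,
// and Senders shows how many distinct IPs were behind each brand that week.
| summarize Emails = count(),
            Delivered = countif(DeliveryAction == "Delivered"),
            Senders = dcount(SenderIPv4)
    by Week = bin(TimeGenerated, 7d), Brand
| sort by Week asc, Emails desc
```

Rows with a non-zero Delivered count are the ones worth following up with the affected users, since those are the messages that got past the filter; a brand whose Emails column climbs week over week while Senders stays small usually points to a single campaign or relay rather than broad abuse.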

Details


Steven Lim

Released: November 18, 2024

Tables

EmailEvents

Keywords

EmailEvents, ThreatNames, SenderIPv4, IPLocation

Operators

let, dynamic, |, where, >, ago, ==, !=, has_any, extend, tostring, geo_info_from_ip_address, summarize, count, by, sort, desc
