Custom Defender XDR KQL Detection For Fake Crowd Strike Email Domain Using Regex
Query
// Custom DefenderXDR KQL detection for fake CrowdStrike email domain using Regex
// https://www.linkedin.com/posts/activity-7222081026011885568-giCs/
// Configure as Detect & Purge:
EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection == "Inbound"
| where LatestDeliveryAction == "Delivered"
| where SenderFromDomain matches regex "^{a-z0-9\\-]{0,}cr[0oO]wdstr[i1l]ke[a-z0-9\\-]{0,}\\.[a-z]{1,}$"
| where SenderFromDomain !endswith "crowdstrike.com" and
SenderFromDomain !endswith "litmos.com" and
SenderFromDomain !endswith "zoom.us"
// MITRE ATT&CK Mapping
// The query primarily focuses on detecting phishing attempts, which can be mapped to the following MITRE ATT&CK techniques:
// Phishing (T1566):
// The query aims to identify phishing emails by detecting domains that mimic legitimate ones1.
// Spearphishing Link (T1566.002):
// By focusing on inbound emails with specific domain patterns, the query helps detect spearphishing attempts where attackers use lookalike domains1.
// Spearphishing Attachment (T1566.001):
// Although the query doesn’t explicitly check for attachments, it can be extended to do so, thereby detecting spearphishing emails with malicious attachments1.Explanation
This KQL query is designed to detect phishing emails that pretend to be from CrowdStrike by using fake domains. Here's a simple breakdown of what the query does:
- Data Source: It looks at email events from the last hour.
- Email Direction: It focuses on inbound emails, meaning emails coming into the organization.
- Delivery Status: It only considers emails that were successfully delivered.
- Domain Check: It uses a regular expression to find sender domains that try to imitate "crowdstrike.com" by using similar-looking characters (like replacing 'o' with '0' or 'i' with '1').
- Exclusions: It excludes emails from legitimate domains like "crowdstrike.com", "litmos.com", and "zoom.us" to avoid false positives.
The query is part of a security measure to detect phishing attempts, specifically those that use lookalike domains to trick recipients. It aligns with MITRE ATT&CK techniques for identifying phishing and spearphishing threats.
