Defending Against Dot Zip Domain Phishing Attack
Query
// Defending against dot zip domain phishing attack with Microsoft 365 Defender Advanced Hunting
// https://www.linkedin.com/pulse/defending-against-zip-domain-phishing-attack-microsoft-steven-lim/
EmailUrlInfo
| where Timestamp > ago(1h)
| where UrlDomain endswith ".zip"
| where Url contains "@"
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, ReportId
// MITRE ATT&CK Mapping
// Based on the query, the following MITRE ATT&CK techniques are relevant:
// Phishing (T1566):
// The query is designed to detect phishing attempts by identifying suspicious URLs in emails.
// Sub-technique: Spearphishing Link (T1566.002).
// Command and Control (T1071):
// The use of URLs that end with “.zip” and contain “@” could be indicative of command and control communication attempts.
// Sub-technique: Application Layer Protocol (T1071.001).
// Exfiltration Over Web Service (T1567):
// The presence of URLs in emails might indicate attempts to exfiltrate data via web services.
// Sub-technique: Exfiltration Over Web Service (T1567.002).Explanation
This query is designed to help identify potential phishing attacks using Microsoft 365 Defender's Advanced Hunting capabilities. It specifically looks for suspicious URLs in emails that could be part of a phishing attempt. Here's a simple breakdown of what the query does:
- Time Filter: It examines email data from the past hour.
- Domain Check: It focuses on URLs that end with ".zip", which is unusual for legitimate domains and could indicate a phishing attempt.
- Suspicious Character: It checks if the URL contains an "@" symbol, which is often used in phishing URLs to mislead users.
- Data Joining: It combines this URL information with email event data to get a fuller picture of the email context.
- Data Projection: It extracts and displays key information such as the timestamp, sender, recipient, email subject, the suspicious URL, and any detected threat types or actions taken on the email.
The query is mapped to specific MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:
- Phishing (T1566): The query helps detect phishing attempts by identifying suspicious URLs.
- Command and Control (T1071): The suspicious URLs might indicate attempts to establish unauthorized communication channels.
- Exfiltration Over Web Service (T1567): The presence of these URLs could also suggest attempts to send data out of the network using web services.
Overall, the query is a tool for detecting and analyzing potential phishing attacks that use ".zip" domains, helping security teams respond to threats more effectively.
Details

Steven Lim
Released: August 25, 2024
Tables
EmailUrlInfoEmailEvents
Keywords
EmailUrlNetworkMessageSenderRecipientSubjectThreatTypesReport
Operators
EmailUrlInfo|whereTimestamp>ago()UrlDomainendswith".zip"Urlcontains"@"joinEmailEventson$left.NetworkMessageId==$right.NetworkMessageIdprojectNetworkMessageIdSenderFromAddressRecipientEmailAddressSubjectThreatTypesEmailActionReportId