Query Details

Defending Against Dot Zip Domain Phishing Attack

Query

// Defending against dot zip domain phishing attack with Microsoft 365 Defender Advanced Hunting
// https://www.linkedin.com/pulse/defending-against-zip-domain-phishing-attack-microsoft-steven-lim/

EmailUrlInfo
| where Timestamp > ago(1h)
| where UrlDomain endswith ".zip"
| where Url contains "@"
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, ReportId

Explanation

This KQL (Kusto Query Language) query is designed to help defend against phishing attacks that use ".zip" domains in email URLs. Here's a simplified summary of what the query does:

  1. Data Source: It starts by looking at the EmailUrlInfo table, which contains information about URLs found in emails.
  2. Time Filter: It filters the data to include only the records from the last hour (Timestamp > ago(1h)).
  3. Domain Filter: It further filters the data to include only URLs that end with ".zip" (UrlDomain endswith ".zip").
  4. Content Filter: It checks whether the URL contains an "@" symbol (Url contains "@"). In a URL's authority section, everything before the "@" is user information, not the host, so a familiar-looking name placed before the "@" does not change the ".zip" host the browser actually connects to; this trick is often used in phishing attempts.
  5. Join Operation: It joins this filtered data with the EmailEvents table on the common field NetworkMessageId, so only URLs with a matching email event are kept and the email's sender, recipient and subject become available.
  6. Select Columns: Finally, it selects and displays specific columns: Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, and ReportId.

In essence, this query identifies potentially malicious emails containing ".zip" URLs with "@" symbols, which are common indicators of phishing attacks, and provides detailed information about these emails.
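To make the two conditions and the join concrete, here is an added Python model of the query's logic (not code from the original page or from the author), run over constructed EmailUrlInfo and EmailEvents rows; the table names and column names come from the query above, the sample domains and addresses are made up, and the one-hour time filter is omitted:

```python
from urllib.parse import urlsplit

# Constructed sample rows shaped like the EmailUrlInfo and EmailEvents tables.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "UrlDomain": "attachments-sample.zip",
     "Url": "https://intranet.example.com@attachments-sample.zip/payroll"},
    {"NetworkMessageId": "msg-2", "UrlDomain": "files.example.com",
     "Url": "https://files.example.com/archive.zip"},   # .zip file, not a .zip domain
    {"NetworkMessageId": "msg-3", "UrlDomain": "sample-host.zip",
     "Url": "https://sample-host.zip/update"},          # .zip domain, but no "@"
]
EMAIL_EVENTS = [
    {"NetworkMessageId": m, "SenderFromAddress": s, "RecipientEmailAddress": "alice@example.com",
     "Subject": subj, "ThreatTypes": "", "EmailAction": "Deliver"}
    for m, s, subj in [("msg-1", "hr@example.net", "Payroll report"),
                       ("msg-2", "it@example.com", "Archive"),
                       ("msg-3", "news@example.org", "Update")]
]
PROJECTED = ("SenderFromAddress", "RecipientEmailAddress", "Subject", "ThreatTypes", "EmailAction")


def effective_host(url: str) -> str:
    """Return the host a browser would connect to. In a URL authority, everything
    before the last "@" is userinfo (RFC 3986), so a familiar name placed there is
    decoration, not the destination."""
    return urlsplit(url).hostname or ""


def hunt_dot_zip(url_rows, event_rows):
    """Mirror the KQL: keep URLs whose domain ends with ".zip" and that contain "@",
    inner-join EmailEvents on NetworkMessageId, and project the same columns.
    KQL endswith is case-insensitive, hence the lower() call."""
    events = {e["NetworkMessageId"]: e for e in event_rows}
    hits = []
    for u in url_rows:
        if not (u["UrlDomain"].lower().endswith(".zip") and "@" in u["Url"]):
            continue
        e = events.get(u["NetworkMessageId"])
        if e is None:          # the join drops URLs with no matching email event
            continue
        row = {"NetworkMessageId": u["NetworkMessageId"], "Url": u["Url"],
               "UrlDomain": u["UrlDomain"], "EffectiveHost": effective_host(u["Url"])}
        row.update({k: e[k] for k in PROJECTED})
        hits.append(row)
    return hits


if __name__ == "__main__":
    for h in hunt_dot_zip(EMAIL_URL_INFO, EMAIL_EVENTS):
        print(h["NetworkMessageId"], h["RecipientEmailAddress"], "->", h["EffectiveHost"])
```

Only msg-1 is returned: msg-2 links to a .zip file on a normal domain and msg-3 uses a .zip domain without an "@", so the query as written requires both conditions and will not surface plain ".zip" domain links on its own.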

Details

Steven Lim

Released: August 2, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfo, EmailEvents, Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, ThreatTypes, EmailAction, ReportId

Operators

|, >, ago, endswith, contains, join, ==, project