Detect Inbound Phish With Base64 Encoded Receipient
Query
EmailEvents
| where EmailDirection == "Inbound"
and not(DeliveryLocation == "Quarantine")
| where AuthenticationDetails has_any("temperror","none","fail","softfail")
and UrlCount > 0
| extend B64 = base64_encode_tostring(RecipientEmailAddress)
| join kind=inner EmailUrlInfo on NetworkMessageId
| where Url contains B64
| project-away *1
| join kind=leftouter UrlClickEvents on NetworkMessageIdAbout this query
Detect Inbound Phish With Base64 Encoded Receipient
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1566.002 | Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |
Description
This hunting query detects inbound E-mails which have not deliverd to quarantine, which contain URL's with base 64 encoded receipients E-mail address.
References
Microsoft 365 Defender
Explanation
This query is used to detect inbound emails that have not been delivered to quarantine and contain URLs with base64 encoded recipient email addresses. It looks for emails with certain authentication details and a non-zero number of URLs. It then encodes the recipient email address in base64 and joins it with the email URL information. Finally, it checks if the URL contains the base64 encoded recipient email address and joins it with URL click events.
