Query Details

Detect Inbound Phish With Base64 Encoded Recipient

Query

# Detect Inbound Phish With Base64 Encoded Recipient

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1566.002 | Spearphishing Link | https://attack.mitre.org/techniques/T1566/002/ |

### Description

This hunting query detects inbound e-mails that were not delivered to quarantine and that contain URLs embedding the recipient's e-mail address as a base64-encoded string.

#### References

### Microsoft 365 Defender

```kql
EmailEvents
// Inbound mail that reached a mailbox rather than quarantine
| where EmailDirection == "Inbound"
    and not(DeliveryLocation == "Quarantine")
// Weak or failed sender authentication and at least one URL in the body
| where AuthenticationDetails has_any("temperror","none","fail","softfail")
    and UrlCount > 0
// Base64 form of the recipient address, as a phishing kit would embed it
| extend B64 = base64_encode_tostring(RecipientEmailAddress)
| join kind=inner EmailUrlInfo on NetworkMessageId
| where Url contains B64
| project-away *1
| join kind=leftouter UrlClickEvents on NetworkMessageId
```

Explanation

This query is used to detect inbound emails that have not been delivered to quarantine and contain URLs with base64 encoded recipient email addresses. It looks for emails with certain authentication details and a non-zero number of URLs. It then encodes the recipient email address in base64 and joins it with the email URL information. Finally, it checks if the URL contains the base64 encoded recipient email address and joins it with URL click events.
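The same detection logic re-implemented in Python over constructed sample rows, as an added example (not the original query or the author's code). It goes beyond the KQL by also matching URL-safe and unpadded base64 forms of the recipient address, and it compares case-sensitively, whereas KQL `contains` is case-insensitive; field names follow the EmailEvents and EmailUrlInfo tables, the sample values are made up.

```python
import base64
AUTH_FAIL_TERMS = ("temperror", "none", "fail", "softfail")

# Constructed sample rows shaped like EmailEvents (not real telemetry).
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "EmailDirection": "Inbound", "DeliveryLocation": "Inbox", "UrlCount": 1,
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none"}', "RecipientEmailAddress": "alice@example.com"},
    {"NetworkMessageId": "m2", "EmailDirection": "Inbound", "DeliveryLocation": "Quarantine", "UrlCount": 1,
     "AuthenticationDetails": '{"SPF":"fail"}', "RecipientEmailAddress": "bob@example.com"},
    {"NetworkMessageId": "m3", "EmailDirection": "Inbound", "DeliveryLocation": "Inbox", "UrlCount": 1,
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass"}', "RecipientEmailAddress": "carol@example.com"},
    {"NetworkMessageId": "m4", "EmailDirection": "Inbound", "DeliveryLocation": "Inbox", "UrlCount": 1,
     "AuthenticationDetails": '{"SPF":"softfail"}', "RecipientEmailAddress": "dave@example.com"},
]
# Constructed sample rows shaped like EmailUrlInfo; m4 carries an unpadded token.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "m1", "Url": "https://portal.example.net/?u=YWxpY2VAZXhhbXBsZS5jb20="},
    {"NetworkMessageId": "m2", "Url": "https://portal.example.net/?u=Ym9iQGV4YW1wbGUuY29t"},
    {"NetworkMessageId": "m3", "Url": "https://portal.example.net/?u=Y2Fyb2xAZXhhbXBsZS5jb20="},
    {"NetworkMessageId": "m4", "Url": "https://portal.example.net/#ZGF2ZUBleGFtcGxlLmNvbQ"},
]

def recipient_encodings(address):
    """Standard and URL-safe base64 of the address, padded and unpadded (the KQL checks padded standard only)."""
    raw = address.encode()
    padded = {base64.b64encode(raw).decode(), base64.urlsafe_b64encode(raw).decode()}
    return padded | {p.rstrip("=") for p in padded}

def url_encodes_recipient(url, address):
    # Case-sensitive match: base64 is case-sensitive, whereas KQL `contains` is not.
    return any(enc in url for enc in recipient_encodings(address))

def detect(events, url_info):
    """Mirror the query: filter EmailEvents, join EmailUrlInfo on NetworkMessageId, test each URL."""
    urls_by_msg = {}
    for row in url_info:
        urls_by_msg.setdefault(row["NetworkMessageId"], []).append(row["Url"])
    hits = []
    for ev in events:
        if ev["EmailDirection"] != "Inbound" or ev["DeliveryLocation"] == "Quarantine":
            continue
        # Approximates has_any(): substring match on the lower-cased auth result string.
        auth = ev["AuthenticationDetails"].lower()
        if not any(t in auth for t in AUTH_FAIL_TERMS) or ev["UrlCount"] <= 0:
            continue
        for url in urls_by_msg.get(ev["NetworkMessageId"], []):
            if url_encodes_recipient(url, ev["RecipientEmailAddress"]):
                hits.append((ev["NetworkMessageId"], ev["RecipientEmailAddress"], url))
    return hits
```

Running `detect(EMAIL_EVENTS, EMAIL_URL_INFO)` returns m1 and m4 only: m2 is excluded by its quarantine delivery and m3 by its passing authentication.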

Details


Gianni Castaldi

Released: September 1, 2023

Tables

EmailEvents, EmailUrlInfo, UrlClickEvents

Keywords

Devices, Intune, User

Operators

where, not, has_any, and, >, extend, join, contains, project-away, leftouter
