Query Details

Detect Malicious Impersonation Of Deepseek Domains In Email URLs

Query

// Detect Malicious Impersonation of Deepseek Domains in Email URLs

// Utilize this straightforward KQL tool for inbound email URL analysis to identify domains potentially impersonating Deepseek for malicious purposes. This empowers SecOps to verify domain authenticity and block threats at the tenant level.

EmailUrlInfo
| where UrlDomain has "deepseek" and UrlDomain !endswith "deepseek.com"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
| summarize Count=count() by UrlDomain
| where Count >= 3

Explanation

This KQL query is designed to help security operations teams identify potentially malicious domains that are impersonating "Deepseek" in email URLs. Here's a simple breakdown of what the query does:

  1. Filter for Deepseek-like Domains: It looks at email URLs to find domains that contain the word "deepseek" but do not end with "deepseek.com". This helps in identifying domains that might be trying to impersonate the legitimate Deepseek domain.

  2. Join with Email Events: It combines this information with email event data based on a common identifier (NetworkMessageId) to get more context about the emails.

  3. Focus on Inbound Emails: It specifically examines inbound emails that have not been blocked, indicating they were delivered to the recipient.

  4. Count Occurrences: It counts how many times each suspicious domain appears in the email data.

  5. Highlight Frequent Offenders: It only shows domains that appear at least three times, which might indicate a pattern of malicious activity.

Overall, this query helps in identifying and verifying suspicious domains that could pose a threat, allowing security teams to take action to block these threats at the organizational level.
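As an added example (not part of the original page or the author's query), the following Python models the query's pipeline over constructed sample rows standing in for EmailUrlInfo and EmailEvents: filter on the domain, join on NetworkMessageId, keep inbound and not-blocked messages, count per domain, apply the threshold. The helper names (kql_has, kql_contains, is_lookalike, suspicious_domains) and all sample rows are assumptions made for this illustration. It goes a little beyond the query as written to show two edge cases the KQL operators hide: `has` matches whole terms only, so a brand fused into one token (deepseekai.example) slips past it, and `!endswith "deepseek.com"` also discards login-deepseek.com, which is not the legitimate apex or one of its subdomains.

```python
import re
from collections import Counter

# Constructed rows standing in for the EmailUrlInfo table (made-up sample data, not real telemetry).
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "UrlDomain": "deepseek-login.com"},
    {"NetworkMessageId": "msg-2", "UrlDomain": "deepseek-login.com"},
    {"NetworkMessageId": "msg-3", "UrlDomain": "deepseek-login.com"},
    {"NetworkMessageId": "msg-4", "UrlDomain": "deepseek-login.com"},    # blocked at delivery
    {"NetworkMessageId": "msg-5", "UrlDomain": "deepseek-login.com"},    # outbound message
    {"NetworkMessageId": "msg-6", "UrlDomain": "chat.deepseek.com"},     # legitimate subdomain
    {"NetworkMessageId": "msg-7", "UrlDomain": "deepseek-support.net"},  # seen only once
    {"NetworkMessageId": "msg-8", "UrlDomain": "deepseekai.example"},    # brand fused into one token
    {"NetworkMessageId": "msg-9", "UrlDomain": "login-deepseek.com"},    # string ends with "deepseek.com"
]

# Constructed rows standing in for EmailEvents, keyed by NetworkMessageId (the join key).
EMAIL_EVENTS = {
    "msg-1": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
    "msg-2": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
    "msg-3": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Junked"},
    "msg-4": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Blocked"},
    "msg-5": {"EmailDirection": "Outbound", "LatestDeliveryAction": "Delivered"},
    "msg-6": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
    "msg-7": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
    "msg-8": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
    "msg-9": {"EmailDirection": "Inbound", "LatestDeliveryAction": "Delivered"},
}

_TOKEN = re.compile(r"[A-Za-z0-9]+")


def kql_has(value: str, term: str) -> bool:
    """Model of KQL `has`: the term must equal a whole alphanumeric token (case-insensitive)."""
    return term.lower() in (tok.lower() for tok in _TOKEN.findall(value))


def kql_contains(value: str, term: str) -> bool:
    """Model of KQL `contains`: plain case-insensitive substring match."""
    return term.lower() in value.lower()


def is_lookalike(domain, brand="deepseek", legit_apex="deepseek.com",
                 mode="has", strict_suffix=False):
    """Mirror the query's first `where`: brand present, legitimate domain excluded.

    mode="has" reproduces the page's `has "deepseek"`; mode="contains" also catches
    domains where the brand is fused into a longer token ("deepseekai").
    strict_suffix=False reproduces `!endswith "deepseek.com"`; strict_suffix=True
    treats only the apex and its subdomains as legitimate, so "login-deepseek.com" is kept.
    """
    matcher = kql_has if mode == "has" else kql_contains
    if not matcher(domain, brand):
        return False
    d = domain.lower()
    if strict_suffix:
        return not (d == legit_apex or d.endswith("." + legit_apex))
    return not d.endswith(legit_apex)


def suspicious_domains(url_rows, events, threshold=3, **filter_opts):
    """Run the whole pipeline: filter, join, inbound/not-blocked, count, threshold."""
    counts = Counter()
    for row in url_rows:
        if not is_lookalike(row["UrlDomain"], **filter_opts):
            continue
        ev = events.get(row["NetworkMessageId"])  # inner join on NetworkMessageId
        if ev is None:
            continue
        if ev["EmailDirection"] != "Inbound" or ev["LatestDeliveryAction"] == "Blocked":
            continue
        counts[row["UrlDomain"]] += 1
    return {domain: n for domain, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("as written:", suspicious_domains(EMAIL_URL_INFO, EMAIL_EVENTS))
    print("broader filter:", suspicious_domains(EMAIL_URL_INFO, EMAIL_EVENTS, threshold=1,
                                                mode="contains", strict_suffix=True))
```

With the page's semantics only deepseek-login.com survives the threshold; the blocked and outbound copies are dropped, the Junked one is still counted because only "Blocked" is excluded. One further point when tuning the original query: KQL's `join` defaults to the innerunique flavor, which keeps a single left-side row per NetworkMessageId, so a message carrying several lookalike URLs contributes one row to the count; `join kind=inner` counts every URL row.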

Details


Steven Lim

Released: January 29, 2025

Tables

EmailUrlInfo, EmailEvents

Keywords

Email, UrlDomain, NetworkMessageId, EmailDirection, LatestDeliveryAction, Count

Operators

has, !endswith, join, on, where, ==, !=, summarize, by, >=
