Query Details

Detect Spear Phishing Using Copilot For Microsoft 365

Query

// Detect Spear Phishing using Copilot for Microsoft 365
// Linkedin Post: https://www.linkedin.com/posts/0x534c_phishing-is-dead-long-live-spear-phishing-activity-7228358230286950400-j0C_/

//At #BHUSA, Zenity Labs CTO Michael Bargury showed how a compromised Copilot user account can be leveraged for spear phishing: the attacker uses Copilot to profile the victim's own mailbox and contacts and then sends tailored lures from the compromised account. For the detailed attack steps, refer to the article "Phishing is Dead, Long Live Spear Phishing."

//The following Microsoft Defender XDR custom detection KQL uses the Microsoft Defender for Cloud Apps (MDCA) User and Entity Behavior Analytics (UEBA) insights surfaced in CloudAppEvents to find Copilot "bizchat" (user prompting) sessions that come from an ISP or country that is unusual for the user, and correlates them with outbound email recorded by Microsoft Defender for Office 365 (MDO) in EmailEvents. The goal is to catch the abused-Copilot spear phishing scenario described in the article and, through the custom detection rule's response action, quarantine the matching messages immediately. After SecOps validation, messages that turn out to be legitimate can be released from quarantine.

let UncommonCopilotPromptUpn =
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Copilot for Microsoft 365"
| where ActionType == @"CopilotInteraction"
// RawEventData carries the unified audit log payload; UserId is the prompting user's UPN
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
// AppHost identifies the Copilot surface; "bizchat" is the stand-alone Copilot chat experience
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| where CopilotAppHost == "bizchat"
// UncommonForUser holds the MDCA UEBA insights for the event: keep sessions whose ISP or country is unusual for this user
| where UncommonForUser has "ISP" or UncommonForUser has "CountryCode"
| distinct UserID;
EmailEvents
// Bound the email side to the same 1-hour window as the Copilot lookup so the correlation stays within the session
| where Timestamp > ago(1h)
| where SenderFromAddress has_any (UncommonCopilotPromptUpn)
| where EmailDirection == "Outbound"
// Spear phishing lures carry their payload as an attachment or a link
| where AttachmentCount > 0 or UrlCount > 0

// Reference Link:
// https://labs.zenity.io/p/phishing-dead-long-live-spear-phishing

Explanation

This query is designed to detect potential spear phishing attacks launched from a compromised account that is abusing Microsoft Copilot for Microsoft 365. Here's a simplified summary:

  1. Objective: Identify unusual user interactions with Microsoft Copilot and correlate them with suspicious email activities to detect and quarantine potential spear phishing emails.

  2. Steps:

    • Identify Unusual Copilot Interactions:
      • Look at CloudAppEvents from the last hour where the application is Microsoft Copilot for Microsoft 365 and the action is a Copilot interaction.
      • Focus on interactions whose AppHost is "bizchat", i.e. the stand-alone Copilot chat where a user types prompts.
      • Keep only events that MDCA UEBA has flagged (UncommonForUser) as coming from an Internet Service Provider (ISP) or country code that is unusual for that user.
      • Collect the distinct user IDs (UPNs) from these interactions.
    • Correlate with Email Activities:
      • Check EmailEvents in the same window where the sender's address matches any of the identified unusual Copilot users.
      • Focus on outbound emails that contain attachments or URLs, since that is how a spear phishing lure carries its payload.
  3. Outcome: The query returns the matching outbound messages. When it runs as a custom detection rule with a quarantine response action, those messages are quarantined immediately; Security Operations (SecOps) can then review them and, if deemed safe, release them from quarantine.

This approach leverages Microsoft Defender for Cloud Apps (the UEBA insights) and Microsoft Defender for Office 365 (the email telemetry and quarantine action) to detect and contain spear phishing attempts staged with Copilot.
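The following is an added example, not part of the original query or of Zenity's research, showing how the same correlation can be shaped into a form a Defender XDR custom detection rule can act on with email response actions. It bounds both tables to one window, joins on a case-normalised sender address instead of a has_any term match, keeps only mail sent after the anomalous Copilot session began, carries the UEBA indicators through as analyst context, and projects the columns (Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress) that a custom detection with email actions is expected to return. The one-hour window, the application and action names, the "bizchat" AppHost and the "ISP"/"CountryCode" indicator values are taken from the page; the column semantics are assumed to behave as documented for advanced hunting and should be confirmed in your tenant.

```kql
// Added example: correlate anomalous Copilot "bizchat" sessions with outbound email
// in a form that a Defender XDR custom detection rule can act on (quarantine).
let LookbackWindow = 1h;   // assumption: rule frequency matches this window
let UncommonCopilotSessions =
    CloudAppEvents
    | where Timestamp > ago(LookbackWindow)
    | where Application == @"Microsoft Copilot for Microsoft 365"
    | where ActionType == @"CopilotInteraction"
    | extend CopilotData = todynamic(RawEventData.CopilotEventData)
    | where tostring(CopilotData.AppHost) == "bizchat"
    // MDCA UEBA insight: the session source is unusual for this user
    | where UncommonForUser has_any ("ISP", "CountryCode")
    // Normalise case so the join against SenderFromAddress is exact
    | extend UserUpn = tolower(tostring(RawEventData.UserId))
    | summarize
        FirstUncommonPrompt = min(Timestamp),
        PromptCount = count(),
        UncommonIndicators = make_set(tostring(UncommonForUser))
      by UserUpn;
EmailEvents
| where Timestamp > ago(LookbackWindow)
| where EmailDirection == "Outbound"
| where AttachmentCount > 0 or UrlCount > 0
| extend UserUpn = tolower(SenderFromAddress)
| join kind=inner (UncommonCopilotSessions) on UserUpn
// Only mail sent after the anomalous session began can have been staged with Copilot
| where Timestamp >= FirstUncommonPrompt
// Columns a custom detection with email actions needs: Timestamp, ReportId,
// NetworkMessageId and RecipientEmailAddress; the rest is context for the analyst
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, AttachmentCount, UrlCount,
          FirstUncommonPrompt, PromptCount, UncommonIndicators
```

When saving this as a custom detection rule, set the run frequency to match LookbackWindow and choose the email quarantine response action; each returned row is one recipient copy of a message, so a lure sent to ten people produces ten rows and ten quarantine actions. The Timestamp >= FirstUncommonPrompt filter cuts false positives from routine mail sent earlier in the window, at the cost of missing a message queued a few minutes before the first flagged prompt, so widen the window or drop that line if your UEBA baseline lags.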

Details


Steven Lim

Released: August 11, 2024

Tables

CloudAppEvents, EmailEvents

Keywords

Devices, Intune, User

Operators

let, |, where, >, ==, extend, tostring, todynamic, has, or, distinct, has_any
