Detect Spear Phishing Using Copilot For Microsoft 365
Query
// Detect Spear Phishing using Copilot for Microsoft 365
// Linkedin Post: https://www.linkedin.com/posts/0x534c_phishing-is-dead-long-live-spear-phishing-activity-7228358230286950400-j0C_/
//At #BHUSA, Zenity Labs CTO Michael Bargury showcased how a compromised Copilot user account can be leveraged for spear phishing attacks using the user’s profiling data. For detailed steps on conducting these attacks, refer to the article “Phishing is Dead, Long Live Spear Phishing.”
//The following DefenderXDR custom detection KQL utilizes Microsoft Defender Cloud Apps (MDCA) User Entity and Behavior Analytics (UEBA) capabilities to detect unusual Copilot bizchat (user prompting) sessions and correlate them with Microsoft Defender for Office 365 (MDO) email sending activities. This approach aims to identify the abused Copilot spear phishing scenario mentioned in the article and immediately quarantine the email messages. After validation by SecOps, if deemed safe, SecOps can release the emails from quarantine.
// ** VERSION 1 **
let UncommonCopilotPromptUpn =
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft Copilot for Microsoft 365"
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| where CopilotAppHost == "bizchat"
| where UncommonForUser has "ISP" or UncommonForUser has "CountryCode"
| distinct UserID;
EmailEvents
| where SenderFromAddress has_any (UncommonCopilotPromptUpn)
| where EmailDirection == "Outbound"
| where AttachmentCount > 0 or UrlCount > 0
// ** Version 2 - Improve detection on PowerPwn **
let UncommonCopilotPromptUpn =
CloudAppEvents
| where Application == @"Microsoft Copilot for Microsoft 365"
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| where CopilotAppHost == "bizchat"
| where UncommonForUser has "ISP" or UncommonForUser has "CountryCode"
| distinct UserID;
let PowerPwnUpn =
AADSignInEventsBeta
| where AccountUpn has_any (UncommonCopilotPromptUpn)
| where ResourceDisplayName == "Office 365 Exchange Online"
| where UserAgent contains "python"
| distinct AccountUpn;
EmailEvents
| where SenderFromAddress has_any (PowerPwnUpn)
| where EmailDirection == "Outbound"
| where AttachmentCount > 0 or UrlCount > 0
// Reference Link:
// https://labs.zenity.io/p/phishing-dead-long-live-spear-phishing
// MITRE ATT&CK Mapping
// Initial Access:
// Technique T1078: Valid Accounts: The query looks for unusual user accounts interacting with Microsoft Copilot, which could indicate compromised accounts being used for initial access1.
// Execution:
// Technique T1059: Command and Scripting Interpreter: The use of python in the UserAgent field suggests script-based execution2.
// Persistence:
// Technique T1078: Valid Accounts: Continued use of valid accounts for maintaining access1.
// Defense Evasion:
// Technique T1078: Valid Accounts: Using legitimate credentials to avoid detection1.
// Credential Access:
// Technique T1078: Valid Accounts: Accessing accounts to gather credentials1.
// Discovery:
// Technique T1083: File and Directory Discovery: The query checks for outbound emails with attachments or URLs, which could be part of data discovery and exfiltration3.
// Exfiltration:
// Technique T1041: Exfiltration Over C2 Channel: Outbound emails with attachments or URLs could indicate data exfiltration3.Explanation
This query is designed to detect potential spear phishing attacks that exploit Microsoft Copilot for Microsoft 365. It uses Microsoft Defender Cloud Apps (MDCA) and Microsoft Defender for Office 365 (MDO) to identify unusual user interactions with Copilot and correlate them with suspicious email activities. Here's a simplified breakdown:
-
Detection of Unusual Copilot Activity:
- The query looks for users interacting with Microsoft Copilot's "bizchat" feature in an unusual way, such as accessing from uncommon internet service providers (ISPs) or countries.
-
Email Correlation:
- It checks if these users are sending outbound emails with attachments or URLs, which could be indicative of spear phishing attempts.
-
Enhanced Detection with PowerPwn:
- The second version of the query improves detection by also looking for signs of automated script usage (e.g., Python) in Office 365 Exchange Online, which could suggest a more sophisticated attack.
-
Immediate Action:
- If such suspicious activities are detected, the emails are quarantined for further investigation by security operations (SecOps) teams.
-
Security Framework Mapping:
- The query aligns with several MITRE ATT&CK techniques, indicating it looks for signs of compromised accounts, script-based execution, data discovery, and potential data exfiltration.
Overall, this query helps in identifying and mitigating spear phishing attacks by monitoring unusual user behavior and email activities associated with Microsoft Copilot.
Details

Steven Lim
Released: August 25, 2024
Tables
CloudAppEventsEmailEventsAADSignInEventsBeta
Keywords
CloudAppEventsMicrosoftCopilotUserIDCopilotDataCopilotAppHostUncommonForUserEmailEventsSenderFromAddressEmailDirectionAttachmentCountUrlCountAADSignInEventsBetaAccountUpnResourceDisplayNameUserAgent
Operators
letCloudAppEventswhereTimestampagoApplicationActionTypeextendtostringRawEventDatatodynamicCopilotEventDataCopilotAppHostUncommonForUserhasordistinctEmailEventsSenderFromAddresshas_anyEmailDirectionAttachmentCountUrlCountAADSignInEventsBetaAccountUpnResourceDisplayNamecontains