Detect Threat Actor Abuse Cloud Flare Tunnels To Deliver RATS
Query
// Detect threat actor abuse CloudFlare tunnels to deliver RATS
// https://www.linkedin.com/posts/activity-7225744862875152384-whO8/
UrlClickEvents
| where Timestamp > ago(30d)
| extend domain = tostring(parse_url(Url).Host)
| where domain endswith ".trycloudflare.com"
| join EmailEvents on NetworkMessageId
| project Timestamp, Url, RecipientEmailAddress, SenderMailFromAddress, SenderFromAddress, Subject, AttachmentCount, UrlCount
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1071.001 - Application Layer Protocol: Web Protocols:
// The query is analyzing URL click events, which involves web protocols.
// T1566.002 - Phishing: Spearphishing Link:
// The query filters for specific domains and joins with email events, indicating an investigation into potential phishing attempts via malicious links.
// T1071.003 - Application Layer Protocol: Email Protocols:
// The join with EmailEvents suggests the use of email protocols to identify malicious activities.
// T1204.001 - User Execution: Malicious Link:
// The focus on URL clicks and specific domains indicates detection of user execution of potentially malicious links.Explanation
This query is designed to detect potential malicious activities involving the use of CloudFlare tunnels to deliver Remote Access Trojans (RATs). Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at URL click events from the past 30 days.
-
Domain Filtering: It extracts the domain from each URL and filters for those ending with ".trycloudflare.com", which could indicate the use of CloudFlare tunnels.
-
Email Correlation: It joins these filtered URL events with email events using a common identifier (NetworkMessageId). This helps in correlating the URLs with specific email activities.
-
Data Projection: The query then selects specific fields to display, such as the timestamp of the event, the URL clicked, email addresses involved, the subject of the email, and counts of attachments and URLs.
-
Security Context: The query is mapped to several MITRE ATT&CK techniques, indicating that it is part of a security investigation:
- T1071.001: It involves analyzing web protocols.
- T1566.002: It looks for phishing attempts through spearphishing links.
- T1071.003: It involves email protocols to identify malicious activities.
- T1204.001: It focuses on detecting user execution of potentially malicious links.
In summary, this query is used to identify and investigate potential phishing attacks that use CloudFlare tunnels to deliver malicious content via email.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators