Query Details

Detecting Phishing Emails With Cloudflare R2 URLs

Query

// Detecting Phishing Emails with Cloudflare R2 URLs ☁️🧨
// https://medium.com/trac-labs/aitm-phishing-hold-the-gabagool-analyzing-the-gabagool-phishing-kit-531f5bbaf0e4
// The TRAC Labs team has uncovered a phishing campaign called "Gabagool" that targets corporate and government employees. This campaign leverages Cloudflare R2 buckets to host malicious content and uses compromised email accounts to distribute phishing emails. These emails contain links that lead to credential harvesting pages. The phishing kit employs various evasion techniques, including bot detection and obfuscated JavaScript. (The TRAC Labs case study link can be found in the comments section.)

// I have created two threat hunting KQLs to identify the following:

// Microsoft Defender for Office KQL - Malicious Cloudflare R2 URLs not blocked

let MaliciousDomainTable=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/romainmarcoux/malicious-domains/main/full-domains-aa.txt']
| parse RawData with MaliciousDomain:string;
EmailUrlInfo
| where TimeGenerated > ago(90d)
| where Url matches regex "pub-[0-9a-fA-F]{32}\\.r2\\.dev\\/[a-zA-Z0-9_-]+\\.html"
| join MaliciousDomainTable on $left.UrlDomain == $right.MaliciousDomain
| join EmailEvents on NetworkMessageId
| where DeliveryAction != "Blocked"

// Microsoft Defender for Endpoint KQL - Malicious Cloudflare R2 Outbound Connection

let MaliciousDomainTable=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/romainmarcoux/malicious-domains/main/full-domains-aa.txt']
| parse RawData with MaliciousDomain:string;
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where ActionType == @"HttpConnectionInspected"
| extend Host = tostring(parse_json(AdditionalFields)["host"])        // parse needs a string, not a dynamic value
| parse Host with R2Host ":" Port                                    // split "host:port" into the R2 host name and port
| extend Direction = tostring(parse_json(AdditionalFields)["direction"])
| where Direction == "Out" and Host has ".r2.dev"
| join MaliciousDomainTable on $left.R2Host == $right.MaliciousDomain

Explanation

This query is designed to detect phishing activities involving Cloudflare R2 URLs. It consists of two parts, each using KQL (Kusto Query Language) to identify potential threats in different Microsoft security products.

  1. Microsoft Defender for Office KQL - Malicious Cloudflare R2 URLs not blocked:

    • This part of the query looks for phishing emails that have been delivered to users without being blocked.
    • It checks emails from the last 90 days that contain URLs matching a specific pattern associated with Cloudflare R2.
    • It cross-references these URLs with a list of known malicious domains.
    • If a match is found and the email was not blocked, it flags it as a potential threat.
  2. Microsoft Defender for Endpoint KQL - Malicious Cloudflare R2 Outbound Connection:

    • This part focuses on detecting outbound network connections to malicious Cloudflare R2 domains.
    • It examines network events from the last 90 days where HTTP connections were inspected.
    • It identifies connections directed outward to hosts with ".r2.dev" in their domain.
    • It then checks these hosts against the same list of known malicious domains.
    • If a match is found, it indicates a possible malicious outbound connection.

Overall, these queries help identify phishing campaigns that use Cloudflare R2 to host malicious content and distribute phishing emails, allowing organizations to take action against these threats.
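As an added illustration, not part of the original queries, the same two detections are re-implemented below in Python over constructed sample rows, so the R2 URL regex, the UrlDomain join and the host:port split can be checked offline. The blocklist contents, URLs and host values are all made up; the `pub-...` bucket names are placeholders.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the Defender for Office query; KQL "matches regex" is
# unanchored, so re.search() is the equivalent here.
R2_URL_RE = re.compile(r"pub-[0-9a-fA-F]{32}\.r2\.dev/[a-zA-Z0-9_-]+\.html")

# Constructed stand-in for the externaldata() blocklist feed.
MALICIOUS_DOMAINS = {"pub-0123456789abcdef0123456789abcdef.r2.dev"}

# Constructed rows shaped like EmailUrlInfo joined to EmailEvents: (Url, DeliveryAction).
EMAIL_ROWS = [
    ("https://pub-0123456789abcdef0123456789abcdef.r2.dev/invoice.html", "Delivered"),
    ("https://pub-0123456789abcdef0123456789abcdef.r2.dev/invoice.html", "Blocked"),
    ("https://pub-ffffffffffffffffffffffffffffffff.r2.dev/login.html", "Delivered"),  # not on list
    # Regex matches inside the path, but UrlDomain is example.com, so the join drops it.
    ("https://example.com/pub-0123456789abcdef0123456789abcdef.r2.dev/x.html", "Delivered"),
]

# Constructed rows shaped like HttpConnectionInspected AdditionalFields: (direction, host).
NET_ROWS = [
    ("Out", "pub-0123456789abcdef0123456789abcdef.r2.dev:443"),
    ("Out", "pub-0123456789abcdef0123456789abcdef.r2.dev"),  # no port in the Host value
    ("In", "pub-0123456789abcdef0123456789abcdef.r2.dev:443"),
    ("Out", "pub-ffffffffffffffffffffffffffffffff.r2.dev:443"),  # not on list
]


def unblocked_r2_phish(rows):
    """Mirror of the first query: regex on Url, UrlDomain joined to the
    blocklist, and only rows whose DeliveryAction is not 'Blocked'."""
    hits = []
    for url, action in rows:
        if not R2_URL_RE.search(url):
            continue
        url_domain = urlsplit(url).hostname or ""
        if url_domain in MALICIOUS_DOMAINS and action != "Blocked":
            hits.append(url)
    return hits


def malicious_r2_outbound(rows):
    """Mirror of the second query. The KQL 'parse Host with R2Host ":" Port'
    only yields R2Host when a ':' is present; this version strips the port
    only when it exists, so a bare host name is still checked."""
    hits = []
    for direction, host in rows:
        r2_host = host.rsplit(":", 1)[0]
        if direction == "Out" and r2_host.endswith(".r2.dev") and r2_host in MALICIOUS_DOMAINS:
            hits.append(host)
    return hits
```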

Details


Steven Lim

Released: November 22, 2024

Tables

EmailUrlInfo, EmailEvents, DeviceNetworkEvents

Keywords

EmailUrlInfo, EmailEvents, DeviceNetworkEvents, MaliciousDomain

Operators

let, externaldata, parse, where, matches regex, join, on, extend, parse_json, has
