Query Details

Direct Send Abuse Detection

Query

// https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/
// Every Exchange Online tenant has an inbound MX / smart host named
// <tenant-domain-with-dots-replaced-by-dashes>.mail.protection.outlook.com,
// e.g. contoso-com.mail.protection.outlook.com for contoso.com.
// Direct Send delivers mail to that host without authentication, so an endpoint
// resolving it is a device talking (or trying to talk) to the smart host directly.

DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "DnsQueryResponse"
| extend QueryName = tolower(tostring(parse_json(AdditionalFields)["DnsQueryString"]))
// Note: "-com" only matches tenants whose domain ends in .com; use
// endswith ".mail.protection.outlook.com" to cover other TLDs (e.g. contoso-co-uk).
| where QueryName endswith "-com.mail.protection.outlook.com"

Explanation

This query looks for devices that have resolved a Microsoft 365 tenant's Exchange Online smart host, the endpoint that Direct Send abuse targets. Here's a simple breakdown of what it does:

  1. Data Source: It looks at DeviceEvents, the Defender for Endpoint table that records various actions and events occurring on onboarded devices.

  2. Time Filter: It only considers events that happened within the last hour (Timestamp > ago(1h)).

  3. Action Type: It specifically focuses on events where the action type is DnsQueryResponse, i.e. responses to DNS queries (requests to translate domain names into IP addresses) observed on the device.

  4. Extracting DNS Query: It extracts the DNS query string (DnsQueryString) from the AdditionalFields JSON in the event, converts it to lowercase so the comparison is case-insensitive, and assigns it to a new field called QueryName.

  5. Domain Filter: Finally, it keeps only queries that end with -com.mail.protection.outlook.com. Every Exchange Online tenant has an inbound MX / smart host of the form <tenant-domain-with-dashes>.mail.protection.outlook.com (for example contoso-com.mail.protection.outlook.com for contoso.com). Direct Send lets a device deliver mail to that host without authenticating, and the abuse described in the linked article sends spoofed "internal" phishing straight to it. A workstation resolving that name is therefore a device that is about to, or trying to, talk to the tenant's smart host directly, which an ordinary end-user machine has no reason to do.

In summary, this query surfaces endpoints that resolved the tenant's Exchange Online smart host in the last hour, which is a strong hint that a device is using, testing, or abusing Direct Send. Three caveats when tuning it: the -com suffix only matches tenants whose domain ends in .com (contoso-co-uk.mail.protection.outlook.com would be missed; broaden the filter to .mail.protection.outlook.com if needed); legitimate multifunction printers, scanners and line-of-business applications also use Direct Send, so baseline those hosts and exclude them; and the query only sees devices onboarded to Defender for Endpoint, so mail sent to the smart host from external attacker infrastructure will not appear here and needs mail-flow telemetry instead.
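The same detection logic, as an added example (not part of the original query page), run offline over constructed DeviceEvents-style records so the filtering steps can be checked without a Defender tenant. It generalises the page's filter in two ways the caveats above call for: an optional switch to match any <tenant-label>.mail.protection.outlook.com host rather than only "-com" ones, and an allow-list of known Direct Send devices. The device names, timestamps and AdditionalFields payloads are made up for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Suffix shared by every Exchange Online inbound smart host.
MX_SUFFIX = ".mail.protection.outlook.com"

# Reference "now" for the 1h window; the real query uses ago(1h) against wall-clock time.
NOW = datetime(2025, 6, 26, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows shaped like DeviceEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2025-06-26T11:30:00+00:00", "DeviceName": "ws-finance-01",
     "ActionType": "DnsQueryResponse",
     "AdditionalFields": json.dumps({"DnsQueryString": "Contoso-COM.mail.protection.outlook.com"})},
    {"Timestamp": "2025-06-26T11:45:00+00:00", "DeviceName": "mfp-printer-02",
     "ActionType": "DnsQueryResponse",
     "AdditionalFields": json.dumps({"DnsQueryString": "contoso-com.mail.protection.outlook.com"})},
    # Non-.com tenant domain: missed by the page's "-com" filter, caught when com_only=False.
    {"Timestamp": "2025-06-26T11:50:00+00:00", "DeviceName": "ws-hr-07",
     "ActionType": "DnsQueryResponse",
     "AdditionalFields": json.dumps({"DnsQueryString": "contoso-co-uk.mail.protection.outlook.com"})},
    # Outside the 1h window.
    {"Timestamp": "2025-06-26T08:00:00+00:00", "DeviceName": "ws-dev-03",
     "ActionType": "DnsQueryResponse",
     "AdditionalFields": json.dumps({"DnsQueryString": "contoso-com.mail.protection.outlook.com"})},
    # Wrong ActionType.
    {"Timestamp": "2025-06-26T11:55:00+00:00", "DeviceName": "ws-dev-03",
     "ActionType": "ConnectionSuccess", "AdditionalFields": "{}"},
    # Ordinary Outlook traffic, not the smart host.
    {"Timestamp": "2025-06-26T11:58:00+00:00", "DeviceName": "ws-sales-05",
     "ActionType": "DnsQueryResponse",
     "AdditionalFields": json.dumps({"DnsQueryString": "outlook.office365.com"})},
    # Malformed AdditionalFields must not crash the detection.
    {"Timestamp": "2025-06-26T11:59:00+00:00", "DeviceName": "ws-ops-09",
     "ActionType": "DnsQueryResponse", "AdditionalFields": "not json"},
]


def parse_additional_fields(raw):
    """Equivalent of parse_json(AdditionalFields); returns None on bad input."""
    try:
        fields = json.loads(raw)
    except (TypeError, ValueError):
        return None
    return fields if isinstance(fields, dict) else None


def matches_smart_host(qname, com_only=True):
    """True if qname (already lowercased) is an Exchange Online smart host.

    com_only=True reproduces the page's endswith "-com.mail.protection.outlook.com";
    com_only=False accepts any single tenant label in front of the suffix.
    """
    if com_only:
        return qname.endswith("-com" + MX_SUFFIX)
    if not qname.endswith(MX_SUFFIX):
        return False
    label = qname[: -len(MX_SUFFIX)]
    return bool(label) and "." not in label


def find_direct_send_candidates(events, now=NOW, window=timedelta(hours=1),
                                com_only=True, known_relays=frozenset()):
    """Return devices that resolved the tenant smart host inside the window.

    known_relays is an allow-list of hostnames (printers, LOB servers) that are
    expected to use Direct Send and should be baselined out of the results.
    """
    cutoff = now - window
    hits = []
    for ev in events:
        if ev.get("ActionType") != "DnsQueryResponse":
            continue
        if datetime.fromisoformat(ev["Timestamp"]) <= cutoff:
            continue
        fields = parse_additional_fields(ev.get("AdditionalFields"))
        if fields is None:
            continue
        qname = str(fields.get("DnsQueryString", "")).lower()
        if not matches_smart_host(qname, com_only):
            continue
        if ev.get("DeviceName") in known_relays:
            continue
        hits.append({
            "DeviceName": ev.get("DeviceName"),
            "QueryName": qname,
            "TenantLabel": qname[: -len(MX_SUFFIX)],  # e.g. "contoso-com"
        })
    return hits


if __name__ == "__main__":
    for hit in find_direct_send_candidates(SAMPLE_EVENTS, com_only=False,
                                           known_relays=frozenset({"mfp-printer-02"})):
        print(hit)
```

With the page's exact filter (com_only=True) the sample yields ws-finance-01 and the printer; with the broadened suffix and the printer allow-listed, the non-.com tenant host resolved by ws-hr-07 appears instead of the expected relay.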

Details

Steven Lim

Released: June 26, 2025

Tables

DeviceEvents

Keywords

DeviceEvents, Timestamp, ActionType, AdditionalFields, QueryName

Operators

DeviceEvents, where, Timestamp, ago, ActionType, ==, extend, QueryName, tolower, tostring, parse_json, AdditionalFields, endswith