Query Details
// By leveraging Defender threat intelligence data to first identify abused Proofpoint email gateways, and correlating this with emails from those gateways that have passed authentication checks (SPF/DKIM/DMARC), you can quickly spot abnormal inbound email counts from legitimate non-business-partner domains (e.g. disney.com) by reviewing the email statistics.
let HighRiskProofpointEmailGateways = CloudAppEvents
| where ActionType == @"TIMailData-Inline"
| where RawEventData has "pphosted.com" or ISP == @"proofpoint inc."
| extend SenderIP = tostring(RawEventData.SenderIp)
| distinct SenderIP;
EmailEvents
| where SenderIPv4 has_any(HighRiskProofpointEmailGateways)
| extend SenderInfo = geo_info_from_ip_address(SenderIPv4)
| extend AuthDetail = parse_json(AuthenticationDetails)
| where AuthDetail.SPF == "pass" and AuthDetail.DKIM == "pass" and AuthDetail.DMARC == "pass"
| summarize Count = count() by SenderFromDomain
| sort by Count desc
// https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6
This query identifies and analyzes potentially suspicious inbound email relayed through Proofpoint email gateways. Here is a simplified breakdown:
Identify High-Risk Proofpoint Gateways: From CloudAppEvents, take the Defender Threat Intelligence mail events (ActionType "TIMailData-Inline") whose raw event data references pphosted.com or whose ISP is Proofpoint, extract the sender IP from RawEventData.SenderIp, and keep the distinct IPs. These are Proofpoint gateways that threat intelligence has already seen delivering abuse.
Analyze Emails from Identified Gateways: In EmailEvents, keep messages whose SenderIPv4 matches one of those gateway IPs, parse AuthenticationDetails, and keep only messages where SPF, DKIM and DMARC all passed. This is the signature of the EchoSpoofing campaign described in the linked Guardio write-up: mail relayed through an abused Proofpoint tenant authenticates as the spoofed brand, so authentication results alone will not flag it. The surviving messages are then counted per SenderFromDomain and sorted by volume.
Purpose: By doing this, you can quickly spot unusual volumes of authenticated inbound email from domains that are not recognized as business partners, helping to identify phishing that rides on a legitimate brand's mail infrastructure.
Example: If a domain like disney.com shows an abnormal number of authenticated emails arriving through these gateways, it should be flagged for further investigation.
Notes: The SenderInfo column from geo_info_from_ip_address is computed but not used in the final summarize; keep it if you want the sender's geolocation in the output, otherwise it can be dropped. "has_any" on SenderIPv4 does term matching on the IP string; "in (HighRiskProofpointEmailGateways)" gives an exact match and is the safer choice. What counts as "abnormal" is left to the analyst reviewing the counts; the query has no baseline of its own.
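The following is an added example, not the author's query above, showing how the same two-stage correlation can be tightened for scheduled use: exact IP matching, an inbound-only filter, an allow-list of the organisation's own and partner domains, and a numeric baseline so "abnormal" becomes a ratio instead of a judgement call. The allow-list contents (contoso.com, fabrikam.com), the 30-day/7-day windows and the thresholds (at least 10 recent messages and a 3x rise over the baseline daily average) are assumptions to be tuned per tenant; the table and column names are the standard Defender XDR advanced hunting schema.

```kql
// Added example (not the page's original query). Assumed values are marked.
let Lookback = 30d;          // assumed total window
let Recent   = 7d;           // assumed "current" window compared against the rest
let BaselineDays = (Lookback - Recent) / 1d;   // 23.0 days of baseline
// Hypothetical allow-list: replace with your own and your partners' domains.
let KnownPartnerDomains = datatable(Domain:string) ["contoso.com", "fabrikam.com"];
// Stage 1: Proofpoint gateway IPs that Defender TI has seen relaying abuse.
let HighRiskProofpointEmailGateways =
    CloudAppEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == @"TIMailData-Inline"
    | where RawEventData has "pphosted.com" or ISP == @"proofpoint inc."
    | extend SenderIP = tostring(RawEventData.SenderIp)
    | where isnotempty(SenderIP)
    | distinct SenderIP;
// Stage 2: fully authenticated inbound mail from those IPs, minus domains we expect.
let AuthenticatedFromRiskyGateways =
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
    | where SenderIPv4 in (HighRiskProofpointEmailGateways)   // exact match, not term match
    | extend AuthDetail = parse_json(AuthenticationDetails)
    | where AuthDetail.SPF == "pass" and AuthDetail.DKIM == "pass" and AuthDetail.DMARC == "pass"
    | where SenderFromDomain !in~ (KnownPartnerDomains);
// Stage 3: compare the last 7 days against the daily average of the preceding 23.
AuthenticatedFromRiskyGateways
| summarize
    RecentCount   = countif(Timestamp > ago(Recent)),
    BaselineCount = countif(Timestamp <= ago(Recent)),
    Recipients    = dcount(RecipientEmailAddress),
    SampleSubject = take_any(Subject)
    by SenderFromDomain
| extend RecentDailyAvg   = RecentCount / (Recent / 1d),
         BaselineDailyAvg = BaselineCount / BaselineDays
| extend Ratio = iff(BaselineDailyAvg == 0, double(null), RecentDailyAvg / BaselineDailyAvg)
// A domain never seen before (null ratio) is at least as interesting as a spike.
| where RecentCount >= 10 and (isnull(Ratio) or Ratio >= 3.0)   // assumed thresholds
| project SenderFromDomain, RecentCount, BaselineCount, RecentDailyAvg, BaselineDailyAvg, Ratio, Recipients, SampleSubject
| sort by RecentCount desc
```

Recipients and SampleSubject are there for triage: a spike from one brand to hundreds of distinct mailboxes with a single payment-themed subject is the EchoSpoofing pattern, whereas a spike to a handful of recipients with varied subjects is more often a real business relationship that simply got busier.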

Steven Lim
Released: August 2, 2024