Query Details
# Typosquatted Email Received

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |

#### Description

Adversaries may register typosquatted domains that mimic your own domains. This detection identifies inbound email sent from such look-alike sender domains and alerts on the matching entries. You can configure the thresholds yourself with *TypoSquatMin* and *TypoSquatMax*; these values represent the share of Unicode code points (the Jaccard index) that the sender domain has in common with your domain.

#### Risk

An actor typosquats your domain to phish employees.

## Defender XDR

```KQL
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // If set to 1.0 it equals the domain.
let YourDomain = "yourdomain.com"; // Placeholder: replace with the domain you want to protect.
let UnicodeDomain = unicode_codepoints_from_string(tolower(YourDomain));
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder Timestamp, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```

## Sentinel

```KQL
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // If set to 1.0 it equals the domain.
let YourDomain = "yourdomain.com"; // Placeholder: replace with the domain you want to protect.
let UnicodeDomain = unicode_codepoints_from_string(tolower(YourDomain));
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder TimeGenerated, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```

#### Versions

| Version | Comment |
| --- | --- |
| 1.0 | Initial commit |
The query is designed to detect and alert on emails received from typosquatted domains, which are domains that closely mimic legitimate domains by having slight variations, often used in phishing attacks.
Thresholds:
- TypoSquatMin is set to 0.75.
- TypoSquatMax is set to 0.99 (1.0 would mean an exact match to the domain).

Process: the sender domain of each inbound email is scored against your domain, and only emails whose score falls between the two thresholds (TypoSquatMin and TypoSquatMax) are kept.

Output: TimeGenerated (Timestamp in Defender XDR), SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress and Subject.

The query is implemented in both Defender XDR and Sentinel using KQL (Kusto Query Language).
This query helps identify emails from domains that look very similar to your legitimate domains, which could be used in phishing attacks. It checks how closely the sender's domain matches your domain and flags those that are close but not exact matches, helping to catch potential typosquatted phishing attempts.

Bert-Jan Pals
Released: September 24, 2024