Query Details

Email Campaign Exploiting SVG Files and trycloudflare.com to Spread Malware

Query

// Email Campaign: Exploiting SVG Files and trycloudflare.com to Spread Malware

// According to a Deutsche Telekom CERT advisory (link in the comments), an email campaign has been detected that delivers malware by exploiting SVG files and trycloudflare.com.
// 1. The attack begins with an email 📧 containing an SVG file. When opened, this file drops an HTML file that displays a spoofed PDF, tricking the victim into clicking an "Open" button.
// 2. Clicking this button triggers JavaScript code that attempts to connect to the TryCloudflare domain via WebDAV and create a network share. Opening this share executes a VBS file, continuing the infection chain.
// I have developed a DefenderXDR MDO + MDE + ExposureManagement KQL detection to hunt for potential abuse involving SVG files and trycloudflare.com.

// Deutsche Telekom CERT
// https://x.com/DTCERT/status/1858890116137099581

let TargetSVGRecipients =
EmailAttachmentInfo
| where FileName endswith ".pdf.svg"                  // double extension used by the campaign's lure
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| join IdentityInfo on $left.RecipientEmailAddress == $right.AccountUpn
| summarize arg_max(Timestamp, *) by AccountUpn       // keep the latest identity record per recipient
| distinct AccountDisplayName;
let TargetSVGdevices =
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
| extend DName = tostring(NodeProperties.rawData.deviceName)   // device name from the node, kept for projection
| where SourceNodeName has_any(TargetSVGRecipients)   // edges whose source is a targeted recipient
| distinct TargetNodeName;
DeviceNetworkEvents
| where ActionType == "HttpConnectionInspected"
| extend ConnectInfo = todynamic(AdditionalFields)
| extend HttpHost = tostring(ConnectInfo.host)        // cast so the string operator below applies reliably
| where HttpHost has ".trycloudflare.com"
| where DeviceName has_any(TargetSVGdevices)          // only devices the targeted recipients can sign in to

Explanation

This query is designed to detect a specific type of email-based malware attack that uses SVG files and the trycloudflare.com domain. Here's a simplified breakdown of what the query does:

  1. Identify Targeted Email Recipients:

    • It looks for email attachments with filenames ending in ".pdf.svg" in inbound emails.
    • It joins this information with email events and identity information to find the recipients of these suspicious emails.
    • It then lists the unique display names of these recipients.
  2. Identify Devices Used by Targeted Recipients:

    • It checks which devices the identified recipients can authenticate to, using data from an exposure graph.
    • It lists the unique names of these devices.
  3. Detect Suspicious Network Activity:

    • It examines network events to find HTTP connections inspected by Defender for Endpoint (ActionType "HttpConnectionInspected").
    • It filters these events to find connections to the trycloudflare.com domain.
    • It further narrows down the results to connections made from devices associated with the targeted recipients.

Overall, this query aims to detect potential abuse involving SVG files and trycloudflare.com by identifying recipients of the suspicious emails and monitoring their devices for connections to trycloudflare.com, a legitimate tunneling service that this campaign abuses.
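The query above covers the network stage of the chain. The execution stage the advisory describes, a script host run from a WebDAV share on a trycloudflare.com tunnel, can be hunted with the following added KQL example, which is not part of the original query or the DT CERT advisory. It assumes the Defender XDR DeviceProcessEvents schema and the Windows WebDAV redirector's UNC conventions (\\host@SSL\DavWWWRoot).

```kql
// Added example, not from the original page: hunt the execution stage of the campaign,
// a script host or Explorer launched against a WebDAV path on a trycloudflare.com tunnel.
// Assumption: "@SSL" and "DavWWWRoot" are the Windows WebDAV redirector's UNC conventions.
let TunnelDomain = "trycloudflare.com";
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wscript.exe", "cscript.exe") or FileName =~ "explorer.exe"
| where ProcessCommandLine has TunnelDomain or ProcessCommandLine has "DavWWWRoot"
// pull the UNC path out of the command line for triage
| extend UncPath = extract(@"(\\\\[^\s""]+)", 1, ProcessCommandLine)
| extend RunsVbs = ProcessCommandLine matches regex @"(?i)\.vbs\b"
| extend Stage = case(
    FileName in~ ("wscript.exe", "cscript.exe") and RunsVbs, "VBS executed from WebDAV share",
    FileName =~ "explorer.exe", "WebDAV share opened",
    "other WebDAV activity")
| project Timestamp, DeviceName, AccountName, Stage, InitiatingProcessFileName,
          FileName, ProcessCommandLine, UncPath
| order by Timestamp desc
```

Pair the hits with the TargetSVGdevices list from the query above to scope triage to devices of recipients who actually received the lure.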

Details


Steven Lim

Released: November 21, 2024

Tables

EmailAttachmentInfo, EmailEvents, IdentityInfo, ExposureGraphEdges, ExposureGraphNodes, DeviceNetworkEvents

Operators

let, endswith, join, on, where, summarize, arg_max, by, distinct, extend, tostring, has_any, has, todynamic
