Query Details

Email MDO Phishing Detection

Query

name : MDO detection with Email Phish
description : 
- These queries hunt for phishing mails detected by Microsoft Defender for Office 365 (MDO), using the DetectionMethods column of EmailEvents
- Case1 - list all MDO phishing detections from the last 7 days that match a known detection method
- Case2 - filter the MDO phishing detections down to a single detection method
table : 
- EmailEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table?view=o365-worldwide
query : |
    //Case1 - MDO detection list
    //DetectionMethods is a JSON string such as {"Phish":["URL detonation reputation"]};
    //the Phish array is compared as its serialized string against the known MDO phishing detection methods
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend MDO_detection = parse_json(DetectionMethods)
    | where tostring(MDO_detection.Phish) in 
      (
       @'["URL detonation reputation"]',
       @'["URL detonation"]',
       @'["Impersonation user"]',
       @'["Impersonation domain"]',
       @'["Mailbox intelligence impersonation"]',
       @'["File detonation"]',
       @'["File detonation reputation"]',
       @'["Campaign"]'
      )
    | project Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, PhishMethod = MDO_detection.Phish


    //Case2 - Filter MDO detection based on detection methods
    //Run with exactly one of the 'where' lines below uncommented
    EmailEvents
    | where Timestamp > ago(7d)
    | where isnotempty(DetectionMethods)
    | extend MDO_detection = parse_json(DetectionMethods)
    | where tostring(MDO_detection.Phish) == @'["URL detonation reputation"]'
    //| where tostring(MDO_detection.Phish) == @'["URL detonation"]'
    //| where tostring(MDO_detection.Phish) == @'["Impersonation user"]'
    //| where tostring(MDO_detection.Phish) == @'["Impersonation domain"]'
    //| where tostring(MDO_detection.Phish) == @'["Mailbox intelligence impersonation"]'
    //| where tostring(MDO_detection.Phish) == @'["File detonation"]'
    //| where tostring(MDO_detection.Phish) == @'["File detonation reputation"]'
    //| where tostring(MDO_detection.Phish) == @'["Campaign"]'
    | project Timestamp, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryLocation, PhishMethod = MDO_detection.Phish


Explanation

The queries search the EmailEvents table for emails that Microsoft Defender for Office 365 classified as phishing, based on the DetectionMethods column.

In Case 1, the query retrieves a list of phishing emails detected by Microsoft Defender for Office 365 in the past 7 days. It filters the results based on specific detection methods such as URL detonation reputation, URL detonation, impersonation user, impersonation domain, mailbox intelligence impersonation, file detonation, file detonation reputation, and campaign. The query then projects the timestamp, network message ID, subject, sender address, recipient address, delivery location, and the specific phishing detection method.

In Case 2, the query filters the phishing emails based on a specific detection method, which is URL detonation reputation in this case. The other detection methods are commented out but can be uncommented and used individually to filter the results further. The query then projects the same set of fields as in Case 1.
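As an added example that is not part of the original query: because Phish is an array, a message flagged by two methods at once serializes as a two-element array and matches none of the single-element literals in Case 1 or Case 2. Expanding the array with mv-expand compares each method on its own and also allows a per-method summary by delivery location.

```kql
// Added example, not the author's query: expand the Phish array so that messages
// flagged by more than one detection method are counted under each method.
EmailEvents
| where Timestamp > ago(7d)
| where isnotempty(DetectionMethods)
// DetectionMethods is a JSON string, e.g. {"Phish":["URL detonation","Campaign"]}
| extend PhishMethods = parse_json(DetectionMethods).Phish
| where isnotnull(PhishMethods)
// One row per (message, method); a two-method message yields two rows
| mv-expand PhishMethod = PhishMethods to typeof(string)
// Same method list as the original Case1; remove this filter to see every method MDO reports
| where PhishMethod in (
    "URL detonation reputation", "URL detonation",
    "Impersonation user", "Impersonation domain",
    "Mailbox intelligence impersonation",
    "File detonation", "File detonation reputation",
    "Campaign")
// Break the results down by method and where the mail ended up,
// so detections that still reached a mailbox stand out from those quarantined or blocked
| summarize Messages = dcount(NetworkMessageId),
            Recipients = dcount(RecipientEmailAddress),
            LastSeen = max(Timestamp),
            SampleSubject = take_any(Subject)
    by PhishMethod, DeliveryLocation
| order by Messages desc
```

Replacing the summarize with the project line from Case 1 returns the individual messages instead of the counts.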

Details


Kijo Girardi

Released: February 2, 2023

Tables

EmailEvents

Keywords

EmailEvents, Timestamp, DetectionMethods, MDO_detection, Phish, URL detonation reputation, URL detonation, Impersonation user, Impersonation domain, Mailbox intelligence impersonation, File detonation, File detonation reputation, Campaign, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryLocation
