Query Details

Email Events Find Emails with Potential Phishing URL

Query

// When Defender for Cloud raises an alert for a possible DNS lookup of a phishing domain, check whether that same domain was delivered as a URL in an inbound email (i.e. whether the lookup was part of an email phishing attack).

// Data connector required for this query: Microsoft 365 Defender (the Email* tables: EmailEvents and EmailUrlInfo)
// Data connector required for this query: SecurityAlert (a free table that other Defender products send alert information to)

// Build the list of domains named in Defender for Cloud phishing-domain alerts.
// Entities is stored as a JSON string, so it must be converted with todynamic() before expanding.
let suspiciousdomains=
    SecurityAlert
    | where AlertName startswith "Communication with possible phishing domain"
    | mv-expand todynamic(Entities)
    | extend DomainName = tostring(Entities.DomainName)
    | where isnotempty(DomainName)
    | distinct DomainName;
// Inbound mail only; NetworkMessageId links each message to the URLs it contained.
EmailEvents
| where EmailDirection == "Inbound"
| project
    TimeGenerated,
    SenderMailFromAddress,
    RecipientEmailAddress,
    EmailDirection,
    NetworkMessageId
| join kind=inner (EmailUrlInfo) on NetworkMessageId
| project
    TimeGenerated,
    SenderMailFromAddress,
    RecipientEmailAddress,
    EmailDirection,
    Url,
    UrlDomain
// in~ is a case-insensitive match, so differences in domain casing do not cause misses.
| where UrlDomain in~ (suspiciousdomains)

Explanation

This query hunts for phishing URLs in email by starting from Defender for Cloud's "Communication with possible phishing domain" alerts. It extracts the domain names from the Entities field of matching SecurityAlert rows and keeps a distinct list. It then takes inbound messages from EmailEvents, joins them to EmailUrlInfo on NetworkMessageId so that each message is paired with the URLs it contained, and projects the time generated, sender address, recipient address, email direction, URL, and URL domain. Finally, it keeps only rows whose URL domain matches one of the alerted domains, using a case-insensitive comparison.
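To show how the three parts of the query fit together without a workspace, here is an added Python sketch that is not part of the original page or Matt Zorich's query. It applies the same logic (alert filter, Entities expansion, inbound-only join on NetworkMessageId, case-insensitive domain match) to constructed sample rows; the shape of the Entities JSON and the sample values are assumptions made for the example.

```python
import json

# Constructed sample rows (not real telemetry). SecurityAlert.Entities is a JSON
# string holding an array of entity objects, which is why the query needs todynamic().
SECURITY_ALERTS = [
    {"AlertName": "Communication with possible phishing domain detected",
     "Entities": json.dumps([{"$id": "3", "DomainName": "Login-Example.test", "Type": "dns"},
                             {"$id": "4", "Address": "10.0.0.5", "Type": "ip"}])},
    {"AlertName": "Suspicious process executed",
     "Entities": json.dumps([{"$id": "2", "DomainName": "benign.test", "Type": "dns"}])},
]
# Constructed EmailEvents (one row per recipient) and EmailUrlInfo (one row per URL).
EMAIL_EVENTS = [
    {"TimeGenerated": "2022-06-17T08:00:00Z", "SenderMailFromAddress": "billing@sender.test",
     "RecipientEmailAddress": "alice@contoso.test", "EmailDirection": "Inbound", "NetworkMessageId": "msg-1"},
    {"TimeGenerated": "2022-06-17T08:00:00Z", "SenderMailFromAddress": "billing@sender.test",
     "RecipientEmailAddress": "bob@contoso.test", "EmailDirection": "Inbound", "NetworkMessageId": "msg-1"},
    {"TimeGenerated": "2022-06-17T08:05:00Z", "SenderMailFromAddress": "carol@contoso.test",
     "RecipientEmailAddress": "partner@sender.test", "EmailDirection": "Outbound", "NetworkMessageId": "msg-2"},
]
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-1", "Url": "https://login-example.test/verify", "UrlDomain": "login-example.test"},
    {"NetworkMessageId": "msg-1", "Url": "https://www.contoso.test/", "UrlDomain": "www.contoso.test"},
    {"NetworkMessageId": "msg-2", "Url": "https://login-example.test/x", "UrlDomain": "login-example.test"},
]

def suspicious_domains(alerts):
    """The 'suspiciousdomains' let-statement: filter AlertName, expand Entities, keep DomainName, distinct."""
    found = set()
    for alert in alerts:
        if not alert["AlertName"].startswith("Communication with possible phishing domain"):
            continue
        for entity in json.loads(alert["Entities"]):   # mv-expand todynamic(Entities)
            name = entity.get("DomainName", "")       # entities with no DomainName yield "" and are dropped
            if name:
                found.add(name.lower())               # lower-cased so the match below behaves like in~
    return found

def phishing_urls_in_inbound_mail(alerts, email_events, url_info):
    """The main query: inbound EmailEvents inner-joined to EmailUrlInfo, filtered to suspicious UrlDomain."""
    bad = suspicious_domains(alerts)
    keep = ("TimeGenerated", "SenderMailFromAddress", "RecipientEmailAddress", "EmailDirection")
    hits = []
    for mail in (m for m in email_events if m["EmailDirection"] == "Inbound"):
        for u in url_info:   # inner join on NetworkMessageId: one hit per (recipient, URL) pair
            if u["NetworkMessageId"] == mail["NetworkMessageId"] and u["UrlDomain"].lower() in bad:
                hits.append({**{k: mail[k] for k in keep}, "Url": u["Url"], "UrlDomain": u["UrlDomain"]})
    return hits
```

Note that the outbound message carrying the same domain is excluded, while the inbound message produces one row per recipient, exactly as the per-recipient EmailEvents rows would in the join.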

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert, EmailEvents, EmailUrlInfo

Keywords

Defender, Cloud, DNS, Lookup, Phishing, Domain, URL, Email, Attack, Data, Connector, M365, Security, Alert, Table, Suspicious, Domains, Inbound, Sender, Recipient, Network, Message, ID

Operators

where, startswith, mv-expand, todynamic, extend, tostring, isnotempty, distinct, EmailDirection, project, join, kind, on, in~
