Query Details

Emails With OAuth Requests

Query

// Hunt for potential phishing emails that link to a Microsoft OAuth authorize endpoint
// (illicit consent grant). The user signs in on a genuine Microsoft page and is asked to
// consent to an attacker-registered app; the OAuth tokens then grant that app the
// requested permissions without any credential being stolen.
// Because the link points at login.windows.net or login.microsoftonline.com, both users
// and URL-reputation checks see it as less suspicious than a look-alike domain.
EmailUrlInfo
| where Url contains "https://login.windows.net/common/oauth2"
    or Url contains "https://login.microsoftonline.com/consumers/oauth2"
// redirect_uri marks an authorize request: it is the app callback that receives the code
| where Url contains "redirect_uri"
| join kind=inner EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == "Inbound"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url

Explanation

This query hunts for potential consent-phishing emails: messages that carry a link to Microsoft's OAuth authorize endpoint. Unlike credential phishing, the victim signs in on a genuine Microsoft page and is then asked to consent to an application the attacker registered. The tokens Microsoft issues give that application the requested permissions (for example reading mail or files) without any password being stolen, and the access survives a password reset until the consent is revoked. The query filters EmailUrlInfo for URLs containing "https://login.windows.net/common/oauth2" or "https://login.microsoftonline.com/consumers/oauth2" that also carry a redirect_uri parameter (the callback that receives the authorization code, which in a consent-phishing campaign points at attacker infrastructure), joins the hits to EmailEvents on NetworkMessageId, and keeps only inbound mail. The string matches are deliberately narrow: authorize links under the /organizations/ path or a tenant-specific path are not matched, so widen the patterns if broader coverage is wanted. When triaging hits, review the client_id and redirect_uri of each link rather than the login host, which is legitimate by design.
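The following Python helper is an added example, not part of the original query page. It reproduces the hunt's logic over constructed EmailUrlInfo and EmailEvents rows (match authorize URLs on the Microsoft login hosts, join on NetworkMessageId, keep inbound mail) and goes further than the KQL by parsing each authorize request into its tenant path, client_id, redirect_uri and scope, then flagging third-party callbacks and high-risk scopes. It accepts any tenant path, not only /common and /consumers. The sample records, client IDs, redirect hosts, the trusted-suffix list and the high-risk scope list are all constructed assumptions for illustration.

```python
"""Triage helper for Microsoft OAuth consent links found in email.

Added example, not part of the original query page. Mirrors the KQL hunt and
additionally parses each authorize request. All sample data is constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts that serve Microsoft's authorize endpoint. Unlike the hunt query, any
# tenant path (/common, /consumers, /organizations, a tenant ID) is accepted.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.windows.net"}

# Assumption: redirect hosts under these suffixes are treated as first-party.
# Tune to your environment; anything else is a third-party app callback.
TRUSTED_REDIRECT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com")

# Assumption: delegated scopes that consent-phishing apps typically request.
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "mail.readwrite",
                    "mail.send", "files.read.all", "files.readwrite.all"}


def parse_oauth_authorize(url):
    """Return the parameters of a Microsoft OAuth authorize request that
    carries a redirect_uri, or None if the URL is anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in LOGIN_HOSTS:
        return None
    # Path is /<tenant>/oauth2/authorize (v1) or /<tenant>/oauth2/v2.0/authorize (v2).
    segs = [s for s in parts.path.lower().split("/") if s]
    if len(segs) < 3 or segs[1] != "oauth2" or segs[-1] != "authorize":
        return None
    query = parse_qs(parts.query)          # percent-decodes redirect_uri and scope
    if "redirect_uri" not in query:
        return None
    redirect_uri = query["redirect_uri"][0]
    scopes = set()
    for raw in query.get("scope", []):     # space-separated list in v2 requests
        scopes.update(s.lower() for s in raw.split())
    return {
        "tenant": segs[0],
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": redirect_uri,
        "redirect_host": (urlsplit(redirect_uri).hostname or "").lower(),
        "scopes": scopes,
    }


def risk_flags(req):
    """Reasons to prioritise one consent link over another."""
    flags = []
    host = req["redirect_host"]
    # The login host is legitimate by design; the app behind redirect_uri is
    # what matters. A callback outside first-party domains collects the code.
    if not any(host == s[1:] or host.endswith(s) for s in TRUSTED_REDIRECT_SUFFIXES):
        flags.append("third-party redirect_uri")
    risky = req["scopes"] & HIGH_RISK_SCOPES
    if risky:
        flags.append("high-risk scopes: " + ", ".join(sorted(risky)))
    # v1 requests carry no scope parameter (permissions live on the app
    # registration; the API is passed as 'resource'), so an empty scope set
    # is not evidence of a harmless app.
    elif not req["scopes"]:
        flags.append("no scope in URL: check the app registration's permissions")
    return flags


def hunt(email_url_info, email_events):
    """Python equivalent of the KQL hunt, with parsed parameters and flags."""
    events = {e["NetworkMessageId"]: e for e in email_events}
    hits = []
    for rec in email_url_info:
        req = parse_oauth_authorize(rec["Url"])
        if req is None:
            continue
        ev = events.get(rec["NetworkMessageId"])  # the join on NetworkMessageId
        if ev is None or ev["EmailDirection"] != "Inbound":
            continue
        hits.append({"NetworkMessageId": rec["NetworkMessageId"],
                     "Sender": ev["SenderFromAddress"], "Subject": ev["Subject"],
                     **req, "flags": risk_flags(req)})
    return hits


# Constructed sample rows shaped like EmailUrlInfo and EmailEvents.
SAMPLE_EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-001", "Url":   # v2 consent link, attacker callback, mailbox scopes
     "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id="
     "11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri="
     "https%3A%2F%2Fshared-docs.example.net%2Fcallback"
     "&scope=openid%20offline_access%20Mail.Read%20Files.ReadWrite.All"},
    {"NetworkMessageId": "msg-002", "Url":   # v1 link on login.windows.net, no scope parameter
     "https://login.windows.net/common/oauth2/authorize?client_id="
     "66666666-7777-8888-9999-000000000000&response_type=code&redirect_uri="
     "https%3A%2F%2Freview-invoice.example.org%2Fauth&resource=https%3A%2F%2Fgraph.microsoft.com"},
    {"NetworkMessageId": "msg-003", "Url":   # same shape, but the email is outbound
     "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id="
     "11111111-2222-3333-4444-555555555555&redirect_uri=https%3A%2F%2Fshared-docs.example.net%2Fcallback"},
    {"NetworkMessageId": "msg-004", "Url": "https://www.example.com/newsletter"},  # not OAuth
]
SAMPLE_EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-001", "EmailDirection": "Inbound",
     "SenderFromAddress": "it-support@example.net", "Subject": "Document shared with you"},
    {"NetworkMessageId": "msg-002", "EmailDirection": "Inbound",
     "SenderFromAddress": "billing@example.org", "Subject": "Invoice awaiting review"},
    {"NetworkMessageId": "msg-003", "EmailDirection": "Outbound",
     "SenderFromAddress": "alice@contoso.example", "Subject": "FW: Document shared with you"},
    {"NetworkMessageId": "msg-004", "EmailDirection": "Inbound",
     "SenderFromAddress": "news@example.com", "Subject": "Weekly digest"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EMAIL_URL_INFO, SAMPLE_EMAIL_EVENTS):
        print(hit["NetworkMessageId"], hit["client_id"], hit["redirect_host"], hit["flags"])
```

Run it as-is to see the two inbound consent links surface with their parsed client_id, callback host and flags; in practice you would feed it the Url and NetworkMessageId columns exported from the hunt above and compare each client_id against the enterprise applications actually consented to in your tenant.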

Details


C.J. May

Released: November 8, 2021

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfo,Url,EmailEvents,NetworkMessageId,EmailDirection

Operators

where, contains, or, join, on, ==
