Query Details

Hunt For High Volume Phish ISP

Query

//During my routine threat hunting, I observed that the ISP "kuroit limited," which operates in the USA, London, and Amsterdam, is sending a significant number of malicious emails from gmail.com domains. This is something defenders should monitor and filter as necessary.🤝

CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType == "TIMailData-Inline"
| where ActivityType == "Securityevent"
| where ISP == "kuroit limited"
| extend CAInternetMessageId = tostring(parse_json(RawEventData)["InternetMessageId"])
| join EmailEvents on $left.CAInternetMessageId == $right.InternetMessageId
| where EmailDirection == "Inbound"

Explanation

This query is designed to identify and monitor potentially malicious emails originating from the ISP "kuroit limited," which operates in the USA, London, and Amsterdam. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts from the CloudAppEvents table, keeping only events whose Application is Microsoft Exchange Online.

  2. Filtering Criteria:
    • It filters for events where the action type is "TIMailData-Inline" and the activity type is "Securityevent." This likely scopes the results to security-related email events.
    • It further narrows the results to those involving the ISP "kuroit limited."

  3. Data Extraction:
    • It extracts the "InternetMessageId" from the raw event data (RawEventData), which uniquely identifies each email message.

  4. Joining Data:
    • The query joins this data with the "EmailEvents" table on "InternetMessageId" to correlate the sender, recipient and delivery details of each email.

  5. Inbound Emails:
    • Finally, it filters the results to include only inbound emails, meaning emails coming into the organization.

The overall goal of this query is to help defenders monitor and potentially filter out malicious emails coming from the specified ISP, which are using gmail.com domains, as part of a proactive threat hunting effort.
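The following KQL is an added example, not part of the original query: it generalizes the hunt so that any ISP whose inbound mail is mostly flagged surfaces on its own, and it returns the sender domains and geography so a finding like the gmail.com one above can be checked. The lookback, the min_messages floor and the 0.5 flagged ratio are assumed tuning values, not from the post.

```kql
// Added example: rank ISPs by flagged inbound mail instead of hardcoding one ISP.
let lookback = 7d;          // assumed window; widen for low-volume tenants
let min_messages = 25;      // assumed floor so one-off senders do not rank
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Microsoft Exchange Online"
| where ActionType == "TIMailData-Inline"
| where ActivityType == "Securityevent"
| extend CAInternetMessageId = tostring(parse_json(RawEventData)["InternetMessageId"])
| where isnotempty(CAInternetMessageId)
| project CAInternetMessageId, ISP, IPAddress, CountryCode, City
// kind=inner keeps every matching row; the default innerunique would drop
// duplicate left-side keys and under-count repeated messages.
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | project InternetMessageId, SenderFromDomain, SenderFromAddress,
              RecipientEmailAddress, Subject, ThreatTypes, DeliveryAction
  ) on $left.CAInternetMessageId == $right.InternetMessageId
| summarize
    Messages      = count(),
    Flagged       = countif(isnotempty(ThreatTypes)),
    Delivered     = countif(DeliveryAction == "Delivered"),   // flagged but still in a mailbox
    Senders       = dcount(SenderFromAddress),
    Recipients    = dcount(RecipientEmailAddress),
    SenderDomains = make_set(SenderFromDomain, 10),           // e.g. gmail.com shows up here
    Countries     = make_set(CountryCode, 5)
    by ISP
| extend FlaggedRatio = round(1.0 * Flagged / Messages, 2)
| where Messages >= min_messages and FlaggedRatio >= 0.5     // assumed cutoff
| order by Flagged desc
```

Rows with a high Delivered count are the ones to act on first, since those messages reached users despite being flagged.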

Details


Steven Lim

Released: January 14, 2025

Tables

CloudAppEvents, EmailEvents

Keywords

CloudAppEvents, EmailEvents, Microsoft Exchange Online, Securityevent

Operators

where, ==, extend, =, tostring, parse_json, [], join, on
