Query Details

MDO Enhancing Email Security With NRD Filtering

Query

// DefenderXDR Custom Detection Rule
// Newly Registered Domains (NRD): a daily updated list of newly registered domains; the project publishes
// 14-day and 30-day lists, and the 30-day phishing list is used here.
// Every URL domain in inbound email is matched against the NRD list. On a match the email is moved to
// Junk first and then left for the analyst to triage.

let NRDTable = externaldata(RawData:string)
[h'https://raw.githubusercontent.com/xRuffKez/NRD/refs/heads/main/lists/30-day_phishing/domains-only/nrd-phishing-30day.txt']
| parse RawData with NRD:string;   // the feed is one domain per line
EmailUrlInfo
| where Timestamp > ago(1h)
// kind=inner keeps every URL row of a message. The default join flavour (innerunique) keeps only one
// left row per key, so a message with several URLs could lose the one that points at an NRD.
| join kind=inner NRDTable on $left.UrlDomain == $right.NRD
| join kind=inner EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound" and DeliveryAction != "Blocked"
// Timestamp, ReportId, NetworkMessageId and RecipientEmailAddress are the columns a custom
// detection rule needs to alert on and to apply the "move to Junk" response action.
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, Url, UrlDomain

// MITRE ATT&CK Technique
// Acquire Infrastructure: Domains, T1583.001

Explanation

This query is part of a custom detection rule for DefenderXDR, designed to identify potentially malicious emails based on newly registered domains (NRDs). Here's a simplified breakdown of what the query does:

  1. NRD Data Source: It retrieves a list of newly registered domains from an external data source, specifically a GitHub repository containing domains registered in the past 30 days.

  2. Email Data Filtering: It examines email data from the last hour, focusing on inbound emails that were not blocked.

  3. Domain Matching: It checks if the domain of any URLs in these emails matches any domain in the NRD list.

  4. Action: If a match is found, the email is moved to the junk folder for further analysis by an analyst.

  5. Security Context: The query references a specific MITRE ATT&CK technique, "Acquire Infrastructure: Domains" (T1583.001), indicating that this process is part of a broader strategy to detect and mitigate threats involving newly registered domains.
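The same matching logic, re-implemented in Python as an added, stand-alone example (not code from the original page or the NRD project) so it can be exercised offline against constructed rows. It goes one step beyond the query's exact UrlDomain == NRD comparison by also flagging a URL whose host is a subdomain of a listed domain, and it tolerates comment lines, blank lines, case and trailing dots in the feed; the row and column names mirror the EmailUrlInfo and EmailEvents tables.

```python
from urllib.parse import urlsplit

# Constructed NRD feed: one domain per line; blanks and '#' comments are ignored.
NRD_FEED = "# sample feed\nbrand-secure-login.com\ninvoice-portal-update.net\n\nQuick-Verify.org\n"

# Constructed EmailUrlInfo rows (one per URL) and EmailEvents rows (one per message).
EMAIL_URL_INFO = [
    {"NetworkMessageId": "m1", "Url": "https://www.brand-secure-login.com/auth"},
    {"NetworkMessageId": "m1", "Url": "https://cdn.example-benign.com/logo.png"},
    {"NetworkMessageId": "m2", "Url": "http://mail.quick-verify.org./verify?id=7"},
    {"NetworkMessageId": "m3", "Url": "https://invoice-portal-update.net/doc"},
    {"NetworkMessageId": "m4", "Url": "https://quick-verify.org/"},
]
EMAIL_EVENTS = {
    "m1": {"EmailDirection": "Inbound", "DeliveryAction": "Delivered"},
    "m2": {"EmailDirection": "Inbound", "DeliveryAction": "Delivered"},
    "m3": {"EmailDirection": "Inbound", "DeliveryAction": "Blocked"},   # already blocked by MDO
    "m4": {"EmailDirection": "Outbound", "DeliveryAction": "Delivered"},  # not inbound
}

def load_nrd(feed: str) -> set:
    """Parse the feed: skip blanks and '#' comments, lowercase, strip trailing dots."""
    out = set()
    for line in (raw.strip() for raw in feed.splitlines()):
        if line and not line.startswith("#"):
            out.add(line.lower().rstrip("."))
    return out

def nrd_hit(url: str, nrd: set):
    """Return the listed domain matching the URL host or one of its parents, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1):          # walk up the parents, stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in nrd:
            return candidate
    return None

def detect(url_rows, events, nrd) -> list:
    """Mirror the query: inbound, not blocked, URL host on the NRD list -> (msgid, domain)."""
    hits = []
    for row in url_rows:
        ev = events.get(row["NetworkMessageId"])
        if not ev or ev["EmailDirection"] != "Inbound" or ev["DeliveryAction"] == "Blocked":
            continue
        match = nrd_hit(row["Url"], nrd)
        if match:
            hits.append((row["NetworkMessageId"], match))
    return hits
```

Running `detect(EMAIL_URL_INFO, EMAIL_EVENTS, load_nrd(NRD_FEED))` flags m1 and m2 only; m3 is already blocked and m4 is outbound.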

Details

Steven Lim

Released: October 17, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

DefenderXDR, Custom Detection Rule, Newly Registered Domains, Email Url Domains, Analyst, Infrastructure Domains Technique

Operators

let, externaldata, parse, with, where, ago, join, on, ==, !=