MDO Hunting - Lookalike / Typosquatting Domains in URLs
MDO 09 Lookalike Typosquat Domains
Query
let Brand = "contoso";
let LegitSuffix = "contoso.com";
EmailUrlInfo
| where Timestamp > ago(7d)
| where UrlDomain has Brand and UrlDomain !endswith LegitSuffix
| summarize Messages = dcount(NetworkMessageId), Urls = make_set(Url, 10),
FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
by UrlDomain
| sort by Messages descExplanation
This query is designed to detect suspicious domains that mimic your brand's legitimate domain in email URLs, which is a common tactic used by attackers known as typosquatting or lookalike domains. Here's a simple breakdown of what the query does:
-
Purpose: It identifies domains in email URLs that look similar to your brand's domain but are not the actual domain. This can help in spotting potential phishing attempts or brand impersonation.
-
Customization: You can customize the query by specifying your brand name (e.g., "contoso") and your legitimate domain suffix (e.g., "contoso.com").
-
Data Source: The query uses data from the
EmailUrlInfodata type, which is part of theMicrosoftThreatProtectionconnector. -
Time Frame: It looks at email URLs from the past 7 days.
-
Logic:
- It checks if the domain in the URL contains your brand name but does not end with your legitimate domain suffix.
- It then counts the number of messages containing these suspicious domains and lists up to 10 unique URLs for each domain.
- It also records the first and last time these domains were seen in the data.
-
Output: The results are sorted by the number of messages containing these suspicious domains, with the most frequent ones listed first.
-
Actionable Insights: The query suggests that you consider blocking these suspicious domains and adding them to a brand-abuse monitoring list to prevent potential phishing attacks.
Overall, this query helps in identifying and mitigating risks associated with typosquatting and lookalike domains in email communications.
