Query Details

Microsoft Phishing Subdomain Detection

Query

//This query detects phishing domains that use "Microsoft" in a subdomain
//Excludes legitimate Microsoft domains
let MSFT_Domains = externaldata(Url:string)[@"https://raw.githubusercontent.com/HotCakeX/MicrosoftDomains/main/Microsoft%20Domains.txt"] with (format="csv");
let TestUrl = "microsoft-microsoft-microsofts[.]ecomademadeiras[.]com.br"; //sample lookalike, only used by the commented-out test line below (renamed from RemoteUrl so it does not clash with the table column)
//print replace_string(TestUrl,'[.]','.') //to test the clean-up steps on the sample value
DeviceNetworkEvents
| where isnotempty(RemoteUrl) //Clean up: parse_url did not help, so strip the scheme, path and port by hand (alternatively use a function)
| extend Url = replace_string(RemoteUrl,'http://','')
| extend Url = tostring(split(replace_string(Url,'https://',''),'/')[0]) //keep host[:port] only
| extend Url = tostring(split(Url,':')[0]) //remove ports
| extend Domain_split = split(Url,'.') //split out the labels
| where strcat(Domain_split[-2],'.',Domain_split[-1]) !in (MSFT_Domains) //registrable domain (last two labels) is not a Microsoft domain: decent way to cut noise but not perfect, will not catch function apps/SharePoint sites being abused
| where Url has "microsoft"
| summarize by tostring(Domain_split), Url, RemoteUrl
| where Url <> "admin.microsoft.exchange.com" //supplement allow-list

Explanation

This query is designed to detect potential phishing domains that misuse the word "Microsoft" in their subdomains while excluding legitimate Microsoft domains. Here's a simplified breakdown of what the query does:

  1. Load Legitimate Microsoft Domains: It imports a list of legitimate Microsoft domains from an external CSV file hosted on GitHub.

  2. Define a Test URL: It sets a specific URL (microsoft-microsoft-microsofts.ecomademadeiras.com.br) as a sample value for the commented-out print statement, so the clean-up steps can be checked by hand; the pipeline itself does not use it.

  3. Process Network Events: It looks at network events, specifically the RemoteUrl field of DeviceNetworkEvents, skipping rows where it is empty.

  4. Clean and Parse URLs:

    • It removes 'http://' and 'https://' prefixes from URLs and keeps only the host part before the first '/'.
    • It strips out any port numbers.
    • It splits the host into parts based on periods ('.') to isolate different sections of the domain.

  5. Filter Out Legitimate Domains:

    • It checks that the main domain (the last two parts of the split URL) is not in the list of legitimate Microsoft domains. As the query's own comment notes, this cuts noise but is not perfect: it will not catch legitimate Microsoft-hosted services such as function apps or SharePoint sites being abused.
    • It ensures the URL contains the word "microsoft" to focus on potentially malicious uses of the brand name.

  6. Summarize Results:

    • It groups the results by the split domain parts and the original URL.
    • It excludes a specific URL (admin.microsoft.exchange.com) from the results, treating it as a legitimate case.

In essence, this query helps identify suspicious URLs that might be attempting to impersonate Microsoft by using the brand name in subdomains, while filtering out known legitimate Microsoft domains to reduce false positives.
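As an added example (not part of the original query page), the same clean-up and allow-list logic rewritten in Python so the filters can be unit-tested against constructed sample RemoteUrl values before the KQL is deployed; the domain list and the manual allow-list are constructed stand-ins, and KQL's term-based `has` is approximated by splitting on non-alphanumeric characters. It also shows the blind spot of the last-two-labels heuristic for multi-label suffixes such as .com.br, which the query does not handle.

```python
import re
from typing import Iterable

# Constructed stand-in for the external Microsoft domain list.
MSFT_DOMAINS = {"microsoft.com", "office.com", "live.com", "azure.com"}
# The query's manual supplement to the allow-list.
MANUAL_ALLOW = {"admin.microsoft.exchange.com"}

# Constructed sample RemoteUrl values as they might appear in DeviceNetworkEvents.
SAMPLE_EVENTS = [
    "https://login.microsoft.com/common/oauth2",                               # legitimate
    "http://microsoft-microsoft-microsofts.ecomademadeiras.com.br:8080/login", # lookalike
    "microsoft-support.example.net",                                           # bare host
    "https://cdn.example.org/static/app.js",                                   # no brand term
    "admin.microsoft.exchange.com",                                            # manual allow-list
    "https://microsoft.com.br/",                                               # two-label suffix
]

def normalize_host(remote_url: str) -> str:
    """Mirror the extend steps: strip scheme, keep host[:port], drop port."""
    url = remote_url.replace("http://", "").replace("https://", "")
    url = url.split("/")[0]
    return url.split(":")[0]

def registrable_domain(host: str) -> str:
    """Last two labels, as strcat(Domain_split[-2],'.',Domain_split[-1]) does.
    Caveat: for multi-label suffixes such as .com.br this yields 'com.br', so a
    genuine microsoft.com.br never matches the allow-list and gets flagged."""
    return ".".join(host.split(".")[-2:])

def has_term(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on whole alphanumeric terms,
    so 'microsoft-support' matches but 'microsoftsupport' would not."""
    return term.lower() in re.split(r"[^a-z0-9]+", text.lower())

def is_suspicious(remote_url: str, allowlist: Iterable[str] = MSFT_DOMAINS) -> bool:
    host = normalize_host(remote_url)
    if registrable_domain(host) in set(allowlist):
        return False                      # !in (MSFT_Domains)
    if not has_term(host, "microsoft"):
        return False                      # Url has "microsoft"
    return host not in MANUAL_ALLOW       # Url <> "admin.microsoft.exchange.com"

def flagged_hosts(events: Iterable[str] = SAMPLE_EVENTS) -> list[str]:
    """Equivalent of the summarize: distinct hosts that survive every filter."""
    return sorted({normalize_host(e) for e in events if is_suspicious(e)})
```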

Details

Jay Kerai

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

externaldata, with, let, print, replace_string, isnotempty, where, extend, split, strcat, !in, has, summarize, by, tostring, <>