Query Details

Phishing By Design Two Step Attacks Using Vsdx Files

Query

// Phishing by Design: Two-Step Attacks Using .vsdx Files

// A recent blog from Perception Point details a sophisticated phishing attack using Microsoft Visio files hosted on SharePoint. Attackers embed malicious URLs in these files, which are sent via compromised email accounts with attached .eml files. Victims are tricked into clicking these links, leading to fake Microsoft login pages designed to steal credentials. This method leverages trusted platforms to evade detection, highlighting the need for advanced security measures. The Perception Point blog link has been shared in the comment section for awareness.
// I have crafted a precise KQL query using Microsoft Defender for Office 365 and Microsoft Defender for Endpoint to detect such abuse scenarios, helping defenders mitigate the risk of these two-step attacks that leverage trusted platforms to evade detection. The KQL code can be downloaded from my SlimKQL GitHub Repository, which is featured on my LinkedIn profile. (Search for "Phishing by Design Two-Step Attacks Using vsdx Files".)

let WhiteListSharepointDomain = dynamic(["XXX.sharepoint.com"]);
let EMLSharepointDomain =
EmailAttachmentInfo 
| where FileName endswith ".eml" or FileName endswith ".msg"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "Attachment"
| extend URLDomain = tostring(parse_url(Url).Host)
| where URLDomain has ".sharepoint.com"
| where not (URLDomain has_any (WhiteListSharepointDomain))
| distinct URLDomain;
// Consolidates all external SharePoint domains found in URLs carried by .eml/.msg attachments of inbound mail
DeviceNetworkEvents
| where ActionType == @"HttpConnectionInspected"
| extend Host = parse_json(AdditionalFields)["host"]
| extend Direction = parse_json(AdditionalFields)["direction"]
| where Direction == "Out" and Host has_any(EMLSharepointDomain)
// MDE endpoint made an outbound HTTP connection to an external SharePoint domain that was embedded in an .eml/.msg attachment

// T1566.001 - Phishing: Spearphishing Attachment:

Explanation

This KQL query is designed to detect a specific type of phishing attack that uses Microsoft Visio files (.vsdx) hosted on SharePoint. Here's a simplified breakdown of what the query does:

  1. Whitelist Setup: It starts by defining a list of trusted SharePoint domains that are considered safe.

  2. Identify Malicious Emails: The query looks for email attachments with filenames ending in ".eml" or ".msg". These are email message files that might contain malicious content.

  3. Join Email Data: It combines data from email attachments and email events to find inbound emails that have URLs in their attachments.

  4. Filter SharePoint URLs: It extracts the domain from these URLs and checks if they are hosted on SharePoint. It then filters out any URLs that belong to the trusted domains listed earlier.

  5. Identify External SharePoint Domains: The query collects all unique external SharePoint domains found in the email attachments.

  6. Monitor Device Network Events: It then looks at device network events to find instances where a device has made an outbound connection to any of these suspicious SharePoint domains.

  7. Detect Phishing Activity: The goal is to identify when a device clicks on a potentially malicious SharePoint link that was embedded in an email attachment, which could lead to phishing attacks.

Overall, this query helps security defenders detect and mitigate phishing attacks that use trusted platforms like SharePoint to bypass traditional security measures.
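To make the seven steps above concrete without a Defender tenant, the following added example (not part of the original query page) re-implements the same correlation in Python over constructed sample rows shaped like the four tables the KQL reads. The tenant names, message IDs and device names are made up; "contoso.sharepoint.com" stands in for the XXX.sharepoint.com allowlist entry.

```python
import json
from urllib.parse import urlparse

# Constructed sample rows (not real telemetry) shaped like the Defender tables the KQL
# reads; "contoso" stands in for the XXX.sharepoint.com allowlist, other tenants are made up.
ALLOWLIST = {"contoso.sharepoint.com"}
EMAIL_ATTACHMENT_INFO = [{"NetworkMessageId": "m1", "FileName": "invoice.eml"},
                         {"NetworkMessageId": "m2", "FileName": "thread.msg"},
                         {"NetworkMessageId": "m3", "FileName": "diagram.vsdx"}]
EMAIL_EVENTS = [{"NetworkMessageId": "m1", "EmailDirection": "Inbound"},
                {"NetworkMessageId": "m2", "EmailDirection": "Outbound"},
                {"NetworkMessageId": "m3", "EmailDirection": "Inbound"}]
EMAIL_URL_INFO = [
    {"NetworkMessageId": "m1", "UrlLocation": "Attachment", "Url": "https://evil-tenant.sharepoint.com/:u:/g/doc"},
    {"NetworkMessageId": "m1", "UrlLocation": "Attachment", "Url": "https://contoso.sharepoint.com/sites/hr"},
    {"NetworkMessageId": "m1", "UrlLocation": "Body", "Url": "https://body-tenant.sharepoint.com/x"},
    {"NetworkMessageId": "m2", "UrlLocation": "Attachment", "Url": "https://other-tenant.sharepoint.com/y"},
    {"NetworkMessageId": "m3", "UrlLocation": "Attachment", "Url": "https://third-tenant.sharepoint.com/z"},
]
DEVICE_NETWORK_EVENTS = [
    {"DeviceName": "WS01", "ActionType": "HttpConnectionInspected", "AdditionalFields": '{"direction":"Out","host":"evil-tenant.sharepoint.com"}'},
    {"DeviceName": "WS02", "ActionType": "HttpConnectionInspected", "AdditionalFields": '{"direction":"Out","host":"contoso.sharepoint.com"}'},
    {"DeviceName": "WS03", "ActionType": "HttpConnectionInspected", "AdditionalFields": '{"direction":"In","host":"evil-tenant.sharepoint.com"}'},
    {"DeviceName": "WS04", "ActionType": "ConnectionSuccess", "AdditionalFields": '{"host":"evil-tenant.sharepoint.com"}'},
]

def external_sharepoint_domains(attachments, events, urls, allowlist):
    """Steps 1-5 of the query: SharePoint hosts linked from .eml/.msg attachments of inbound mail, minus the allowlist."""
    eml_ids = {a["NetworkMessageId"] for a in attachments if a["FileName"].lower().endswith((".eml", ".msg"))}
    inbound = {e["NetworkMessageId"] for e in events if e["EmailDirection"] == "Inbound"}
    domains = set()
    for u in urls:  # the two joins on NetworkMessageId plus the UrlLocation filter
        if u["NetworkMessageId"] in eml_ids & inbound and u["UrlLocation"] == "Attachment":
            host = (urlparse(u["Url"]).hostname or "").lower()  # parse_url(Url).Host
            if ".sharepoint.com" in host and host not in allowlist:
                domains.add(host)
    return domains

def clicked_external_sharepoint(device_events, domains):
    """Step 6: outbound HttpConnectionInspected events whose host is one of those domains."""
    hits = []
    for ev in device_events:
        if ev["ActionType"] != "HttpConnectionInspected":
            continue
        fields = json.loads(ev["AdditionalFields"])  # parse_json(AdditionalFields)
        host = str(fields.get("host", "")).lower()
        if fields.get("direction") == "Out" and any(d in host for d in domains):  # approximates has_any
            hits.append((ev["DeviceName"], host))
    return hits
```

Only WS01 is reported: WS02 reached the allowlisted tenant, WS03 is an inbound connection, and WS04 is not an HttpConnectionInspected event, which mirrors how the KQL filters narrow the result set.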

Details

Steven Lim

Released: November 12, 2024

Tables

EmailAttachmentInfo, EmailEvents, EmailUrlInfo, DeviceNetworkEvents

Keywords

Email, Attachment, DeviceNetworkEvents, Url, Sharepoint

Operators

let, dynamic, endswith, join, on, where, extend, tostring, parse_url, has, has_any, distinct, parse_json