Query Details

Phishing Campaigns Leveraging Microsoft Forms

Query

// Phishing campaigns leveraging Microsoft Forms
// https://www.linkedin.com/posts/activity-7223704172028665858-99AA/

// The KQL below will help you pick up some Forms phishers

EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| extend AuthDetail = parse_json(AuthenticationDetails)
| where EmailDirection == "Inbound"
| where UrlDomain == "forms.microsoft.com"
| where AuthDetail.SPF == "fail" and AuthDetail.DKIM == "fail" and AuthDetail.DMARC == "fail"

Explanation

This KQL query is designed to identify potential phishing campaigns that use Microsoft Forms. Here's a simple summary of what the query does:

  1. Data Source: It starts by looking at the EmailUrlInfo table.
  2. Time Filter: It filters the data to include only records from the past hour.
  3. Join Operation: It joins this data with the EmailEvents table using the NetworkMessageId field to combine related information from both tables.
  4. Extract Authentication Details: It extracts and parses the AuthenticationDetails field into a JSON object for easier access.
  5. Inbound Emails: It filters the results to include only inbound emails.
  6. Target Domain: It further filters the results to include only emails that contain URLs pointing to the domain forms.microsoft.com.
  7. Authentication Failures: Finally, it filters the results to include only emails where all three authentication checks (SPF, DKIM, and DMARC) have failed.

In essence, this query helps identify potentially malicious emails that are using Microsoft Forms and have failed all standard email authentication checks, indicating they might be part of a phishing campaign.
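To make each filter concrete, here is an added Python re-implementation of the same logic over a handful of constructed rows (this is not the author's code and not a Defender API): it joins sample EmailUrlInfo and EmailEvents rows on NetworkMessageId, parses AuthenticationDetails the way parse_json() does, and applies the same time-window, direction, domain and SPF/DKIM/DMARC filters. The sample rows and the fixed clock are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for "now" so the one-hour window is deterministic.
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows shaped like the two tables (only the columns the query uses).
EMAIL_URL_INFO = [
    {"Timestamp": NOW - timedelta(minutes=10), "NetworkMessageId": "msg-1", "UrlDomain": "forms.microsoft.com"},
    {"Timestamp": NOW - timedelta(minutes=20), "NetworkMessageId": "msg-2", "UrlDomain": "forms.microsoft.com"},
    {"Timestamp": NOW - timedelta(minutes=30), "NetworkMessageId": "msg-3", "UrlDomain": "forms.microsoft.com"},
    {"Timestamp": NOW - timedelta(hours=3),    "NetworkMessageId": "msg-4", "UrlDomain": "forms.microsoft.com"},
    {"Timestamp": NOW - timedelta(minutes=5),  "NetworkMessageId": "msg-5", "UrlDomain": "example.com"},
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-1", "EmailDirection": "Inbound",  "AuthenticationDetails": '{"SPF":"fail","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}'},
    {"NetworkMessageId": "msg-2", "EmailDirection": "Inbound",  "AuthenticationDetails": '{"SPF":"pass","DKIM":"fail","DMARC":"fail"}'},
    {"NetworkMessageId": "msg-3", "EmailDirection": "Outbound", "AuthenticationDetails": '{"SPF":"fail","DKIM":"fail","DMARC":"fail"}'},
    {"NetworkMessageId": "msg-4", "EmailDirection": "Inbound",  "AuthenticationDetails": '{"SPF":"fail","DKIM":"fail","DMARC":"fail"}'},
    {"NetworkMessageId": "msg-5", "EmailDirection": "Inbound",  "AuthenticationDetails": '{"SPF":"fail","DKIM":"fail","DMARC":"fail"}'},
]

def parse_auth(raw):
    """Mirror parse_json(AuthenticationDetails): malformed or empty input yields {} so the row cannot match."""
    try:
        parsed = json.loads(raw or "{}")
    except ValueError:
        return {}
    return parsed if isinstance(parsed, dict) else {}

def find_forms_phish(url_rows, event_rows, now=NOW, window_hours=1):
    """Return NetworkMessageIds that pass every filter of the KQL query, in input order."""
    events = {e["NetworkMessageId"]: e for e in event_rows}   # join key -> EmailEvents row
    hits = []
    for u in url_rows:
        if u["Timestamp"] <= now - timedelta(hours=window_hours):
            continue                                            # Timestamp > ago(1h)
        e = events.get(u["NetworkMessageId"])
        if e is None:
            continue                                            # inner join: no EmailEvents row
        if e.get("EmailDirection") != "Inbound":
            continue                                            # EmailDirection == "Inbound"
        if u.get("UrlDomain") != "forms.microsoft.com":
            continue                                            # UrlDomain == "forms.microsoft.com"
        auth = parse_auth(e.get("AuthenticationDetails"))
        if all(auth.get(k) == "fail" for k in ("SPF", "DKIM", "DMARC")):
            hits.append(u["NetworkMessageId"])                  # all three checks failed
    return hits

if __name__ == "__main__":
    print(find_forms_phish(EMAIL_URL_INFO, EMAIL_EVENTS))
```

Only msg-1 survives: msg-2 passed SPF, msg-3 is outbound, msg-4 is older than an hour, and msg-5 does not link to forms.microsoft.com.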

Details


Steven Lim

Released: August 2, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfo, Timestamp, EmailEvents, NetworkMessageId, AuthDetail, AuthenticationDetails, EmailDirection, UrlDomain, SPF, DKIM, DMARC

Operators

|, >, ago(), join, on, extend, parse_json(), ==, and
