Query Details

Phishing Campaigns Leveraging Microsoft Forms

Query

// Phishing campaigns leveraging Microsoft Forms
// https://www.linkedin.com/posts/activity-7223704172028665858-99AA/

// The below KQL will help you pick up some forms phisher🫔

EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| extend AuthDetail = parse_json(AuthenticationDetails)
| where EmailDirection == "Inbound"
| where UrlDomain == "forms.microsoft.com"
| where AuthDetail.SPF == "fail" and AuthDetail.DKIM == "fail" and AuthDetail.DMARC == "fail"

// MITRE ATT&CK Mapping

// The KQL query can be mapped to the following MITRE ATT&CK techniques:

// T1566.001 - Phishing: Spearphishing Attachment:
// The query is looking for inbound emails with specific characteristics that could indicate a phishing attempt, especially with failed authentication checks.
// T1071.001 - Application Layer Protocol: Web Protocols:
// The use of URLs in emails, particularly those pointing to forms.microsoft.com, can be indicative of attempts to use web protocols for malicious purposes.
// T1589.002 - Gather Victim Identity Information: Email Addresses:
// The focus on inbound emails and specific domains suggests an attempt to gather or exploit email addresses.
// T1078 - Valid Accounts:
// The failed authentication checks (SPF, DKIM, DMARC) could indicate attempts to use or spoof valid accounts.

Explanation

This KQL query is designed to identify potential phishing attempts using Microsoft Forms. Here's a simplified breakdown:

  1. Data Source: The query examines data from EmailUrlInfo and EmailEvents tables.

  2. Time Frame: It focuses on emails received in the last hour (Timestamp > ago(1h)).

  3. Email Direction: It filters for inbound emails (EmailDirection == "Inbound").

  4. Target Domain: The query specifically looks for emails containing URLs that point to forms.microsoft.com.

  5. Authentication Checks: It checks for emails that fail all three major email authentication protocols: SPF, DKIM, and DMARC (AuthDetail.SPF == "fail", AuthDetail.DKIM == "fail", AuthDetail.DMARC == "fail").

  6. Purpose: By identifying emails that meet these criteria, the query aims to detect phishing campaigns that might be using Microsoft Forms to deceive recipients.

  7. Security Framework: The query is mapped to several MITRE ATT&CK techniques, indicating its relevance to specific types of cyber threats:

    • T1566.001: Phishing through email attachments.
    • T1071.001: Use of web protocols for malicious activities.
    • T1589.002: Gathering or exploiting email addresses.
    • T1078: Attempting to use or spoof valid accounts.

In essence, this query helps security teams identify suspicious emails that could be part of a phishing campaign leveraging Microsoft Forms, especially those that fail standard email authentication checks.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoTimestampNetworkMessageIdAuthenticationDetailsDirectionDomain

Operators

|where>ago()joinonextendparse_json()==and

Actions

GitHub