Query Details

Potential Adversary in the middle Phishing

Potential Ai TM Phishing

Query

AADSignInEventsBeta
| where Application == "OfficeHome"
| where AccountUpn has "@"
| where isempty(AadDeviceId)
| summarize RiskLevels = make_set(RiskLevelDuringSignIn), ResultTypes = make_set(ErrorCode), IPs = make_set(IPAddress), Useragents = make_set(UserAgent) by CorrelationId, AccountUpn, IPAddress
// Optional to only filter on events with a RiskLevel during the sign-in
//| where RiskLevels has_any (10, 50, 100)

About this query

Explanation

This query is designed to identify potential phishing attempts where an attacker might be intercepting communications between a user and a service, a technique known as "Adversary-in-the-Middle" (AiTM). The focus is on detecting suspicious sign-in activities related to the "OfficeHome" application, which is sometimes used in phishing kits.

Here's a simplified breakdown of the query:

  1. Target Application: The query looks for sign-in events specifically related to the "OfficeHome" application.

  2. User Identification: It filters for users whose email addresses contain the "@" symbol, indicating a valid email format.

  3. Device Identification: It checks for sign-ins from devices that do not have a known device ID (isempty(deviceId)). This suggests the device is not recognized or onboarded by the organization, which is suspicious.

  4. Data Summarization: The query collects and summarizes several pieces of information for each sign-in event:

    • Risk Levels: The risk level associated with the sign-in attempt.
    • Result Types: The outcome of the sign-in attempt (e.g., successful or failed).
    • IP Addresses: The IP addresses from which the sign-in attempts were made.
    • User Agents: The user agent strings, which provide information about the browser or application used for the sign-in.
  5. Optional Filtering: The query can be further refined to only include sign-in events that have a specific risk level during the sign-in process (e.g., low, medium, high).

The goal of this query is to flag potentially malicious sign-in attempts that could indicate a phishing attack, especially when they involve unknown devices trying to access organizational resources.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 2, 2024

Tables

AADSignInEventsBetaSigninLogs

Keywords

AADSignInEventsBetaApplicationAccountUpnAadDeviceIdRiskLevelDuringSignInErrorCodeIPAddressUserAgentCorrelationIdSigninLogsAppDisplayNameUserPrincipalNameDeviceDetailDeviceIdDisplayNameResultType

Operators

|wherehasisemptysummarizemake_setbyextendtostring

MITRE Techniques

Actions

GitHub