Query Details

Storm-0539 AiTM URLs - EmailEvents

STORM 0539 URL Paths Email

Query

let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join kind=inner EmailEvents on NetworkMessageId

About this query

Storm-0539 AiTM URLs - EmailEvents

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1557Adversary-in-the-Middlehttps://attack.mitre.org/techniques/T1557/

Description

Microsoft Threat Intelligence has identified that the following url parts are used by Storm-0539 to deploy AiTM phishing pages:

  • /Udlaps/
  • /Usrlop/
  • /adls/index.html
  • /saml2/index.html

This query lists matches on the parts of the URL if found in emails.

Risk

These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to steal credentials and session tokens.

References

Defender XDR

Sentinel

let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join kind=inner EmailEvents on NetworkMessageId

Explanation

This query is designed to identify potentially malicious emails that contain specific URL patterns associated with a phishing campaign by a group known as Storm-0539. The URLs in question are used to create adversary-in-the-middle (AiTM) phishing pages, which can capture sensitive information like credentials and session tokens.

Here's a simple breakdown of what the query does:

  1. Define Target URLs: It sets up a list of URL parts that are known to be used in phishing attacks by Storm-0539. These include:

    • /Udlaps/
    • /Usrlop/
    • /adls/index.html
    • /saml2/index.html
  2. Search for Matches: It searches through email data to find any emails that contain these URL parts.

  3. Join with Email Events: It combines the results with email event data to provide more context about the emails that contain these URLs.

The purpose of this query is to help security teams quickly identify and respond to phishing threats by highlighting emails that may be part of this malicious activity.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 18, 2026

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoEventsNetworkMessageId

Operators

letdynamichas_anyjoinon

MITRE Techniques

Actions

GitHub