STORM 0539 URL Paths Email

# Storm-0539 AiTM URLs - EmailEvents

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1557 | Adversary-in-the-Middle | https://attack.mitre.org/techniques/T1557/ |

#### Description
Microsoft Threat Intelligence has identified that the following URL parts are used by Storm-0539 to deploy AiTM phishing pages:
- /Udlaps/
- /Usrlop/
- /adls/index.html
- /saml2/index.html

This query lists emails whose URLs contain any of these URL parts.

#### Risk
These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to steal credentials and session tokens.

#### References
- https://twitter.com/MsftSecIntel/status/1735351713907773711

## Defender For Endpoint
```KQL
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join EmailEvents on NetworkMessageId
```
## Sentinel
```KQL
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join EmailEvents on NetworkMessageId
```

Explanation

This query identifies emails that contain URLs associated with Storm-0539's deployment of AiTM phishing pages. The URL parts matched are "/Udlaps/", "/Usrlop/", "/adls/index.html", and "/saml2/index.html". The purpose of this query is to detect attempted theft of credentials and session tokens by Storm-0539 at the email-delivery stage, so that matching messages can be investigated and remediated before a recipient follows the link.
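As an added example (not part of the original page or the query author's code), the following Python replays the same filter-then-join logic offline over constructed EmailUrlInfo and EmailEvents rows, so the detection can be sanity-checked before it is deployed. It assumes KQL's `has_any` can be approximated by a case-insensitive substring match, which matches at least everything the term-based KQL operator would.

```python
"""Offline replay of the Storm-0539 AiTM URL detection.

Added example, not the original query page's code. The KQL `has_any` is
approximated as a case-insensitive substring match (an assumption; KQL's
operator is term-based, so this emulation is a superset of it).
"""
from typing import Dict, List, Optional

# Indicator URL parts taken from the page.
STORM_0539_URL_PARTS = ["/Udlaps/", "/Usrlop/", "/adls/index.html", "/saml2/index.html"]

# Constructed sample rows (not real telemetry). Columns mirror the two tables
# the KQL query joins on NetworkMessageId.
EMAIL_URL_INFO: List[Dict[str, str]] = [
    {"NetworkMessageId": "msg-001", "Url": "https://login.example/saml2/index.html?u=bob"},
    {"NetworkMessageId": "msg-002", "Url": "https://news.example/newsletter"},
    {"NetworkMessageId": "msg-003", "Url": "https://cdn.example/UDLAPS/x.php"},  # case differs
    {"NetworkMessageId": "msg-004", "Url": "https://files.example/adls/index.html"},
]
EMAIL_EVENTS: List[Dict[str, str]] = [
    {"NetworkMessageId": "msg-001", "SenderFromAddress": "it@mail.example",
     "RecipientEmailAddress": "bob@corp.example", "Subject": "Password expiry"},
    {"NetworkMessageId": "msg-002", "SenderFromAddress": "news@news.example",
     "RecipientEmailAddress": "alice@corp.example", "Subject": "Weekly update"},
    {"NetworkMessageId": "msg-003", "SenderFromAddress": "hr@mail.example",
     "RecipientEmailAddress": "carol@corp.example", "Subject": "Gift card program"},
    # msg-004 has no EmailEvents row, so the inner join must drop it.
]


def matched_part(url: str, parts: List[str] = STORM_0539_URL_PARTS) -> Optional[str]:
    """Return the first indicator part found in url (case-insensitive), else None."""
    low = url.lower()
    for part in parts:
        if part.lower() in low:
            return part
    return None


def find_storm_0539_emails(url_info: List[Dict[str, str]], events: List[Dict[str, str]],
                           parts: List[str] = STORM_0539_URL_PARTS) -> List[Dict[str, str]]:
    """Emulate: EmailUrlInfo | where Url has_any (URLs) | join EmailEvents on NetworkMessageId."""
    events_by_id = {e["NetworkMessageId"]: e for e in events}
    hits = []
    for row in url_info:
        part = matched_part(row["Url"], parts)
        if part is None:
            continue
        event = events_by_id.get(row["NetworkMessageId"])
        if event is None:  # inner join: no matching EmailEvents row, no result
            continue
        hits.append({**event, "Url": row["Url"], "MatchedUrlPart": part})
    return hits
```

Running `find_storm_0539_emails(EMAIL_URL_INFO, EMAIL_EVENTS)` on the constructed rows returns msg-001 and msg-003 only.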

Details

Bert-Jan Pals

Released: December 19, 2023

Tables

EmailUrlInfo, EmailEvents

Keywords

Devices, Intune, User

Operators

let, dynamic, @, EmailUrlInfo, where, has_any, join