Query Details

Sneaky 2FA MDO Detection

Query

// Sneaky 2FA MDO Detection
// https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
// Sneaky 2FA lure URLs embed the victim's address (plain or base64) so the AiTM
// page can pre-fill the sign-in form. Alert on delivered inbound mail whose URL
// is on a known Sneaky 2FA domain and carries an inbound recipient's address.

// Known Sneaky 2FA domains, one per line, from the author's IOC feed
let Sneaky2FATable = externaldata(RawData:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Sneaky2FA.txt']
| parse RawData with Sneaky2FADomains:string
| where isnotempty(Sneaky2FADomains);   // skip blank lines in the feed
let IOCs =
    Sneaky2FATable
    | distinct Sneaky2FADomains;
// Addresses that have received inbound mail, in clear text and as the standard
// padded base64 that base64_encode_tostring() emits. RecipientEmailAddress lives
// in EmailEvents, so no join with EmailUrlInfo is needed to build these lists.
let InboundEmailRecipient =
    EmailEvents
    | where EmailDirection == "Inbound"
    | distinct RecipientEmailAddress;
let InboundEncodedEmailRecipient =
    EmailEvents
    | where EmailDirection == "Inbound"
    | extend EncodedEmail = base64_encode_tostring(RecipientEmailAddress)
    | distinct EncodedEmail;
EmailUrlInfo
// kind=inner is required: Kusto's default innerunique flavour keeps only one
// EmailUrlInfo row per NetworkMessageId, dropping every URL after the first
| join kind=inner EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Url has_any (IOCs)
    and (Url has_any (InboundEmailRecipient) or Url has_any (InboundEncodedEmailRecipient))

Explanation

This KQL (Kusto Query Language) query hunts Microsoft Defender for Office 365 (MDO) email telemetry for lures from Sneaky 2FA, an adversary-in-the-middle (AiTM) phishing-as-a-service kit documented by Sekoia. Sneaky 2FA lure URLs carry the victim's email address, in plain or base64-encoded form, so the fake Microsoft sign-in page can be pre-filled with it; the query looks for exactly that pattern on known kit domains. Step by step:

  1. Load the IOC list: externaldata() pulls the author's Sneaky2FA.txt from GitHub, one domain per line.

  2. Extract unique domains: distinct over the loaded lines gives the set of indicators of compromise (IOCs) used in the final filter.

  3. Build the recipient lists:

    • every distinct RecipientEmailAddress that has received inbound mail, and
    • the same addresses passed through base64_encode_tostring(), because the lure URL may carry the address encoded rather than in clear text.
  4. Filter the mail:

    • EmailUrlInfo (one row per URL in a message) is joined to EmailEvents on NetworkMessageId to bring in direction, delivery action and recipient;
    • only inbound, delivered messages are kept, since those are the ones a user can actually click;
    • a row alerts when its Url contains one of the IOC domains and also contains either the plain or the base64 form of an inbound recipient's address.

The result is the set of delivered inbound emails whose links point at a known Sneaky 2FA domain and are personalised to a recipient in the tenant, which is the signature of a Sneaky 2FA lure rather than a generic phishing link.

Two caveats for anyone adapting the query. The join needs to be an inner join (join kind=inner) rather than Kusto's default innerunique flavour, which keeps a single EmailUrlInfo row per NetworkMessageId and would leave every URL after the first unchecked. And base64_encode_tostring() produces the standard alphabet with '=' padding; a lure that uses URL-safe base64 or drops the padding would need those variants added to the encoded list.
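The detection logic above, re-implemented in Python over constructed rows so it can be exercised without a Defender workspace. This is an added example, not the original KQL or the author's code. It assumes the EmailEvents/EmailUrlInfo column subset shown, and all domains, message IDs and addresses in it are constructed test data. It deliberately departs from the query in three labelled places: it matches the URL against the message's own recipient rather than any inbound recipient, it matches the IOC domain against the URL host rather than anywhere in the URL, and it also accepts URL-safe and unpadded base64 forms of the address.

```python
"""Offline check of the Sneaky 2FA detection logic on constructed MDO-style rows.

Added example, not the page's KQL or the author's code. Re-implements the
query's three conditions (delivered inbound mail, URL on an IOC domain,
recipient address embedded in the URL in plain or base64 form).
All domains, message IDs and addresses below are constructed test data.
"""
import base64
from dataclasses import dataclass
from urllib.parse import quote, urlsplit

# Constructed stand-in for IOC/Sneaky2FA.txt: one domain per line, blanks allowed.
IOC_FEED = """
example-phish.test
another-lure.test

"""

@dataclass(frozen=True)
class EmailEvent:  # the EmailEvents columns the query uses
    network_message_id: str
    email_direction: str
    delivery_action: str
    recipient_email_address: str

@dataclass(frozen=True)
class EmailUrl:  # the EmailUrlInfo columns the query uses (one row per URL)
    network_message_id: str
    url: str

def load_iocs(feed: str) -> set[str]:
    """Mirror externaldata() + distinct: one lowercase domain per non-empty line."""
    return {line.strip().lower() for line in feed.splitlines() if line.strip()}

def ioc_domain_hit(url: str, iocs: set[str]) -> bool:
    """True if the URL host is an IOC domain or a subdomain of one.
    Stricter than the query's `Url has_any (IOCs)`, which also fires on an IOC
    domain appearing elsewhere in the URL, e.g. inside a query parameter."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

def recipient_forms(address: str) -> tuple[set[str], set[str]]:
    """Needles a lure URL may carry for one recipient:
    (plain forms, matched case-insensitively; base64 forms, matched exactly).
    The query matches only what base64_encode_tostring() emits: standard alphabet
    with '=' padding. URL-safe and unpadded variants are a generalisation added
    here, since the query as written would miss them."""
    plain = {address.lower(), quote(address, safe="").lower()}
    raw = address.encode()
    std = base64.b64encode(raw).decode()
    safe = base64.urlsafe_b64encode(raw).decode()
    return plain, {std, safe, std.rstrip("="), safe.rstrip("=")}

def recipient_in_url(url: str, address: str) -> bool:
    plain, b64 = recipient_forms(address)
    lowered = url.lower()
    return any(p in lowered for p in plain) or any(b in url for b in b64)

def detect(events, urls, iocs):
    """(NetworkMessageId, recipient, Url) for each delivered inbound message whose
    URL is on an IOC domain and embeds that message's own recipient. Tighter than
    the query, which accepts any inbound recipient's address in the URL."""
    delivered = {}
    for e in events:
        if e.email_direction == "Inbound" and e.delivery_action == "Delivered":
            delivered.setdefault(e.network_message_id, []).append(e.recipient_email_address)
    return [
        (u.network_message_id, rcpt, u.url)
        for u in urls
        if ioc_domain_hit(u.url, iocs)
        for rcpt in delivered.get(u.network_message_id, [])
        if recipient_in_url(u.url, rcpt)
    ]

# Constructed rows; the comments give the outcome the query's logic implies.
EVENTS = [
    EmailEvent("msg-1", "Inbound", "Delivered", "alice@contoso.example"),   # plain address in URL -> alert
    EmailEvent("msg-2", "Inbound", "Delivered", "bob@contoso.example"),     # padded base64 in URL -> alert
    EmailEvent("msg-3", "Inbound", "Delivered", "dave@contoso.example"),    # unpadded base64 -> alert here, not in KQL
    EmailEvent("msg-4", "Inbound", "Delivered", "erin@contoso.example"),    # IOC domain, no address -> no alert
    EmailEvent("msg-5", "Inbound", "Blocked", "frank@contoso.example"),     # not delivered -> no alert
    EmailEvent("msg-6", "Outbound", "Delivered", "grace@contoso.example"),  # outbound -> no alert
    EmailEvent("msg-7", "Inbound", "Delivered", "heidi@contoso.example"),   # address present, no IOC -> no alert
]
URLS = [
    EmailUrl("msg-1", "https://example-phish.test/login?user=alice@contoso.example"),
    EmailUrl("msg-2", "https://login.another-lure.test/Ym9iQGNvbnRvc28uZXhhbXBsZQ=="),
    EmailUrl("msg-3", "https://another-lure.test/?u=ZGF2ZUBjb250b3NvLmV4YW1wbGU"),
    EmailUrl("msg-4", "https://example-phish.test/"),
    EmailUrl("msg-5", "https://example-phish.test/?user=frank@contoso.example"),
    EmailUrl("msg-6", "https://example-phish.test/?user=grace@contoso.example"),
    EmailUrl("msg-7", "https://benign.example/?user=heidi@contoso.example"),
]

def run_detection():
    return detect(EVENTS, URLS, load_iocs(IOC_FEED))

if __name__ == "__main__":
    for msg_id, rcpt, url in run_detection():
        print(f"{msg_id}\t{rcpt}\t{url}")
```

Running it prints msg-1, msg-2 and msg-3 only. The msg-3 row is the one worth studying: its address is base64 without the trailing '=', which the KQL list built with base64_encode_tostring() would not match, so a tenant that sees unpadded or URL-safe encodings in lures should extend the encoded list the same way recipient_forms() does.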

Details


Steven Lim

Released: January 18, 2025

Tables

Sneaky2FATable, EmailUrlInfo, EmailEvents

Keywords

Sneaky2FA, MDO, Detection, EmailUrlInfo, EmailEvents, NetworkMessageId, RecipientEmailAddress, DeliveryAction

Operators

let, externaldata, parse, distinct, join, on, where, extend, base64_encode_tostring, has_any
