Query Details

Spamhaus 10 Most Abused Tlds

Query

let SpamhausTLD = externaldata(TLD: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/spamhaus-abused-tlds.csv"] with (format="csv", ignoreFirstRecord=True);
let Timeframe = 1d; // Choose the best timeframe for your investigation
let SMFDEvents = EmailEvents
 | where Timestamp > ago(Timeframe)
 | where EmailDirection == "Inbound"
 | where SenderMailFromDomain has_any (SpamhausTLD)
 | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction;
let SFDEvents = EmailEvents
 | where Timestamp > ago(Timeframe)
 | where EmailDirection == "Inbound"
 | where SenderFromDomain has_any (SpamhausTLD)
 | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction;
 (union isfuzzy=true
     (SMFDEvents),
     (SFDEvents)
    | summarize SenderMailFromAddresses = make_set(SenderMailFromAddress), SenderFromAddresses = make_set(SenderFromAddress), TimeReceived = arg_max(Timestamp, *) by NetworkMessageId    
    | project-reorder TimeReceived, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction
    | sort by TimeReceived
)

About this query

Spamhaus 10 Most Abused TLDs

Description

The following query will hunt for inbound emails with SenderMailFromDomain and SenderFromDomain that match Spamhaus 10 Most Abused Top Level Domains.

References

Microsoft Defender XDR

MITRE ATT&CK Mapping

  • Tactic: Initial Access
  • Technique ID: T1566
  • Phishing

Source

Versioning

VersionDateComments
1.021/01/2024Initial publish

Explanation

This query is designed to identify potentially malicious inbound emails by checking if the domains of the senders match the top 10 most abused top-level domains (TLDs) as identified by Spamhaus. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses a list of the most abused TLDs from Spamhaus, which is fetched from an external CSV file hosted on GitHub.

  2. Timeframe: The query looks at email events from the past day (1 day).

  3. Email Filtering:

    • It examines inbound emails where either the "SenderMailFromDomain" or "SenderFromDomain" matches any of the TLDs in the Spamhaus list.
    • It captures various details about these emails, such as the sender's address, recipient's address, sender's IP, and any actions or policies applied to the email.
  4. Data Processing:

    • It combines results from two checks (one for each domain type) into a single dataset.
    • It summarizes the data to list unique sender addresses and the most recent time each email was received, organized by the email's network message ID.
    • The results are sorted by the time the emails were received.
  5. Purpose: This query helps in identifying phishing attempts or other malicious activities by flagging emails from domains known to be frequently abused.

  6. Security Context: It maps to the MITRE ATT&CK framework under the "Initial Access" tactic, specifically focusing on the "Phishing" technique (T1566).

In essence, this query is a tool for security analysts to detect and investigate potentially harmful emails based on known risky domains.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: January 21, 2024

Tables

EmailEvents

Keywords

SpamhausTLDEmailEventsSenderMailFromDomainTimestampNetworkMessageIdAddressIPv4RecipientDeliveryActionThreatTypesPolicyUserLevelLatestLocationTimeReceived

Operators

letexternaldatawithagowherehas_anyprojectunionisfuzzysummarizemake_setarg_maxproject-reordersort by

MITRE Techniques

Actions

GitHub