Spamhaus 10 Most Abused Tlds

# Spamhaus 10 Most Abused TLDs ### Description The following query will hunt for inbound emails with SenderMailFromDomain and SenderFromDomain that match Spamhaus 10 Most Abused Top Level Domains. ### References - https://www.spamhaus.org/statistics/tlds/ - https://github.com/cyb3rmik3/Hunting-Lists/ ### Microsoft Defender XDR ``` let SpamhausTLD = externaldata(TLD: string)[@"https://raw.githubusercontent.com/cyb3rmik3/THunting-Lists/blob/main/spamhaus-abused-tlds.csv"] with (format="csv", ignoreFirstRecord=True); let Timeframe = 1d; // Choose the best timeframe for your investigation let SMFDEvents = EmailEvents | where Timestamp > ago(Timeframe) | where EmailDirection == "Inbound" | where SenderMailFromDomain has_any (SpamhausTLD) | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction; let SFDEvents = EmailEvents | where Timestamp > ago(Timeframe) | where EmailDirection == "Inbound" | where SenderFromDomain has_any (SpamhausTLD) | project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction; (union isfuzzy=true (SMFDEvents), (SFDEvents) | summarize SenderMailFromAddresses = make_set(SenderMailFromAddress), SenderFromAddresses = make_set(SenderFromAddress), TimeReceived = arg_max(Timestamp, *) by NetworkMessageId | project-reorder TimeReceived, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction | sort by TimeReceived ) ``` ### MITRE ATT&CK Mapping - Tactic: Initial Access - Technique ID: T1566 - [Phishing](https://attack.mitre.org/techniques/T1566/) ### Source ### Versioning | Version | Date | Comments | | ------------- |---------------| ----------------------------------| | 1.0 | 21/01/2024 | Initial publish |

Explanation

This query is designed to search for inbound emails that have sender domains matching the top 10 most abused top-level domains (TLDs) according to Spamhaus. It retrieves the relevant TLDs from a CSV file hosted on GitHub, sets a timeframe for the investigation, and then searches for emails with sender domains matching the TLDs. The query collects various attributes of the matching emails and sorts them by the time they were received. The purpose of this query is to identify potential phishing emails for further investigation.

Details

Michalis Michalos

Released: January 21, 2024

Tables

EmailEvents

Keywords

Spamhaus,TLD,SenderMailFromDomain,SenderFromDomain,EmailEvents,Timestamp,EmailDirection,SenderMailFromAddress,SenderFromAddress,SenderIPv4,RecipientEmailAddress,DeliveryAction,ThreatTypes,EmailAction,EmailActionPolicy,UserLevelAction,UserLevelPolicy,LatestDeliveryLocation,LatestDeliveryAction,SMFDEvents,SFDEvents,NetworkMessageId,TimeReceived

Operators

externaldataletwithformatignoreFirstRecordwhereagohas_anyprojectunionisfuzzysummarizemake_setbyproject-reordersort

KQL Search