Query Details

TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns

TI Feed Ipfs Phishing

Query

//check for phishing emails potentially using ipfs to host malicious content used in phishing campaigns.
let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
EmailEvents
| where Timestamp > ago (30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"

About this query

Explanation

This query is designed to detect phishing emails that use the InterPlanetary File System (IPFS) to host malicious content. IPFS is a decentralized file hosting system that can be used in phishing campaigns to bypass traditional security measures. The query consists of two parts, each tailored for different platforms:

  1. Defender XDR Query: This part of the query checks for phishing emails that might be using IPFS to host malicious content. It looks at email events from the last 30 days and checks if any URLs in the emails match known IPFS-hosted domains. If such URLs are found and the email wasn't blocked, it could indicate a phishing attempt.

  2. Sentinel Query: This part checks for any subsequent connections to IPFS-hosted sites. It looks at network events from the last 30 days to see if there are any connections to the same IPFS-hosted domains identified in the email query. This helps in identifying if a phishing attack is being executed by tracking network activity related to those domains.

Overall, the query aims to identify and track phishing campaigns using IPFS, which is a more sophisticated and harder-to-detect method of phishing.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

EmailEventsEmailUrlInfoDeviceNetworkEvents

Keywords

PhishingEmailsIPFSEmailEventsDeviceNetwork

Operators

externaldataletwherejoinonhas_any!~>ago

MITRE Techniques

Actions

GitHub