TI Open Phish Free Feed Hits In Email Url Info
Query
//OpenPhish Free Feed Hits in EmailUrlInfo
let OpenPhish = externaldata(Url: string)["https://openphish.com/feed.txt"];
EmailUrlInfo
| where UrlDomain has_any(OpenPhish)
| join EmailEvents on NetworkMessageIdExplanation
This query looks for any URLs in email messages that match the OpenPhish list of known phishing websites. It then joins this information with email events data.
Details

Benjamin Zulliger
Released: June 7, 2024
Tables
EmailUrlInfoEmailEvents
Keywords
EmailUrlInfoUrlDomainOpenPhishEmailEventsNetworkMessageId
Operators
has_anyjoin