Query Details

TI Open Phish Free Feed Hits In Email Url Info

Query

//OpenPhish Free Feed Hits in EmailUrlInfo
let OpenPhish = externaldata(Url: string)["https://openphish.com/feed.txt"];
EmailUrlInfo
| where UrlDomain has_any(OpenPhish)
| join EmailEvents on NetworkMessageId

Explanation

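This query loads the OpenPhish free feed of known phishing websites with externaldata, filters EmailUrlInfo for rows whose UrlDomain matches any feed entry (has_any), and then joins those hits with EmailEvents on NetworkMessageId to bring in the email event data.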
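A variant added here as an example (not the author's query): it parses the hostname out of each feed URL, compares it with UrlDomain, and marks whether the full URL also matches, which helps triage hits on shared hosting. It assumes the feed lists one full URL per line; the datatable rows are constructed, and the names SampleEmailUrlInfo, FeedHosts and MatchType are hypothetical.

```kql
// Constructed rows standing in for the OpenPhish feed
// (assumption: the feed lists one full URL per line).
let OpenPhish = datatable(Url: string)
[
    "https://login.example-phish.test/account/verify",
    "http://files.example-host.test/~user/index.html"
];
// Constructed rows standing in for EmailUrlInfo.
let SampleEmailUrlInfo = datatable(NetworkMessageId: string, Url: string, UrlDomain: string)
[
    "msg-001", "https://login.example-phish.test/account/verify", "login.example-phish.test",
    "msg-002", "http://files.example-host.test/~other/report.pdf", "files.example-host.test",
    "msg-003", "https://www.example.org/", "www.example.org"
];
// Reduce each feed URL to its lowercase hostname and keep the full URLs per host.
let FeedHosts = OpenPhish
    | extend FeedHost = tolower(tostring(parse_url(Url).Host))
    | where isnotempty(FeedHost)
    | summarize FeedUrls = make_set(Url) by FeedHost;
SampleEmailUrlInfo
| extend UrlDomainLower = tolower(UrlDomain)
// Host-level match between the email URL's domain and the feed.
| join kind=inner FeedHosts on $left.UrlDomainLower == $right.FeedHost
// ExactUrl: the emailed URL is itself in the feed.
// HostOnly: only the hostname is shared, so review before acting on it.
| extend MatchType = iff(set_has_element(FeedUrls, Url), "ExactUrl", "HostOnly")
| project NetworkMessageId, Url, UrlDomain, MatchType
```

To run it against live data, replace the first datatable with the externaldata call from the query above and SampleEmailUrlInfo with EmailUrlInfo.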

Details

Benjamin Zulliger

Released: June 7, 2024

Tables

EmailUrlInfo,EmailEvents

Keywords

EmailUrlInfo,UrlDomain,OpenPhish,EmailEvents,NetworkMessageId

Operators

has_any,join