TI Phishing Army Hit In Email Url Info
Query
//PhishingArmy Free Feed Hits in EmailUrlInfo
let PhishingArmyFeed = externaldata(Domain: string)[@"https://phishing.army/download/phishing_army_blocklist.txt"] with (format="txt", ignoreFirstRecord=True)
| project Domain = tolower(Domain)
| where Domain !startswith "#";
EmailUrlInfo
| join kind=inner PhishingArmyFeed on $left.Url == $right.Domain
| join EmailEvents on NetworkMessageIdExplanation
This query is designed to identify potential phishing threats in email URLs by using an external phishing domain list. Here's a simplified breakdown:
-
Load Phishing Domain List: The query first retrieves a list of phishing domains from an external source (Phishing Army's blocklist) and processes it to ensure all domain names are in lowercase. It also skips any lines that start with a "#" as these are likely comments or non-relevant data.
-
Filter Email URLs: It then examines email URL information (from a dataset called
EmailUrlInfo) to find URLs that match any of the domains in the phishing list. -
Correlate with Email Events: Finally, it correlates these matched URLs with email events using a common identifier (
NetworkMessageId) to provide context about the emails that contain these potentially malicious URLs.
In summary, this query helps identify emails that contain URLs from a known phishing domain list, potentially flagging them as phishing attempts.
Details

Benjamin Zulliger
Released: November 10, 2024
Tables
Keywords
Operators