KQL Search

Query Details

HomeAI ToolsDevice Query

The Hunt For Blob Phishing Mail Domain

Query

// 𝗧𝗵𝗲 𝗛𝘂𝗻𝘁 𝗳𝗼𝗿 𝗕𝗹𝗼𝗯 𝗣𝗵𝗶𝘀𝗵𝗶𝗻𝗴 𝗠𝗮𝗶𝗹 𝗗𝗼𝗺𝗮𝗶𝗻

// In some phishing kit, the attacker generated the landing page in a blob to remain stealthy and all of these emails usually passes the SPF/DKIM/DMNARC/CompAuth. However the blob URL has a URL detonation reputation. Using the below KQL to reverse find all the malicious mail domains that are sending blob phishing URLs and block these mail domains at the Tenant Block List.

EmailUrlInfo
| where TimeGenerated > ago(90d)
| where Url contains "web.core.windows.net/"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| summarize Count=count() by SenderFromDomain
| sort by Count desc

Explanation

This KQL query is designed to identify and block malicious email domains that are sending phishing emails with URLs hosted on Azure Blob Storage. Here's a simple breakdown of what the query does:

  1. Data Source: The query starts by looking at the EmailUrlInfo table, which contains information about URLs found in emails.

  2. Time Filter: It filters the data to include only records from the last 90 days.

  3. URL Filter: It specifically looks for URLs that contain "web.core.windows.net/", which is indicative of Azure Blob Storage URLs often used in phishing attacks.

  4. Join with Email Events: The query joins this data with the EmailEvents table using the NetworkMessageId to correlate URL information with specific email events.

  5. Inbound Emails: It filters for emails that were received (inbound).

  6. Blocked Emails: It further filters to include only those emails that were blocked, indicating they were identified as potentially harmful.

  7. Summarize by Domain: The query summarizes the data by counting the number of blocked emails for each sender domain (SenderFromDomain).

  8. Sort: Finally, it sorts the results in descending order based on the count, showing the domains sending the most blocked phishing emails at the top.

The purpose of this query is to help identify domains that are frequently sending phishing emails with malicious URLs, so they can be added to a Tenant Block List to prevent future attacks.

Details

Steven Lim profile picture

Steven Lim

Released: October 15, 2024

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoTimeGeneratedUrlNetworkMessageIdEmailEventsEmailDirectionDeliveryActionCountSenderFromDomain

Operators

wherecontainsjoinonsummarizebysortdescago

Actions