Query Details

The Hunt For QR Phisher

Query

// The Hunt for QR Phisher
// https://www.linkedin.com/posts/0x534c_defenderxdr-qrcode-phishing-activity-7180838667928678400-72U-/

// 1. Determine the most frequently used QR-Code for phishing

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| summarize Count=count() by UrlDomain
| sort by Count desc

// 2. Determine the mail domains or IP addresses associated with QR Phisher

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| where UrlDomain contains "wap.lovetothenations.org"
| distinct SenderMailFromDomain

// Visualize QR-Phishing Attack with ADX Interactive Map

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| project SenderIPv4 

//From ADX (Azure Data Explorer) import the IPaddress.csv into a newly created Table called QRPhish, run the below KQL query

QRPhish
| extend ip_location=geo_info_from_ip_address(SenderIPv4)
| parse ip_location with "latitude\":" latitude ",\"longitude\":" longitude "}" blank

// Hunting for QR Code AiTM Phishing

let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
let UPNAnomalousToken=
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where DetectionTimingType == "realtime"
| where RiskLevel == "medium" or RiskLevel == "high"
| where RiskState == "atRisk"
| distinct UserPrincipalName;
EmailUrlInfo
| where UrlLocation == "QRCode"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where RecipientEmailAddress has_any(UPNAnomalousToken)

// MITRE ATT&CK Mapping

// T1566.002: Phishing: Spearphishing Link
// T1204.001: User Execution: Malicious Link
// T1590.005: Gather Victim Network Information: IP Addresses
// T1592.001: Gather Victim Host Information: IP Address
// T1071.001: Application Layer Protocol: Web Protocols
// T1589.002: Gather Victim Network Information: Email Addresses
// T1078.003: Valid Accounts: Cloud Accounts

Explanation

This KQL query is designed to identify and analyze phishing attempts that use QR codes in emails. Here's a simplified breakdown of what each part of the query does:

  1. Identify the Most Frequently Used QR Code for Phishing:

    • The query looks at inbound emails from the past 30 days.
    • It filters for emails where a QR code was used in the URL and the email was blocked due to phishing threats.
    • It counts how often each domain appears in these blocked emails and sorts them to find the most frequently used domains.
  2. Identify Mail Domains or IP Addresses Associated with QR Phisher:

    • Similar to the first part, it focuses on inbound emails with blocked QR code URLs.
    • It specifically looks for emails associated with the domain "wap.lovetothenations.org" and lists the distinct sender domains.
  3. Visualize QR-Phishing Attacks with an Interactive Map:

    • This part extracts the sender's IP addresses from the blocked phishing emails.
    • It uses these IP addresses to create a geographical visualization of where the phishing attacks might be originating from.
  4. Import IP Address Data for Further Analysis:

    • It suggests importing IP address data into a table called QRPhish.
    • The query then extracts latitude and longitude information from these IP addresses for mapping purposes.
  5. Hunt for QR Code AiTM (Adversary-in-the-Middle) Phishing:

    • It identifies anomalous token requests from security alerts.
    • It cross-references these with user risk events to find users at medium or high risk.
    • It then checks if any inbound emails with QR codes were sent to these at-risk users.
  6. MITRE ATT&CK Mapping:

    • The query maps the identified phishing activities to specific MITRE ATT&CK tactics and techniques, such as spearphishing links, malicious link execution, and gathering victim network information.

Overall, this query is a comprehensive approach to detecting, analyzing, and visualizing phishing attacks that utilize QR codes, providing insights into the domains and IP addresses involved, and mapping these activities to known cybersecurity frameworks.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

EmailEventsEmailUrlInfoQRPhishSecurityAlertAADUserRiskEvents

Keywords

EmailEventsEmailUrlInfoNetworkMessageIdUrlDomainSenderMailFromDomainSenderIPv4QRPhishSecurityAlertAADUserRiskEventsUserPrincipalNameRecipientEmailAddressAnomalousTokenRequestIdUPNAnomalousTokenTimestampEmailDirectionUrlLocationLatestDeliveryActionThreatTypesRequestIdRiskLevelRiskStateAlertNameDetectionTimingTypeLatitudeLongitudeGeoInfoFromIPAddressAzureDataExplorerQRCodePhishingInboundBlockedDistinctSummarizeSortProjectExtendParseJoinLetMvExpandTodynamicTostringContainsHasAny

Operators

agojoincontainssummarizesortdistinctprojectextendparseletmv-expandtodynamictostringhas_any

Actions

GitHub