Query Details

The Hunt For QR Phisher

Query

// The Hunt for QR Phisher
// https://www.linkedin.com/posts/0x534c_defenderxdr-qrcode-phishing-activity-7180838667928678400-72U-/

// 1. Determine the most frequently used QR-Code for phishing

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| summarize Count=count() by UrlDomain
| sort by Count desc

// 2. Determine the mail domains or IP addresses associated with QR Phisher

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| where UrlDomain contains "wap.lovetothenations.org"
| distinct SenderMailFromDomain

// Visualize QR-Phishing Attack with ADX Interactive Map

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| project SenderIPv4

// From ADX (Azure Data Explorer): import IPaddress.csv (the SenderIPv4 output of the query above) into a newly created table called QRPhish, then run the KQL query below

QRPhish
| extend ip_location=geo_info_from_ip_address(SenderIPv4)
// pull the latitude and longitude values out of the JSON text returned by geo_info_from_ip_address()
| parse ip_location with "latitude\":" latitude ",\"longitude\":" longitude "}" blank

// Hunting for QR Code AiTM Phishing

let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
let UPNAnomalousToken=
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where DetectionTimingType == "realtime"
| where RiskLevel == "medium" or RiskLevel == "high"
| where RiskState == "atRisk"
| distinct UserPrincipalName;
EmailUrlInfo
| where UrlLocation == "QRCode"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where RecipientEmailAddress has_any(UPNAnomalousToken)

Explanation

This query is designed to detect and analyze phishing attempts that use QR codes in emails. Here's a simplified summary of each part:

  1. Identify the Most Frequently Used QR Code for Phishing:

    • The query looks at inbound emails from the past 30 days.
    • It filters emails that have QR codes and were blocked due to phishing threats.
    • It counts how often each domain appears in these phishing attempts and sorts them by frequency.
  2. Identify Mail Domains or IP Addresses Associated with QR Phisher:

    • The query again looks at inbound emails from the past 30 days with blocked QR code phishing attempts.
    • It specifically filters for a known phishing domain ("wap.lovetothenations.org").
    • It lists unique sender domains associated with these phishing attempts.
  3. Visualize QR-Phishing Attack with ADX Interactive Map:

    • This part extracts the sender IPv4 addresses from the same set of blocked QR-code phishing emails.
    • The resulting list is exported (as IPaddress.csv) so that the addresses can be geolocated and plotted on a map in the next step.
  4. Import IP Address Data into ADX and Prepare for Visualization:

    • The IP address data is imported into a new table called QRPhish.
    • The query extends this data with geographical information (latitude and longitude) for mapping purposes.
  5. Hunt for QR Code AiTM (Adversary-in-the-Middle) Phishing:

    • It identifies anomalous token requests from security alerts.
    • It finds user accounts that are at medium or high risk based on these anomalous requests.
    • It then checks if any of these risky user accounts received inbound emails with QR codes.

In essence, the query sequence helps in identifying, analyzing, and visualizing phishing attempts that use QR codes, and it also cross-references these attempts with known security alerts to find potentially compromised user accounts.
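An added example, not one of the author's queries, that folds steps 3 and 4 into a single query run directly in the workspace (no IPaddress.csv export); it assumes geo_info_from_ip_address() and the map render kind are available where it is run, and it reads latitude and longitude from the dynamic result instead of string-parsing its JSON text:

```kql
// Added example (not from the original post): geolocate and map the sender IPs of
// blocked QR-code phishing emails in one query.
// Assumptions: EmailEvents/EmailUrlInfo are present, and geo_info_from_ip_address()
// plus "render ... kind=map" are supported by the workspace in use (ADX / Sentinel).
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join kind=inner EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| where isnotempty(SenderIPv4)
// one row per sending IP, keeping the message count and up to 10 QR-code domains seen from it
| summarize Messages = count(), QrDomains = make_set(UrlDomain, 10) by SenderIPv4
| extend GeoInfo = geo_info_from_ip_address(SenderIPv4)
// read the fields from the dynamic object rather than parsing the JSON string
| extend Country   = tostring(GeoInfo.country),
         City      = tostring(GeoInfo.city),
         Latitude  = toreal(GeoInfo.latitude),
         Longitude = toreal(GeoInfo.longitude)
// private or unresolvable addresses come back without coordinates; drop them before mapping
| where isnotnull(Latitude) and isnotnull(Longitude)
| project SenderIPv4, Country, City, Latitude, Longitude, Messages, QrDomains
| render scatterchart with (kind=map, xcolumn=Longitude, ycolumns=Latitude)
```

Remove the final render line to get the same result as a table, for example to feed the SenderIPv4 column into the sender-domain pivot of step 2.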

Details


Steven Lim

Released: August 2, 2024

Tables

EmailEvents, EmailUrlInfo, QRPhish, SecurityAlert, AADUserRiskEvents

Keywords

EmailEvents, EmailUrlInfo, QRCode, ThreatTypes, UrlDomain, SenderMailFromDomain, SenderIPv4, QRPhish, SecurityAlert, AADUserRiskEvents, UserPrincipalName, RecipientEmailAddress

Operators

where, join, summarize, sort, distinct, project, extend, parse, let, mv-expand, todynamic, tostring, has_any, contains, ago, count, by, on, with
