Query Details

Threat Hunting Microsoft Sway Quishing

Query

// Threat Hunting Microsoft Sway Quishing
// Article: https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.html
// This query summarizes all inbound emails from senders whose emails contain URLs with the new sway.cloud.microsoft domain. Additionally, it identifies the URL location (e.g., body, attachment, or QR code). A quick look at the statistics will reveal whether your tenant has been affected by the recent QR code phishing campaign exploiting Microsoft Sway to steal credentials.
// Prerequisite: MDO

EmailUrlInfo
| where TimeGenerated > ago(90d)
// Filter on the URL before the join so only candidate rows are joined.
| where Url startswith "https://sway.cloud.microsoft"
// kind=inner keeps every URL row of a message; the default join flavor (innerunique)
// keeps a single row per NetworkMessageId and could drop a second location (e.g., body plus QR code).
| join kind=inner EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| summarize Count=count() by SenderFromAddress, UrlLocation
| sort by Count desc

// MITRE ATT&CK Mapping

// Initial Access Techniques:
// T1078.004 (Valid Accounts - Cloud Accounts): Detection related to cloud accounts.
// T1190 (Exploit Public-Facing Application): Detecting exploits on internet-facing devices.
// T1566.001 (Phishing - Spearphishing Attachment): Monitoring email attachments.
// T1566.002 (Phishing - Spearphishing Link): Analyzing safe links in emails.

Explanation

This query is designed to help identify potential phishing attacks using the Microsoft Sway service. Here's a simplified summary:

  1. Purpose: The query checks all incoming emails for URLs that use the "sway.cloud.microsoft" domain, which is associated with a new phishing campaign using QR codes to steal credentials.
  2. Scope: It examines emails received in the last 90 days.
  3. Details Extracted: It looks at the sender's email address and where the URL is located within the email (e.g., in the body, attachment, or QR code).
  4. Output: The query counts the number of such emails from each sender and sorts them by the count in descending order, helping to quickly identify if your organization has been targeted by this phishing campaign.

MITRE ATT&CK Techniques Mapped:

  • T1078.004: Detects issues related to cloud accounts.
  • T1190: Identifies exploits on internet-facing applications.
  • T1566.001: Monitors email attachments for phishing.
  • T1566.002: Analyzes links in emails for phishing attempts.

Prerequisite: Microsoft Defender for Office 365 (MDO) is required to run this query.
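As an added illustration that is not part of the published query, the same steps (time window, inbound-only join on NetworkMessageId, Sway prefix match, count by sender and URL location) re-implemented in Python over constructed sample rows; every message id, address and URL below is made up, and it shows how a message carrying several URL rows contributes one count per matching location.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

SWAY_PREFIX = "https://sway.cloud.microsoft"
NOW = datetime(2024, 8, 28, tzinfo=timezone.utc)  # stand-in for now() in the query

# Constructed sample rows shaped like the two MDO tables the query joins.
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "EmailDirection": "Inbound", "SenderFromAddress": "alice@example.invalid"},
    {"NetworkMessageId": "m2", "EmailDirection": "Inbound", "SenderFromAddress": "alice@example.invalid"},
    {"NetworkMessageId": "m3", "EmailDirection": "Outbound", "SenderFromAddress": "bob@contoso.invalid"},
    {"NetworkMessageId": "m4", "EmailDirection": "Inbound", "SenderFromAddress": "carol@example.invalid"},
]
EMAIL_URL_INFO = [
    # m1 carries the same Sway link twice: once in the body and once as a QR code.
    {"NetworkMessageId": "m1", "TimeGenerated": NOW - timedelta(days=1), "Url": "https://sway.cloud.microsoft/s/abc", "UrlLocation": "Body"},
    {"NetworkMessageId": "m1", "TimeGenerated": NOW - timedelta(days=1), "Url": "https://sway.cloud.microsoft/s/abc", "UrlLocation": "QRCode"},
    # m2 mixes a benign link with a Sway link (odd casing); only the Sway row must count.
    {"NetworkMessageId": "m2", "TimeGenerated": NOW - timedelta(days=10), "Url": "https://example.invalid/unsubscribe", "UrlLocation": "Body"},
    {"NetworkMessageId": "m2", "TimeGenerated": NOW - timedelta(days=10), "Url": "HTTPS://SWAY.CLOUD.MICROSOFT/s/def", "UrlLocation": "Body"},
    # m3 is outbound and m4 is older than the 90-day window: both are excluded.
    {"NetworkMessageId": "m3", "TimeGenerated": NOW - timedelta(days=2), "Url": "https://sway.cloud.microsoft/s/ghi", "UrlLocation": "Body"},
    {"NetworkMessageId": "m4", "TimeGenerated": NOW - timedelta(days=120), "Url": "https://sway.cloud.microsoft/s/old", "UrlLocation": "Body"},
]


def hunt_sway_urls(url_info, events, now=NOW, window=timedelta(days=90)):
    """Mirror the KQL: time window, inbound-only join, Sway prefix match, count by sender and location."""
    # join ... on NetworkMessageId, restricted to EmailDirection == "Inbound"
    inbound = {e["NetworkMessageId"]: e for e in events if e["EmailDirection"] == "Inbound"}
    counts = Counter()
    for row in url_info:
        if not row["TimeGenerated"] > now - window:  # where TimeGenerated > ago(90d)
            continue
        # KQL startswith is case-insensitive, so compare lower-cased.
        if not row["Url"].lower().startswith(SWAY_PREFIX):  # where Url startswith "https://sway.cloud.microsoft"
            continue
        event = inbound.get(row["NetworkMessageId"])
        if event is None:
            continue
        # summarize Count=count() by SenderFromAddress, UrlLocation
        counts[(event["SenderFromAddress"], row["UrlLocation"])] += 1
    # sort by Count desc (Python's sort is stable, so ties keep first-seen order)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (sender, location), n in hunt_sway_urls(EMAIL_URL_INFO, EMAIL_EVENTS):
        print(f"{n:3d}  {sender:28s} {location}")
```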

Details


Steven Lim

Released: August 28, 2024

Tables

EmailUrlInfo, EmailEvents

Keywords

EmailUrlInfo, EmailEvents, NetworkMessageId, EmailDirection, Url, SenderFromAddress, UrlLocation, Count, TimeGenerated

Operators

where, join, startswith, summarize, count, by, sort, desc
