Query Details

Threat Hunting Voice Phishing For Teams

Query

//Threat hunting voice phishing for Teams
//https://www.linkedin.com/feed/update/urn:li:activity:7168258404447186945/

//Threat hunting voice phishing 👄🐟 (or "vishing") with Copilot 🤖 for Microsoft 365 (Mitre Technique T1598.004)

//Download your Teams PSTN usage report and open it in Excel with Copilot. Enter the prompt:
//Which "caller number" appear the most time with different unique "Display Name" where the "Call Direction" is inbound and "Success" is No ?

//As shown in the original post's screenshot (right side), Copilot identified the vishing number "XXXXXXX2650" with a distinct count of 23. Most of these calls end up in voicemail, and the voicemail transcript is then emailed back to the user.

//To validate that Copilot identified the correct vishing number "XXXXXXX2650", run the KQL below in DefenderXDR Advanced Hunting:
EmailEvents
| where SenderMailFromAddress contains "noreply_skype_voicemail"
| where SenderFromAddress !contains "@"
| where SenderFromAddress contains "XXXXXXX2650"
| project SenderFromAddress, Subject


Explanation

This query is part of a threat-hunting exercise focused on identifying voice phishing (vishing) attempts in Microsoft Teams. Here's a simplified summary:

  1. Objective: Identify a phone number frequently used in vishing attempts, where the caller number appears multiple times with different display names, and the call direction is inbound with unsuccessful call attempts.

  2. Steps:

    • Download and Analyze PSTN Report: Download the Teams PSTN (Public Switched Telephone Network) usage report and use Copilot in Excel to analyze it.
    • Prompt for Analysis: Use a specific prompt in Copilot to find the caller number that appears most frequently with different display names, where the call direction is inbound and the call was not successful.
    • Identify Vishing Number: Copilot identifies a suspicious number (e.g., "XXXXXXX2650") that appears multiple times (23 times in this case).
  3. Validation:

    • Run KQL Query in DefenderXDR: Use the provided KQL (Kusto Query Language) query in DefenderXDR Advanced Hunting to validate the identified vishing number.
    • Query Details: The query searches for email events where the sender's email address contains "noreply_skype_voicemail" and the sender's address does not contain "@" but does contain the identified vishing number ("XXXXXXX2650").
    • Output: The query projects (displays) the sender's address and the email subject to confirm the vishing activity.

In essence, this process helps in detecting and validating potential vishing attempts by analyzing call data and corroborating it with email events.
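The PSTN-report step above is done with Copilot in Excel; the same ranking can be reproduced offline. The following is an added example, not code from the original post: it reads a constructed PSTN usage export (the column names "Caller Number", "Display Name", "Call Direction" and "Success" are assumed from the prompt quoted above, not verified against a real export) and ranks caller numbers by how many distinct display names they reached on failed inbound calls, the pattern the post uses to spot the vishing number.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Teams PSTN usage export. Column names are
# assumed from the Copilot prompt on this page; "XXXXXXX2650" is the masked
# number from the original post, the other numbers and names are made up.
SAMPLE_PSTN_CSV = """Caller Number,Display Name,Call Direction,Success
XXXXXXX2650,Alice Tan,Inbound,No
XXXXXXX2650,Bob Lee,Inbound,No
XXXXXXX2650,Carol Ng,Inbound,No
XXXXXXX2650,Alice Tan,Inbound,No
XXXXXXX2650,Dan Ho,Outbound,No
XXXXXXX1234,Alice Tan,Inbound,No
XXXXXXX1234,Alice Tan,Inbound,Yes
XXXXXXX9876,Eve Lim,Inbound,Yes
"""


def rank_failed_inbound_callers(csv_text, min_distinct=2):
    """Return (caller_number, distinct_display_name_count) pairs, highest first.

    Only inbound calls with Success == No are counted, and each display name
    is counted once per caller, so a number that repeatedly hits many
    different users without completing a call rises to the top. Callers
    below min_distinct distinct targets are dropped as noise.
    """
    names_per_caller = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Call Direction"].strip().lower() != "inbound":
            continue
        if row["Success"].strip().lower() != "no":
            continue
        caller = row["Caller Number"].strip()
        names_per_caller[caller].add(row["Display Name"].strip())
    ranked = sorted(
        ((caller, len(names)) for caller, names in names_per_caller.items()),
        key=lambda pair: (-pair[1], pair[0]),
    )
    return [(caller, count) for caller, count in ranked if count >= min_distinct]


if __name__ == "__main__":
    for caller, count in rank_failed_inbound_callers(SAMPLE_PSTN_CSV):
        print(f"{caller}: {count} distinct display names on failed inbound calls")
```

The top caller number returned is the value to substitute into the EmailEvents KQL above to confirm the matching voicemail notifications.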

Details

Steven Lim

Released: August 2, 2024

Tables

EmailEvents

Keywords

EmailEvents

Operators

contains, !contains, project, where