Query Details

Crowdstrike Suspicious Domains

Query

let ThreatIntelFeed = externaldata(Domain: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/crowdstrike-phishing-domains.csv"] with (format="csv", ignoreFirstRecord=True)
| project Domain = tolower(Domain);
EmailEvents
| join kind=inner ThreatIntelFeed on $left.SenderMailFromDomain == $right.Domain
| join EmailEvents on NetworkMessageId

About this query

Explanation

This query looks for suspicious domains related to phishing attacks impersonating Crowdstrike support after a recent incident. It uses a curated list of domains to identify potential threats in email and URL data. The goal is to detect and prevent phishing attacks targeting organizations.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: July 20, 2024

Tables

EmailUrlInfo EmailEvents

Keywords

CrowdstrikeSuspiciousDomainsPhishingThreatIntelFeedEmailUrlInfoEmailEventsSenderMailFromDomainNetworkMessageIdInitial AccessT1566

Operators

tolowerjoinkindinnerprojectexternaldatawithformatignoreFirstRecordon

MITRE Techniques

Actions

GitHub