Forum Discussion

askvpb
Brass Contributor
Apr 04, 2022

Help with Advance hunting query - Phishing

I'm currently working on a spear-phishing security incident; I need help writing an advanced hunting query to look up emails coming from a specific phishing email ID/domain with a malicious URL. The malicious URL makes use of a fake login page pretending to be a SharePoint login site.

In my case, some users have clicked the phishing link and were sent to the fake login page, where they attempted to log in.

I need help writing a KQL query to find users who received the phishing email, already clicked the phishing URL link in the email and entered credentials, and then search those users' sign-ins from non-familiar locations after they clicked the phishing URL.

// Recipients of messages from the phishing sender (address redacted by the forum)
EmailEvents
| where SenderMailFromAddress == 'Email address removed'
| project RecipientEmailAddress, UrlCount

So far, I don't know how to take the recipient email address from the above query and run it against the AAD sign-in logs. Any help is appreciated.


  • Jonhed
    Steel Contributor

    askvpb 

    Something like this could show you the sign-in events of users that received an email from said address.

    I am not sure if you can see if they clicked it or not though, through these logs.


    let SuspiciousEmails = toscalar(EmailEvents
    | where SenderMailFromAddress == ""
    | summarize make_list(RecipientEmailAddress));
    let Identities = IdentityInfo
    | mv-apply RecipientEmailAddress=SuspiciousEmails to typeof(string) on
    (where SipProxyAddress contains RecipientEmailAddress)
    | distinct AccountObjectId,RecipientEmailAddress;
    AADSignInEventsBeta
    | join Identities on AccountObjectId
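The query above returns every sign-in by every recipient, but the original question was about sign-ins from a non-familiar location after the email arrived. The following is an added example (not Jonhed's or askvpb's query) that keeps the same idea and adds that comparison: it builds each recipient's set of sign-in countries from before their copy of the email arrived, then reports successful sign-ins after that time from a country not in that set. It also joins EmailUrlInfo so only messages carrying the fake login URL count. PhishSender, PhishUrlFragment and LookBack are placeholders to change; the join assumes the mailbox address equals the account UPN (if it does not, map through IdentityInfo as in the reply above).

```kql
// Added example, not from the thread. Placeholders: PhishSender, PhishUrlFragment, LookBack.
let PhishSender = "attacker@example.invalid";   // assumed placeholder for the sender in the incident
let PhishUrlFragment = "sharepoint-login";      // assumed placeholder for part of the fake login URL
let LookBack = 30d;                              // AADSignInEventsBeta keeps roughly 30 days
// 1. Who received the phishing message (with the malicious URL), and when their earliest copy arrived
let Recipients =
    EmailEvents
    | where Timestamp > ago(LookBack)
    | where SenderMailFromAddress =~ PhishSender or SenderFromAddress =~ PhishSender
    | join kind=inner (EmailUrlInfo | where Url has PhishUrlFragment) on NetworkMessageId
    | summarize ReceivedAt = min(Timestamp) by AccountUpn = tolower(RecipientEmailAddress);
// 2. Successful sign-ins by those recipients, each row tagged with when that user's email arrived
//    (assumes mailbox address == UPN; otherwise map through IdentityInfo first)
let SignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(LookBack)
    | where ErrorCode == 0
    | extend AccountUpn = tolower(AccountUpn)
    | join kind=inner Recipients on AccountUpn;
// 3. Countries each recipient signed in from BEFORE the email arrived = that user's familiar locations
let FamiliarCountries =
    SignIns
    | where Timestamp < ReceivedAt
    | distinct AccountUpn, Country;
// 4. Sign-ins AFTER the email arrived from a country that is not in that user's familiar set
SignIns
| where Timestamp >= ReceivedAt
| join kind=leftanti FamiliarCountries on AccountUpn, Country
| project Timestamp, AccountUpn, ReceivedAt, Country, City, IPAddress, Application,
          ClientAppUsed, IsManaged, RiskLevelDuringSignIn
| order by AccountUpn asc, Timestamp asc
```

Two caveats when reading the output: a user with no successful sign-ins before the email within the look-back window has an empty familiar set, so all of their later sign-ins are listed, and a travelling user will also show up. Treat the rows as a triage list to check against RiskLevelDuringSignIn, IsManaged and the IP, not as confirmed compromise. Where Defender for Office 365 Safe Links is in use, the UrlClickEvents table records clicks per AccountUpn and NetworkMessageId and can replace the "did they click" step that the logs above cannot answer.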


    • askvpb
      Brass Contributor

      Thank you so much Jonhed

      I managed to put together some KQL queries. As I'm learning this query language, I just need more practice joining multiple table sources. Please review and help refine the query.

      // Note: advanced hunting runs one query at a time, so each block below is run separately.

      // This query finds network communication to a specific phishing URL (confirms users have clicked the link on company-issued devices)
      let partialRemoteUrlToDetect = "XYZ"; // Change this to a URL you'd like to find machines connecting to
      DeviceNetworkEvents
      | where Timestamp > ago(3d)
          and RemoteUrl has partialRemoteUrlToDetect
      | project Timestamp, DeviceName, InitiatingProcessAccountUpn

      // The above gives a list of usernames and device names that have clicked. Take those values and run them against the AAD sign-in logs, which are coming from a different country.

      AADSignInEventsBeta
      | where ErrorCode != 50142
      // each username must be its own quoted string; a single 'a, b, c' string would match nothing
      | where AlternateSignInName in ('Usernames1', 'Usernames2', 'Usernames3')
      | project Timestamp, DeviceName, OSPlatform, AccountDisplayName, Country, IPAddress

      // Get antivirus scan events, including completed and cancelled scans
      DeviceEvents
      | where ActionType startswith "AntivirusScan" and Timestamp > ago(1d)
      // the account filter has to come before the project below, which drops AccountName
      //| where AccountName in ('Usernames1', 'Usernames2', 'Usernames3')
      | extend ScanDesc = parse_json(AdditionalFields)
      | project Timestamp, DeviceName, ActionType, Domain = ScanDesc.Domain, ScanId = ScanDesc.ScanId, User = ScanDesc.User, ScanParametersIndex = ScanDesc.ScanParametersIndex, ScanTypeIndex = ScanDesc.ScanTypeIndex

      // Gives a list of sharing activities in cloud apps if there were any external users sharing.

      CloudAppEvents
      | where AccountDisplayName in ('Usernames1', 'Usernames2', 'Usernames3')
      | where ActivityType == "Share"
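The three queries above pass results between tables by hand: the usernames from the DeviceNetworkEvents query are retyped into the sign-in and CloudAppEvents queries, and nothing ties a sign-in to the time of the click. The following is an added example (not askvpb's query) that joins the tables instead. It takes the accounts seen reaching the phishing page from a company device, then keeps only successful sign-ins in a window after that account's click that did not come from the device that clicked, and share activity by the same accounts in the same window. The join uses the Azure AD object ID (InitiatingProcessAccountObjectId / AccountObjectId), which avoids the alias problem of joining on display names. PhishUrlFragment and Window are placeholders.

```kql
// Added example, not from the thread. Placeholders: PhishUrlFragment, Window.
let PhishUrlFragment = "sharepoint-login";   // assumed placeholder for part of the fake login page URL
let Window = 48h;                            // how long after a click a sign-in or share counts as related
// 1. Accounts that reached the phishing page from a company device, with their first click time.
//    Keyed on the AAD object ID so the later joins do not depend on display names or aliases.
let Clicks =
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has PhishUrlFragment
    | where isnotempty(InitiatingProcessAccountObjectId)
    | summarize ClickedAt = min(Timestamp),
                ClickDevice = take_any(DeviceName),
                AccountUpn = take_any(InitiatingProcessAccountUpn)
      by AccountObjectId = InitiatingProcessAccountObjectId;
// 2. Successful sign-ins inside the window after the click that did NOT come from the device that clicked.
//    A sign-in from an unregistered or different device shortly after the click is the pattern to review.
let SuspectSignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(7d) and ErrorCode == 0
    | join kind=inner Clicks on AccountObjectId
    | where Timestamp between (ClickedAt .. (ClickedAt + Window))
    | where DeviceName !~ ClickDevice
    | extend Source = "SignIn"
    | project Source, Timestamp, AccountUpn, ClickedAt, ClickDevice, DeviceName, IsManaged,
              Country, IPAddress, Application, RiskLevelDuringSignIn;
// 3. Share activity in cloud apps by the same accounts in the same window (what the session was used for)
let SuspectShares =
    CloudAppEvents
    | where Timestamp > ago(7d) and ActivityType == "Share"
    | join kind=inner Clicks on AccountObjectId
    | where Timestamp between (ClickedAt .. (ClickedAt + Window))
    | extend Source = "Share"
    | project Source, Timestamp, AccountUpn, ClickedAt, Application, ObjectName,
              IPAddress, CountryCode, IsExternalUser;
// 4. One timeline per account: sign-ins and shares interleaved in time order
union SuspectSignIns, SuspectShares
| order by AccountUpn asc, Timestamp asc
```

The DeviceName comparison only excludes the clicking device, so the user's own sign-ins from a second corporate device will still appear; IsManaged and RiskLevelDuringSignIn are projected so those rows can be dismissed quickly. Devices without the Defender sensor (personal phones, home PCs) do not appear in DeviceNetworkEvents at all, so an empty result here does not mean nobody clicked.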
