Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Help with Advance hunting query - Phishing

Brass Contributor

I'm currently working on a sphere fishing security incident; I need help with writing an advance hunting query to lookup for emails coming from specific phishing email ID/domain with malicious URL. Malicious URL takes use of the fake login page pretending to be a SharePoint login site. 

 

In my case, some users have clicked the phishing link and sent to fake login page which users have attempted to login.   

 

I need help to write KQL query to find users who received phishing email & already clicked phishing URL link on the email and entered credentials. Search those users' signing login from non-familiar location after they click phising url. 

 

EmailEvents

|where SenderMailFromAddress == 'Email address removed'
|project RecipientEmailAddress,UrlCount
 
So far, I don't know how to take recipent email address from the below query and run against the AAD signin logs? Any help is appreciated. 


3 Replies

@askvpb 

Something like this could show you the sign in events of users that received an email from said address.

I am not sure if you can see if they clicked it or not though, through these logs.

 

 

let SuspiciousEmails = toscalar(EmailEvents
| where SenderMailFromAddress == ""
| summarize make_list(RecipientEmailAddress));
let Identities = IdentityInfo
| mv-apply RecipientEmailAddress=SuspiciousEmails to typeof(string) on
(where SipProxyAddress contains RecipientEmailAddress)
| distinct AccountObjectId,RecipientEmailAddress;
AADSignInEventsBeta
| join Identities on AccountObjectId

 

 

Thank you so much @Jonhed

 

I managed to put together some KQL queries. As I'm learning this query language just need more practice to join multiple tables sources.  Please review and help to refine the query. 

 

// This query finds network communication to specific Phishing URL (confirms users has clicked the links on company issued devices)
let partialRemoteUrlToDetect = "XYZ"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents
| where Timestamp > ago(3d)
and RemoteUrl has partialRemoteUrlToDetect 
| project Timestamp, DeviceName, InitiatingProcessAccountUpn

// Above will give list of usersnames, devicename who have clicked. Take those values and run it agains the AD signin Logs, which are comming from different country. 

AADSignInEventsBeta
|where ErrorCode != 50142
|where AlternateSignInName in ('Usernames1, Usernames2, Usernames3')
|project DeviceName, OSPlatform, AccountDisplayName


// Get antivirus scan events, including completed and cancelled scans
DeviceEvents
| where ActionType startswith "AntivirusScan" and Timestamp > ago(1d)
| extend ScanDesc = parse_json(AdditionalFields)
|project Timestamp, DeviceName, ActionType, Domain = ScanDesc.Domain, ScanId= ScanDesc.ScanId, User = ScanDesc.User, ScanParametersIndex = ScanDesc.ScanParametersIndex, ScanTypeIndex = ScanDesc.ScanTypeIndex
//| where AccountName in ('Usernames1, Usernames2, Usernames3')

// Gives a list of sharing activities in cloud apps if there were any external users sharing.

CloudAppEvents
|where AccountDisplayName in ('Usernames1, Usernames2, Usernames3')
| where ActivityType == "Share"
best response confirmed by askvpb (Brass Contributor)
Solution
This might give you some ideas of how to track URLs clicked, in addition to the queries you just posted.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-tip-of-the-month-down...
1 best response

Accepted Solutions
best response confirmed by askvpb (Brass Contributor)
Solution
This might give you some ideas of how to track URLs clicked, in addition to the queries you just posted.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-tip-of-the-month-down...

View solution in original post