Query Details

Detect Inbound Phish With Base64 Encoded Receipient

Query

EmailEvents
| where EmailDirection == "Inbound"
    and not(DeliveryLocation  == "Quarantine")
| where AuthenticationDetails has_any("temperror","none","fail","softfail")
    and UrlCount > 0
| extend B64 = base64_encode_tostring(RecipientEmailAddress)
| join kind=inner EmailUrlInfo on NetworkMessageId
| where Url contains B64
| project-away *1
| join kind=leftouter UrlClickEvents on NetworkMessageId

About this query

Detect Inbound Phish With Base64 Encoded Receipient

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1566.002Spearphishing Linkhttps://attack.mitre.org/techniques/T1566/002/

Description

This hunting query detects inbound E-mails which have not deliverd to quarantine, which contain URL's with base 64 encoded receipients E-mail address.

References

Microsoft 365 Defender

Explanation

This query is used to detect inbound emails that have not been delivered to quarantine and contain URLs with base64 encoded recipient email addresses. It looks for emails with certain authentication details and a non-zero number of URLs. It then encodes the recipient email address in base64 and joins it with the email URL information. Finally, it checks if the URL contains the base64 encoded recipient email address and joins it with URL click events.

Details

Gianni Castaldi profile picture

Gianni Castaldi

Released: September 1, 2023

Tables

EmailEventsEmailUrlInfoUrlClickEvents

Keywords

DevicesIntuneUser

Operators

wherenothas_anyand>extendjoincontainsproject-awayleftouter

MITRE Techniques

Actions

GitHub