Query Details

Detect Malicious Impersonation Of Deepseek Domains In Email UR Ls

Query

// Detect Malicious Impersonation of Deepseek Domains in Email URLs

// Utilize this straightforward KQL tool for inbound email URL analysis to identify domains potentially impersonating Deepseek for malicious purposes. This empowers SecOps to verify domain authenticity and block threats at the tenant level.

EmailUrlInfo
| join EmailEvents on NetworkMessageId
| where UrlDomain has "deepseek" and (UrlDomain !endswith "deepseek.com" or SenderFromDomain != "deepseek.com")
| where EmailDirection == "Inbound" and LatestDeliveryAction != "Blocked"
| summarize Count=count() by UrlDomain
| where Count >= 3

Explanation

This KQL query is designed to identify potentially malicious domains in inbound email URLs that are impersonating the legitimate "deepseek.com" domain. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by analyzing data from EmailUrlInfo and EmailEvents tables, focusing on inbound emails.

  2. Domain Check: It looks for URLs that contain the word "deepseek" but are not the legitimate "deepseek.com" domain. It also checks if the sender's domain is not "deepseek.com".

  3. Email Direction and Action: The query filters for emails that are inbound and have not been blocked.

  4. Counting Impersonations: It counts the occurrences of each suspicious domain.

  5. Threshold for Action: It only considers domains that appear at least three times as potentially malicious.

This helps security operations teams (SecOps) identify and verify suspicious domains that might be trying to impersonate "deepseek.com" and take necessary actions to block these threats at the organizational level.

Details

Steven Lim profile picture

Steven Lim

Released: January 30, 2025

Tables

EmailUrlInfoEmailEvents

Keywords

EmailUrlInfoEventsNetworkMessageIdDomainSenderFromDirectionLatestDeliveryActionCount

Operators

joinonwherehas!endswith!===summarizeby>=

Actions

GitHub