Query Details

Potential Phishing Campaign

Email Potential Phishing Campaign

Query

let RareDomainThreshold = 20;
let TotalSenderThreshold = 1;
let RareDomains = EmailEvents
| summarize TotalDomainMails = count() by SenderFromDomain
| where TotalDomainMails <= RareDomainThreshold
| project SenderFromDomain;
EmailEvents
| where EmailDirection == "Inbound"
| where SenderFromDomain in (RareDomains)
| where isnotempty(EmailClusterId)
| join kind=inner EmailUrlInfo on NetworkMessageId
| summarize Subjects = make_set(Subject), Senders = make_set(SenderFromAddress) by EmailClusterId
| extend TotalSenders = array_length(Senders)
| where TotalSenders >= TotalSenderThreshold

About this query

Explanation

This query is designed to identify potential phishing campaigns targeting an organization by analyzing email patterns. Here's a simplified explanation:

  1. Objective: The query aims to detect phishing emails that come from different senders but have similar content, indicated by the same EmailClusterId. It focuses on emails that include URLs, as these are often used in phishing attempts.

  2. Key Concepts:

    • EmailClusterId: This is a unique identifier for a group of emails that are similar in content. It helps in identifying emails that are part of the same campaign, even if they have slight variations.
    • Rare Domains: The query filters for emails from domains that send a low volume of emails (below a specified threshold), as these could be suspicious.
    • Thresholds:
      • RareDomainThreshold is set to 20, meaning it considers domains that have sent 20 or fewer emails as rare.
      • TotalSenderThreshold is set to 1, meaning it looks for clusters with at least one sender.
  3. Process:

    • First, it identifies domains that send a low number of emails (rare domains).
    • Then, it filters inbound emails from these rare domains that have a non-empty EmailClusterId.
    • It joins this data with another table (EmailUrlInfo) to ensure the emails contain URLs.
    • Finally, it groups the emails by EmailClusterId, collecting the subjects and senders, and checks if there are multiple senders for the same cluster.
  4. Risk: The presence of emails from different senders but with similar content suggests a phishing campaign using multiple email addresses to target the organization.

  5. Adjustments: The query can be tailored to specific environments by adjusting the RareDomainThreshold and TotalSenderThreshold to better fit the organization's email patterns and risk tolerance.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

EmailEventsEmailUrlInfo

Keywords

EmailEventsUrlInfoNetworkMessageIdSenderFromDomainClusterSubjectAddress

Operators

letsummarizecountbywhereprojectinisnotemptyjoinkind=inneronmake_setextendarray_length

MITRE Techniques

Actions

GitHub