Emails With O Auth Requests
Query
// Hunt for potential phishing emails that link to a Microsoft OAuth login
// OAuth tokens can grant the 3rd party permissions without stealing credentials
// Logins take place on login.windows.net or login.microsoftonline.com which is less suspicious
EmailUrlInfo
| where Url contains "https://login.windows.net/common/oauth2" or Url contains "https://login.microsoftonline.com/consumers/oauth2"
| where Url contains "redirect_uri"
| join EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| where EmailDirection == "Inbound"Explanation
This query is searching for potential phishing emails that contain links to a Microsoft OAuth login. OAuth tokens can give third parties permissions without stealing login credentials. The query filters for emails that have URLs containing "https://login.windows.net/common/oauth2" or "https://login.microsoftonline.com/consumers/oauth2" and also contain "redirect_uri". It then joins the results with email events and filters for inbound emails.
Details

C.J. May
Released: November 8, 2021
Tables
EmailUrlInfoEmailEvents
Keywords
EmailUrlInfoUrlEmailEventsNetworkMessageIdEmailDirection
Operators
wherecontainsorjoinon==