MDO Enhancing Email Security With NRD Filtering
Query
// DefenderXDR Custom Detection Rule
// Newly Registered Domains (NRD) A daily updated list of newly registered domains from the past 14 and 30 days
// All inbound email URL domains scanned against NRD, if found move to junk first wait for analyst further triage
let NRDTable=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/xRuffKez/NRD/refs/heads/main/lists/30-day_phishing/domains-only/nrd-phishing-30day.txt']
| parse RawData with NRD:string;
EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound" and DeliveryAction != "Blocked"
| join NRDTable on $left.UrlDomain == $right.NRD
// MITRE ATT&CK Technique
// Acquire Infrastructure: Domains technique, specifically T1583.0011Explanation
This query is part of a custom detection rule for DefenderXDR, designed to identify potentially malicious emails based on newly registered domains (NRDs). Here's a simplified breakdown of what the query does:
-
NRD Data Source: It retrieves a list of newly registered domains from an external data source, specifically a GitHub repository containing domains registered in the past 30 days.
-
Email Data Filtering: It examines email data from the last hour, focusing on inbound emails that were not blocked.
-
Domain Matching: It checks if the domain of any URLs in these emails matches any domain in the NRD list.
-
Action: If a match is found, the email is moved to the junk folder for further analysis by an analyst.
-
Security Context: The query references a specific MITRE ATT&CK technique, "Acquire Infrastructure: Domains" (T1583.0011), indicating that this process is part of a broader strategy to detect and mitigate threats involving newly registered domains.
