Perimeter Defense Attack Surface Reduction
Query
// Perimeter Defense - Attack Surface Reduction
// https://www.linkedin.com/posts/activity-7188046653184991232-JLS6/
// In these days cyberattacks are mostly conducted through email attacks, adversary would spray your tenant and if one of your users who happened to click on the link and with vulnerable endpoint then threat actor would probably start to gain a foothold in your environment. The below KQL checks for your organization top 10 most attack email users and query their corporate endpoints for list of vulnerabilities. I believe if you addressed those critical & high vulnerabilities of these endpoints, potentially this will help you reduce your attack surface. 🫡
let Top10AttackEmailUsers=
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound" and DeliveryAction == "Blocked"
| summarize Count=count() by RecipientEmailAddress
| sort by Count desc
| take 10
| project RecipientEmailAddress;
let Top10AttackUserDevices=
AADSignInEventsBeta
| where Timestamp > ago(7d)
| where DeviceTrustType == "Azure AD registered" or DeviceTrustType == "Hybrid Azure AD joined"
| where AccountUpn has_any(Top10AttackEmailUsers)
| distinct DeviceName;
DeviceTvmSoftwareVulnerabilities
| where DeviceName has_any(Top10AttackUserDevices)
| sort by VulnerabilitySeverityLevel asc
// MITRE ATT&CK Mapping
// T1566: Phishing - The blocked emails likely contain phishing attempts.
// Top10AttackUserDevices:
// Purpose: Finds devices associated with the top 10 email recipients from the previous query, focusing on devices that are either Azure AD registered or Hybrid Azure AD joined, within the last 7 days.
// MITRE ATT&CK Techniques:
// T1078: Valid Accounts - Identifying devices that might be used by compromised accounts.
// T1082: System Information Discovery - Gathering information about devices.
// DeviceTvmSoftwareVulnerabilities:
// Purpose: Lists software vulnerabilities on the identified devices, sorted by severity.
// MITRE ATT&CK Techniques:
// T1203: Exploitation for Client Execution - Exploiting software vulnerabilities.
// T1190: Exploit Public-Facing Application - Potential exploitation of known vulnerabilities.Explanation
This KQL query is designed to help an organization identify and mitigate potential cybersecurity threats by focusing on email-based attacks and associated device vulnerabilities. Here's a simplified breakdown:
-
Identify Top 10 Targeted Email Users:
- The query first examines email events from the past 30 days to find the top 10 email addresses within the organization that have received the most blocked inbound emails. These blocked emails are likely phishing attempts.
-
Find Associated Devices:
- It then looks at sign-in events from the past 7 days to identify devices used by these top 10 email recipients. The focus is on devices that are either "Azure AD registered" or "Hybrid Azure AD joined."
-
Check for Vulnerabilities:
- Finally, the query checks these identified devices for software vulnerabilities, sorting them by severity. This helps in prioritizing which vulnerabilities to address first.
The overall goal is to reduce the organization's attack surface by addressing critical and high-severity vulnerabilities on devices used by the most targeted email users. This proactive approach can help prevent attackers from gaining a foothold in the organization's environment.
Additionally, the query maps to specific MITRE ATT&CK techniques, indicating the types of threats and tactics being addressed, such as phishing, exploitation of software vulnerabilities, and system information discovery.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators