Phishing Campaigns Leveraging Microsoft Forms
Query
// Phishing campaigns leveraging Microsoft Forms
// https://www.linkedin.com/posts/activity-7223704172028665858-99AA/
// The below KQL will help you pick up some forms phisherš«”
EmailUrlInfo
| where Timestamp > ago(1h)
| join EmailEvents on NetworkMessageId
| extend AuthDetail = parse_json(AuthenticationDetails)
| where EmailDirection == "Inbound"
| where UrlDomain == "forms.microsoft.com"
| where AuthDetail.SPF == "fail" and AuthDetail.DKIM == "fail" and AuthDetail.DMARC == "fail"
// MITRE ATT&CK Mapping
// The KQL query can be mapped to the following MITRE ATT&CK techniques:
// T1566.001 - Phishing: Spearphishing Attachment:
// The query is looking for inbound emails with specific characteristics that could indicate a phishing attempt, especially with failed authentication checks.
// T1071.001 - Application Layer Protocol: Web Protocols:
// The use of URLs in emails, particularly those pointing to forms.microsoft.com, can be indicative of attempts to use web protocols for malicious purposes.
// T1589.002 - Gather Victim Identity Information: Email Addresses:
// The focus on inbound emails and specific domains suggests an attempt to gather or exploit email addresses.
// T1078 - Valid Accounts:
// The failed authentication checks (SPF, DKIM, DMARC) could indicate attempts to use or spoof valid accounts.Explanation
This KQL query is designed to identify potential phishing attempts using Microsoft Forms. Here's a simplified breakdown:
-
Data Source: The query examines data from
EmailUrlInfoandEmailEventstables. -
Time Frame: It focuses on emails received in the last hour (
Timestamp > ago(1h)). -
Email Direction: It filters for inbound emails (
EmailDirection == "Inbound"). -
Target Domain: The query specifically looks for emails containing URLs that point to
forms.microsoft.com. -
Authentication Checks: It checks for emails that fail all three major email authentication protocols: SPF, DKIM, and DMARC (
AuthDetail.SPF == "fail",AuthDetail.DKIM == "fail",AuthDetail.DMARC == "fail"). -
Purpose: By identifying emails that meet these criteria, the query aims to detect phishing campaigns that might be using Microsoft Forms to deceive recipients.
-
Security Framework: The query is mapped to several MITRE ATT&CK techniques, indicating its relevance to specific types of cyber threats:
- T1566.001: Phishing through email attachments.
- T1071.001: Use of web protocols for malicious activities.
- T1589.002: Gathering or exploiting email addresses.
- T1078: Attempting to use or spoof valid accounts.
In essence, this query helps security teams identify suspicious emails that could be part of a phishing campaign leveraging Microsoft Forms, especially those that fail standard email authentication checks.
