Storm-0539 AiTM URLs - EmailEvents
STORM 0539 URL Paths Email
Query
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join kind=inner EmailEvents on NetworkMessageIdAbout this query
Storm-0539 AiTM URLs - EmailEvents
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1557 | Adversary-in-the-Middle | https://attack.mitre.org/techniques/T1557/ |
Description
Microsoft Threat Intelligence has identified that the following url parts are used by Storm-0539 to deploy AiTM phishing pages:
- /Udlaps/
- /Usrlop/
- /adls/index.html
- /saml2/index.html
This query lists matches on the parts of the URL if found in emails.
Risk
These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to steal credentials and session tokens.
References
Defender XDR
Sentinel
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join kind=inner EmailEvents on NetworkMessageId
Explanation
This query is designed to identify potentially malicious emails that contain specific URL patterns associated with a phishing campaign by a group known as Storm-0539. The URLs in question are used to create adversary-in-the-middle (AiTM) phishing pages, which can capture sensitive information like credentials and session tokens.
Here's a simple breakdown of what the query does:
-
Define Target URLs: It sets up a list of URL parts that are known to be used in phishing attacks by Storm-0539. These include:
/Udlaps//Usrlop//adls/index.html/saml2/index.html
-
Search for Matches: It searches through email data to find any emails that contain these URL parts.
-
Join with Email Events: It combines the results with email event data to provide more context about the emails that contain these URLs.
The purpose of this query is to help security teams quickly identify and respond to phishing threats by highlighting emails that may be part of this malicious activity.
