Spamhaus 10 Most Abused Tlds
Query
let SpamhausTLD = externaldata(TLD: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/spamhaus-abused-tlds.csv"] with (format="csv", ignoreFirstRecord=True);
let Timeframe = 1d; // Choose the best timeframe for your investigation
let SMFDEvents = EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Inbound"
| where SenderMailFromDomain has_any (SpamhausTLD)
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction;
let SFDEvents = EmailEvents
| where Timestamp > ago(Timeframe)
| where EmailDirection == "Inbound"
| where SenderFromDomain has_any (SpamhausTLD)
| project Timestamp, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction;
(union isfuzzy=true
(SMFDEvents),
(SFDEvents)
| summarize SenderMailFromAddresses = make_set(SenderMailFromAddress), SenderFromAddresses = make_set(SenderFromAddress), TimeReceived = arg_max(Timestamp, *) by NetworkMessageId
| project-reorder TimeReceived, NetworkMessageId, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, DeliveryAction, ThreatTypes, EmailAction, EmailActionPolicy, UserLevelAction, UserLevelPolicy, LatestDeliveryLocation, LatestDeliveryAction
| sort by TimeReceived
)About this query
Spamhaus 10 Most Abused TLDs
Description
The following query will hunt for inbound emails with SenderMailFromDomain and SenderFromDomain that match Spamhaus 10 Most Abused Top Level Domains.
References
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Initial Access
- Technique ID: T1566
- Phishing
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 21/01/2024 | Initial publish |
Explanation
This query is designed to identify potentially malicious inbound emails by checking if the domains of the senders match the top 10 most abused top-level domains (TLDs) as identified by Spamhaus. Here's a simplified breakdown of what the query does:
-
Data Source: It uses a list of the most abused TLDs from Spamhaus, which is fetched from an external CSV file hosted on GitHub.
-
Timeframe: The query looks at email events from the past day (1 day).
-
Email Filtering:
- It examines inbound emails where either the "SenderMailFromDomain" or "SenderFromDomain" matches any of the TLDs in the Spamhaus list.
- It captures various details about these emails, such as the sender's address, recipient's address, sender's IP, and any actions or policies applied to the email.
-
Data Processing:
- It combines results from two checks (one for each domain type) into a single dataset.
- It summarizes the data to list unique sender addresses and the most recent time each email was received, organized by the email's network message ID.
- The results are sorted by the time the emails were received.
-
Purpose: This query helps in identifying phishing attempts or other malicious activities by flagging emails from domains known to be frequently abused.
-
Security Context: It maps to the MITRE ATT&CK framework under the "Initial Access" tactic, specifically focusing on the "Phishing" technique (T1566).
In essence, this query is a tool for security analysts to detect and investigate potentially harmful emails based on known risky domains.
Details

Michalis Michalos
Released: January 21, 2024
Tables
Keywords
Operators
MITRE Techniques