TTP Detection Rule: Check for Phishing Emails Using IPFS in Phishing Campaigns
TI Feed Ipfs Phishing
Query
//check for phishing emails potentially using ipfs to host malicious content used in phishing campaigns.
let domains = externaldata (data:string)[h@"https://raw.githubusercontent.com/volexity/threat-intel/main/2023/2023-06-28%20POWERSTAR/attachments/ipfs.txt"];
EmailEvents
| where Timestamp > ago (30d)
| join EmailUrlInfo on NetworkMessageId
| where Url has_any (domains) and DeliveryAction !~ "Blocked"About this query
Explanation
This query is designed to detect phishing emails that use the InterPlanetary File System (IPFS) to host malicious content. IPFS is a decentralized file hosting system that can be used in phishing campaigns to bypass traditional security measures. The query consists of two parts, each tailored for different platforms:
-
Defender XDR Query: This part of the query checks for phishing emails that might be using IPFS to host malicious content. It looks at email events from the last 30 days and checks if any URLs in the emails match known IPFS-hosted domains. If such URLs are found and the email wasn't blocked, it could indicate a phishing attempt.
-
Sentinel Query: This part checks for any subsequent connections to IPFS-hosted sites. It looks at network events from the last 30 days to see if there are any connections to the same IPFS-hosted domains identified in the email query. This helps in identifying if a phishing attack is being executed by tracking network activity related to those domains.
Overall, the query aims to identify and track phishing campaigns using IPFS, which is a more sophisticated and harder-to-detect method of phishing.
