Query Details

Threat Hunting Voice Phishing For Teams

Query

//Threat hunting voice phishing for Teams
//https://www.linkedin.com/feed/update/urn:li:activity:7168258404447186945/

//Threat hunting voice phishing πŸ‘„πŸŸ (or "vishing") with Copilot πŸ€– for Microsoft 365 (Mitre Technique T1598.004)

//Download your Teams PSTN usage report and open your report with Copilot Excel. Enter the prompt:
//Which "caller number" appear the most time with different unique "Display Name" where the "Call Direction" is inbound and "Success" is No ?

//As shown below (right side), Copilot identified the vishing number "XXXXXXX2650" with distinct count of 23 times. Most of these calls will be ended up in voicemail and transcript as email voice email back to the user.

//To validate Copilot identified the correct vishing number "XXXXXXX2650", in DefenderXDR Advanced Hunting run the below KQL:
EmailEvents
| where SenderMailFromAddress contains "noreply_skype_voicemail"
| where SenderFromAddress !contains "@"
| where SenderFromAddress contains "XXXXXXX2650"
| project SenderFromAddress, Subject


// MITRE ATT&CK Mapping

// Based on the filtering criteria, this query is likely aimed at detecting phishing or suspicious email activities. Here are the relevant MITRE ATT&CK techniques:

// Phishing (T1566):
// T1566.001: Spearphishing Attachment - The query looks for specific patterns in email addresses that could indicate phishing attempts.
// T1566.002: Spearphishing Link - The absence of β€œ@” in the sender’s address and the presence of specific patterns might indicate attempts to deceive recipients.
// Command and Control (T1071):
// T1071.003: Application Layer Protocol - The use of email as a communication channel for malicious activities.
// Credential Access (T1110):
// T1110.001: Password Guessing - The query might help identify attempts to use compromised email accounts.

Explanation

This query is part of a threat-hunting exercise focused on identifying potential voice phishing (vishing) activities targeting Microsoft Teams users. Here's a simplified breakdown:

  1. Objective: The goal is to detect suspicious phone numbers that might be involved in vishing attacks. Specifically, it looks for phone numbers that frequently appear with different display names in inbound calls that were unsuccessful.

  2. Process:

    • Data Collection: Start by downloading the Teams PSTN (Public Switched Telephone Network) usage report.
    • Analysis with Copilot: Use Microsoft 365's Copilot in Excel to analyze the report. The prompt used in Copilot seeks to identify the "caller number" that appears most frequently with different "Display Names" where the call direction is inbound and the call was not successful.
  3. Outcome: Copilot identifies a specific phone number (e.g., "XXXXXXX2650") as suspicious, appearing 23 times with different display names. These calls often end up in voicemail, which is then transcribed and emailed back to the user.

  4. Validation: To confirm the suspicious number, a KQL query is run in DefenderXDR Advanced Hunting. This query searches for emails from "noreply_skype_voicemail" that contain the suspicious number in the sender's address, but lack the "@" symbol, indicating potential phishing activity.

  5. MITRE ATT&CK Techniques: The query aligns with several MITRE ATT&CK techniques related to phishing and suspicious email activities:

    • Phishing (T1566): Identifying patterns in email addresses that suggest phishing.
    • Command and Control (T1071): Using email as a channel for malicious activities.
    • Credential Access (T1110): Detecting attempts to exploit compromised email accounts.

In summary, this query helps identify and validate potential vishing threats by analyzing call patterns and email activities, using both Excel and KQL in a security context.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

EmailEvents

Keywords

EmailEventsSenderMailFromAddressSubjectTeamsPSTNUsageReportCopilotExcelUserDefenderXDRAdvancedHuntingPhishingVishingMicrosoft365MitreTechnique

Operators

EmailEventswherecontains!containsproject

Actions

GitHub