Crowdstrike Suspicious Domains
Query
let ThreatIntelFeed = externaldata(Domain: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/crowdstrike-phishing-domains.csv"] with (format="csv", ignoreFirstRecord=True)
| project Domain = tolower(Domain);
EmailEvents
| join kind=inner ThreatIntelFeed on $left.SenderMailFromDomain == $right.Domain
| join EmailEvents on NetworkMessageIdAbout this query
Explanation
This query looks for suspicious domains related to phishing attacks impersonating Crowdstrike support after a recent incident. It uses a curated list of domains to identify potential threats in email and URL data. The goal is to detect and prevent phishing attacks targeting organizations.
Details

Michalis Michalos
Released: July 20, 2024
Tables
EmailUrlInfo
EmailEvents
Keywords
CrowdstrikeSuspiciousDomainsPhishingThreatIntelFeedEmailUrlInfoEmailEventsSenderMailFromDomainNetworkMessageIdInitial AccessT1566
Operators
tolowerjoinkindinnerprojectexternaldatawithformatignoreFirstRecordon
MITRE Techniques