Microsoft Defender - Advanced Hunting

Microsoft 365 has an arsenal of tools available for the ever-favored Microsoft threat hunter.

Recently we've had access to the Defender suite, and it's opened up some more opportunities for analysts to dig deeper into phishing email investigations.

Advanced Hunting in 365 is a great starting point for investigating suspicious behavior in your network. The massive range of schema tables allows it to adapt to a unique environment. What's great is that it also allows custom detection rules to discover and surface any potential threats.

This tool uses KQL (Kusto Query Language) as its query language.

Sadly, manual analysis was previously the only way forward for us in the SOC: requesting the email directly from the user. This is time-consuming (waiting for the email to arrive) and can often be left on the back burner for some time.

You can always hunt in nature if the enterprise isn't your jam, like our friend Shere Khan here.

Users who click these links are often redirected to the attacker's infrastructure: a webpage impersonating a legitimate service, convincing enough to get the user to input their credentials, which are then exfiltrated. Sometimes these sites can mimic SSO, pre-populating the user's email address or username to further leverage the so-called 'legitimacy' of the site.

Advanced hunting will let us look for the quarantined email and download any suspicious attachments that belong to it.

In this article I'll cover a few queries I've been playing with.

Email Redirect

The following query looks for any successful email redirects in the "t-dot" format (a redirector hosted under a t.<domain> hostname).

EmailUrlInfo
// This regex identifies emails containing the "T-Dot" redirector pattern in the URL:
// an http(s) URL whose host starts with t., followed by one or more path segments
// and then an /r or /redirect endpoint with a query string.
| where Url matches regex @"https?:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
    // This regex narrows in on emails that contain the known malicious domain pattern
    // in the URL from the most recent campaigns (e.g. a-bc.xyz style hostnames)
    and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"

Specifically looking for email redirects.
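The query above tells you that a matching URL exists, but not who received it or whether the message actually landed in a mailbox. As an added example (not part of the original post), the following KQL joins the URL hits to EmailEvents on NetworkMessageId so the analyst gets sender, recipient, subject and delivery outcome in one result set, and flags messages that were delivered rather than blocked. The table and column names are standard Advanced Hunting schema; the 7-day lookback and the summarize layout are my assumptions.

```kql
// Added example: enrich T-Dot redirect hits with message context and delivery outcome.
// Assumes the two regexes from the post above; lookback window is an assumption.
let lookback = 7d;
EmailUrlInfo
| where Timestamp > ago(lookback)
// Same redirector + campaign-domain patterns as the post's query
| where Url matches regex @"https?:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
    and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
// NetworkMessageId ties a URL record back to the email it was extracted from
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, SenderFromAddress, SenderMailFromAddress,
              RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
  ) on NetworkMessageId
// One row per sender/subject per hour: how many messages, who got them,
// which URLs were used, and how many were actually delivered (not blocked/junked)
| summarize Hits = count(),
            Recipients = make_set(RecipientEmailAddress, 50),
            Urls = make_set(Url, 10),
            Delivered = countif(DeliveryAction == "Delivered")
  by SenderFromAddress, Subject, bin(Timestamp, 1h)
// Delivered messages are the ones that need a recipient follow-up first
| order by Delivered desc, Hits desc
```

Sorting on Delivered first puts the messages that reached a mailbox at the top, which is where credential-reset and user-notification work should start; the Recipients set gives you that list directly without a second query.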

Malicious File Detect

This is a quick little custom query I wrote when experimenting with the tool at work. It checks for any emails that Defender picked up and blocked, categorized as malware, within the last 30 days.

EmailEvents
// Blocked messages whose threat classification includes malware, last 30 days
| where DeliveryAction contains "blocked" and ThreatTypes contains "malware" and Timestamp > ago(30d)

Notice how the first one picked up a Malicious Payload.
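A blocked-malware hit is only half the story; the analyst usually wants the attachment name and hash behind it, and wants to know whether the same file reached anyone else. As an added example (not from the original post), this KQL joins the blocked-malware messages to EmailAttachmentInfo to list the attachments and then counts how many distinct recipients saw each SHA256, which is a quick way to tell a one-off from a campaign. Tables and columns are standard Advanced Hunting schema; ThreatTypes is matched with `has` because it can hold more than one label (e.g. "Malware, Phish"), and the output layout is my choice.

```kql
// Added example: pull attachment details for blocked malware emails and
// rank them by how many recipients each file hash reached.
let lookback = 30d;
EmailEvents
| where Timestamp > ago(lookback)
// =~ is case-insensitive equality; `has` matches a whole token in a list-valued field
| where DeliveryAction =~ "Blocked" and ThreatTypes has "Malware"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryLocation, DetectionMethods
// leftouter keeps malware verdicts that had no attachment (e.g. body-only detections)
| join kind=leftouter (
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, FileName, FileType, SHA256
  ) on NetworkMessageId
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Senders = make_set(SenderFromAddress, 20),
            Subjects = make_set(Subject, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
  by SHA256, FileName, FileType
// Files seen by the most recipients first: those are the campaign-level hashes
| order by Recipients desc, Messages desc
```

The SHA256 column is what you would feed into a wider hunt across DeviceFileEvents to confirm nothing with that hash ever landed on an endpoint through a path Defender for Office didn't see; an empty SHA256 row means the verdict came from something other than an attachment.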

Further Reading

Advanced Hunting

Read more about Advanced Hunting's capabilities in the official Microsoft docs.

Advanced Hunting Queries

More examples and templates for Advanced Hunting queries.