
List QR Code URLs in Delivered Inbound Email Messages Detected by Microsoft Defender XDR

Description

This KQL query lists delivered inbound emails that carry URLs Microsoft Defender XDR (Microsoft Defender for Office 365) extracted from QR codes in the message.

Risk

Phishing is one of the most common and effective attack vectors threat actors use to compromise email accounts, steal sensitive data and deliver malware. Recently, we have observed a new trend in phishing campaigns that embed QR codes in emails to evade detection and trick users into visiting malicious links. QR codes are two-dimensional barcodes that can store various kinds of data, such as URLs, text or contact information. They are widely used for convenience and ease of access, especially with mobile devices, but they also pose a security risk: a user cannot tell what a QR code contains or where it leads before scanning it with their device.

Query

Microsoft Sentinel (KQL; in Defender XDR advanced hunting, use Timestamp in place of TimeGenerated)
EmailUrlInfo
// Only URLs that Defender for Office 365 decoded from a QR code image
| where UrlLocation == "QRCode"
// innerunique keeps one EmailUrlInfo row per NetworkMessageId; use kind=inner
// if a message may carry several QR-code URLs and every URL should be listed
| join kind=innerunique (
    EmailAttachmentInfo
) on $left.NetworkMessageId == $right.NetworkMessageId
| join kind=innerunique (
    EmailEvents
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    | project-rename EmailEventsThreatTypes = ThreatTypes
    // No verdict recorded: label the row by the QR-code detection itself
    | extend EmailEventsThreatTypes = iff(isempty(ConfidenceLevel), "QRCode", EmailEventsThreatTypes)
    // ConfidenceLevel names the verdict family (Spam/Phish) and its level (Low/Normal/High);
    // a Phish verdict takes precedence over Spam, and the highest level wins
    | extend EmailEventsThreatTypes = iff(ConfidenceLevel has "Spam", "QRCode - Spam", EmailEventsThreatTypes)
    | extend EmailEventsThreatTypes = iff(ConfidenceLevel has "Phish", "QRCode - Phish", EmailEventsThreatTypes)
    | extend ConfidenceLevel = iff(ConfidenceLevel has "Low", "Low", ConfidenceLevel)
    | extend ConfidenceLevel = iff(ConfidenceLevel has "Normal", "Normal", ConfidenceLevel)
    | extend ConfidenceLevel = iff(ConfidenceLevel has "High", "High", ConfidenceLevel)
) on $left.NetworkMessageId == $right.NetworkMessageId
// At this point ThreatTypes comes from EmailAttachmentInfo (EmailUrlInfo has no such column);
// move it aside so the EmailEvents verdict can take the ThreatTypes name in the output
| project-rename EmailAttachmentInfoThreatTypes = ThreatTypes
| project-rename ThreatTypes = EmailEventsThreatTypes
| project TimeGenerated, NetworkMessageId, ThreatTypes, ConfidenceLevel, SenderFromAddress, RecipientEmailAddress, Subject, FileName, UrlDomain, Url, DeliveryAction, DeliveryLocation
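As an added hunting example (not part of the original post), the same QR-code URL logic can be rolled up per URL domain to spot a campaign rather than list individual messages. It is written for the Defender XDR advanced hunting schema (Timestamp; swap in TimeGenerated for Sentinel), keeps every QR URL with kind=inner, and the lookback, the recipient threshold and the assumed {"Spam":"...","Phish":"..."} shape of ConfidenceLevel are assumptions to tune for your tenant.

```kusto
// Added example, not the original post's query: per-domain roll-up of delivered
// inbound mail whose URLs Defender for Office 365 decoded from QR codes.
// Written for the Defender XDR advanced hunting schema (Timestamp); in Sentinel
// replace Timestamp with TimeGenerated. Lookback and threshold are assumptions.
let lookback = 7d;
let min_recipients = 3;   // assumed threshold: one domain reaching 3+ mailboxes
EmailUrlInfo
| where Timestamp > ago(lookback)
| where UrlLocation == "QRCode"
// kind=inner keeps every QR-code URL, even when one message carries several
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    // Assumes ConfidenceLevel has the form {"Spam":"...","Phish":"..."}; an
    // empty PhishConfidence simply means no phish verdict was recorded
    | extend PhishConfidence = tostring(parse_json(ConfidenceLevel).Phish)
    // Project only what the roll-up needs, so no column collides with the left side
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              Subject, ThreatTypes, PhishConfidence, DeliveryLocation
) on NetworkMessageId
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Senders = dcount(SenderFromAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Subjects = make_set(Subject, 5),
            Verdicts = make_set(ThreatTypes, 5),
            PhishLevels = make_set(PhishConfidence, 5),
            Locations = make_set(DeliveryLocation, 5),
            SampleUrl = take_any(Url)
    by UrlDomain
| where Recipients >= min_recipients
| order by Recipients desc, Messages desc
```

A single UrlDomain reaching many recipients from few senders inside a narrow FirstSeen/LastSeen window is the campaign signature to triage first; PhishLevels shows whether Defender already rated those messages as phish even though they were delivered, and Locations shows whether they landed in the inbox or in junk.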
