Azure · damozes1 · Jan 29, 2025 · Jan 31, 2025
@@ -0,0 +1,26 @@
+id: a7acfaf4-e03e-409d-a16e-dcde33f7dba3
+name: Automated email notifications and suspicious sign-in activity
+description: |
+  This query helps hunting for Automated email notifications and suspicious sign-in activity
+description-detailed: |
+  This query helps hunting for Automated email notifications and suspicious sign-in activity. 
+  By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+  - AADSignInEventsBeta
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+ let usersWithSuspiciousEmails = EmailEvents
+ | where SenderFromAddress in ("[email protected]", "[email protected]") or InternetMessageId startswith "<OneTimePasscode"
+ | where isnotempty(RecipientObjectId)
+ | distinct RecipientObjectId;
+ AADSignInEventsBeta
+ | where AccountObjectId in (usersWithSuspiciousEmails)
+ | where RiskLevelDuringSignIn == 100
+version: 1.0.0
@@ -0,0 +1,30 @@
+id: 6e056084-8951-460d-93f9-525880062de9
+name: BEC - File sharing tactics - Dropbox
+description: |
+  This query helps hunting for BEC - File sharing tactics - Dropbox
+description-detailed: |
+  This query helps hunting for BEC - File sharing tactics - Dropbox. 
+  It highlights that highlights that a file hosted on Dropbox has been shared with multiple participants.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T1021
+query: |
+  CloudAppEvents
+  | where ActionType in ("Added users and/or groups to shared file/folder", "Invited user to Dropbox and added them to shared file/folder")
+  | where Application == "Dropbox"
+  | where ObjectType == "File"
+  | extend FileShared = tostring(ObjectName)
+  | where isnotempty(FileShared)
+  | mv-expand ActivityObjects
+  | where ActivityObjects.Type == "Account" and ActivityObjects.Role == "To"
+  | extend SharedBy = AccountId
+  | extend UserSharedWith = tostring(ActivityObjects.Name)
+  | summarize dcount(UserSharedWith) by FileShared, AccountObjectId
+  | where dcount_UserSharedWith >= 20
+version: 1.0.0
@@ -0,0 +1,38 @@
+id: cf8d2c27-8310-4b13-b135-1ba59ae0a3a2
+name: BEC - File sharing tactics - OneDrive or SharePoint
+description: |
+  This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint
+description-detailed: |
+  This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint. 
+  It highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.
+  Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - LateralMovement
+relevantTechniques:
+  - T1021
+query: |
+  let securelinkCreated = CloudAppEvents
+  | where ActionType == "SecureLinkCreated"
+  | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
+  let filesCreated = securelinkCreated
+  | where isnotempty(ObjectName)
+  | distinct tostring(ObjectName);
+  CloudAppEvents
+  | where ActionType == "AddedToSecureLink"
+  | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
+  | extend FileShared = tostring(RawEventData.ObjectId)
+  | where FileShared in (filesCreated)
+  | extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
+  | extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
+  | where TypeofUserSharedWith == "Guest"
+  | where isnotempty(FileShared) and isnotempty(UserSharedWith)
+  | join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
+  // Secure file created recently (in the last 1day)
+  | where (Timestamp - FileCreatedTime) between (1d .. 0h)
+  | summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
+  | where NumofUsersSharedWith >= 20
+version: 1.0.0
@@ -0,0 +1,25 @@
+id: 24eb9c13-c188-4b3c-8e89-654e56ce4c56
+name: Hunt for email bombing attacks
+description: |
+  This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
+description-detailed: |
+  In this type of attacks threat actors initiate link listing attacks - a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content.
+  More details: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ and https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound"
+  | make-series Emailcount = count()
+                on Timestamp step 1h by RecipientObjectId
+  | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
+  | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
+  | where Anomalies != 0
+  | where AnomalyScore >= 10
+version: 1.0.0
@@ -0,0 +1,26 @@
+id: 61bd29e8-fcfa-4f10-bc8f-b3a64e9493f7
+name: Top outbound recipient domains sending inbound emails with threats
+description: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats
+description-detailed: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats. 
+  Top outbound recipient domains by volume and number of inbound emails from the same domains as senders with threats.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Outbound"
+  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
+  | summarize count() by RecipientDomain
+  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
+  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
+  | summarize max(OutboundCount),count() by SenderFromDomain
+  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
+  | sort by OutboundEmails
+version: 1.0.0
@@ -0,0 +1,34 @@
+id: ca7f7287-d688-4256-ae46-e68ad2f657c8
+name: Possible Teams phishing activity
+description: |
+  This query looks for possible Teams phishing activity.
+description-detailed: |
+  This query looks for possible Teams phishing activity.
+  Shared by Microsoft Threat Intelligence:https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - DeviceProcessEvents
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let suspiciousUpns = DeviceProcessEvents
+  | where DeviceId == "alertedMachine"
+  | where isnotempty(InitiatingProcessAccountUpn)
+  | project InitiatingProcessAccountUpn;
+  CloudAppEvents
+  | where Application == "Microsoft Teams"
+  | where ActionType == "ChatCreated"
+  | where isempty(AccountObjectId)
+  | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
+  | where RawEventData.CommunicationType == "OneonOne"
+  | where RawEventData.ParticipantInfo.HasGuestUsers == false
+  | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
+  | where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
+  | where AccountId has "@"
+  | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
+  | where TargetUPN in (suspiciousUpns)
+version: 1.0.0
@@ -0,0 +1,21 @@
+id: 629b1650-38a4-42a2-9017-96b1d8c91cd7
+name: Threat classification - BEC LLM detections - daily trend
+description: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification, bin(Timestamp, 1d)
+  | render linechart
+version: 1.0.0
@@ -0,0 +1,21 @@
+id: 797cabdd-e162-42ff-b555-554583738d35
+name: Threat classification - BEC LLM detections - summary
+description: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a summary of Threat classification - BEC LLM detections in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification
+  | render piechart
+version: 1.0.0
@@ -0,0 +1,35 @@
+id: 28a1ce89-ee88-47b3-872b-fb5c3c8b350c
+name: AIR investigation actions insight
+description: |
+  This query provides insights into AIR investigation actions in Microsoft Defender for Office 365.
+description-detailed: |
+  This query provides insights into AIR investigation results approval actions (Approved, Declined etc.) in Microsoft Defender for Office 365.
+  More information:https://learn.microsoft.com/en-us/defender-office-365/air-remediation-actions and https://learn.microsoft.com/en-us/defender-office-365/air-review-approve-pending-completed-actions
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == "AirInvestigationData"
+  | project Timestamp, RawEventData
+  | extend EventData = parse_json(RawEventData)
+  | extend Data = parse_json(tostring(EventData.Data))
+  | extend InvestigationType = EventData.InvestigationType
+  | extend InvestigationId = RawEventData.InvestigationId
+  | extend Status = tostring(Data.Status)
+  | where Status == "Resolved"
+  | extend ActionRaw = parse_json(tostring(EventData.Actions))
+  | mv-expand ActionRaw
+  | extend Action = parse_json(tostring(ActionRaw))
+  | extend ActionType=Action.ActionType, ActionApproval=Action.ActionApproval, ApprovedBy=Action.ApprovedBy, ApproverComment=Action.ApproverComment, ActionStatus=Action.ActionStatus
+  | mv-expand Action.Entities
+  | extend EntityQuery = Action_Entities.Query
+  | mv-expand Action_Entities.Urls, Action_Entities.NetworkMessageIds
+  | sort by Timestamp
+  | project Timestamp, InvestigationType, InvestigationId, ActionType, ActionApproval, ApprovedBy, ApproverComment, ActionStatus, EntityQuery, Action_Entities_Urls, Action_Entities_NetworkMessageIds
+version: 1.0.0
@@ -0,0 +1,25 @@
+id: dd4a480b-aa24-4b62-b1f3-f538d8abbdfb
+name: Hunt for email bombing attacks
+description: |
+  This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
+description-detailed: |
+  In this type of attacks threat actors initiate link listing attacks - a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content.
+  More details: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ and https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound"
+  | make-series Emailcount = count()
+                on Timestamp step 1h by RecipientObjectId
+  | extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
+  | mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
+  | where Anomalies != 0
+  | where AnomalyScore >= 10
+version: 1.0.0
@@ -0,0 +1,26 @@
+id: 38d6e2fb-a804-4170-8d32-d251ecd6bcd2
+name: Top outbound recipient domains sending inbound emails with threats
+description: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats
+description-detailed: |
+  This query helps hunting for top outbound recipient domains which are sending inbound emails with threats. 
+  Top outbound recipient domains by volume and number of inbound emails from the same domains as senders with threats.
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Outbound"
+  | project RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
+  | summarize count() by RecipientDomain
+  | project OutboundCount=count_, RecipientDomain, SenderFromDomain=RecipientDomain
+  | join (EmailEvents | where EmailDirection == "Inbound" and isempty(ThreatTypes)==false) on SenderFromDomain
+  | summarize max(OutboundCount),count() by SenderFromDomain
+  | project SenderFromDomain, OutboundEmails=max_OutboundCount, IncomingEmailsWithThreats=count_
+  | sort by OutboundEmails
+version: 1.0.0
@@ -0,0 +1,34 @@
+id: 01cf63bd-debd-4d03-847c-d19c31844501
+name: Possible Teams phishing activity
+description: |
+  This query looks for possible Teams phishing activity.
+description-detailed: |
+  This query looks for possible Teams phishing activity.
+  Shared by Microsoft Threat Intelligence:https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - DeviceProcessEvents
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let suspiciousUpns = DeviceProcessEvents
+  | where DeviceId == "alertedMachine"
+  | where isnotempty(InitiatingProcessAccountUpn)
+  | project InitiatingProcessAccountUpn;
+  CloudAppEvents
+  | where Application == "Microsoft Teams"
+  | where ActionType == "ChatCreated"
+  | where isempty(AccountObjectId)
+  | where RawEventData.ParticipantInfo.HasForeignTenantUsers == true
+  | where RawEventData.CommunicationType == "OneonOne"
+  | where RawEventData.ParticipantInfo.HasGuestUsers == false
+  | where RawEventData.ParticipantInfo.HasOtherGuestUsers == false
+  | where RawEventData.Members[0].DisplayName in ("Microsoft  Security", "Help Desk", "Help Desk Team", "Help Desk IT", "Microsoft Security", "office")
+  | where AccountId has "@"
+  | extend TargetUPN = tolower(tostring(RawEventData.Members[1].UPN))
+  | where TargetUPN in (suspiciousUpns)
+version: 1.0.0
@@ -0,0 +1,21 @@
+id: 1401f5d8-e4bd-4002-90a2-db53871302da
+name: Threat classification - BEC LLM detections - daily trend
+description: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+description-detailed: |
+  This query helps to provide a daily trend of Threat classification - BEC LLM detections by classification type in Microsoft Defender for Office 365.
+  More details: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where ThreatClassification has_any ("Contact establishment","Gift card","Task","Business intelligence","PII gathering","Payroll","Invoice")
+  | summarize count() by ThreatClassification, bin(Timestamp, 1d)
+  | render linechart
+version: 1.0.0