This post has been republished via RSS; it originally appeared at: Azure Data Explorer Blog articles.
The phishing threat keeps evolving and continues to grow each year. Attackers have been changing their tactics, techniques, and procedures, moving from traditional phishing to more advanced techniques. AiTM in particular is a good example of how attack techniques have evolved over the past few years and spread globally.
An AiTM attack refers to the "Adversary-in-the-Middle" phishing technique, in which attackers intercept communication between an end user and a legitimate website, stealing passwords and session cookies to gain unauthorized access and perform fraudulent activities such as taking control of Exchange Online. After compromising the account, they launch a Business Email Compromise (BEC) campaign. (Figure 1)
Figure 1. Overview of AiTM phishing campaign and follow-on BEC
In this blog, I am excited to share four essential points for threat hunting, focusing on how to track "potential" AiTM/BEC activities using Kusto Query Language (KQL) in Microsoft 365 Defender and Azure Data Explorer:
- Tracking the initial access - Suspicious User-Clicked URLs
- Tracking Suspicious User-Clicked URLs based on IoCs
- Visualizing the Targeted User's Access with Geolocation Map
- Capturing Suspicious EXO Activities for the Targeted User
1. Tracking the initial access - Suspicious User-Clicked URLs
Because the attacker wants to lure the target to a phishing site while evading email security tools, they primarily rely on HTML file attachments, or they may use URL redirection. Therefore, the initial access is divided into two cases: HTML file and URL.
This query will identify outbound emails with HTML attachments and compile a list of all associated URLs.
This query will identify users who received suspicious emails and clicked on URLs from those emails.
Additionally, if the device has been onboarded to Microsoft Defender for Endpoint, this query can identify not only the users who received suspicious emails and clicked on URLs from those emails, but also the associated devices.
2. Tracking Suspicious User-Clicked URLs based on IoCs
Since Indicators of Compromise (IoCs) are shared by security blogs, using the externaldata operator is one way to determine whether any end user in the organization clicked an AiTM-related URL.
As an example, the process has been summarized into three steps.
Step 2 refers to 'an external storage'; the GitHub account LearningKijo was used in the above query, but when you write your own query you can use other locations, such as your personal GitHub storage space, Azure Blob storage, and so on.
IoCs References
- Zscaler: AiTM Phishing Attack Targeting Enterprise Users of Gmail
- Zscaler: Large-Scale AiTM Attack targeting enterprise users of Microsoft email services
- Microsoft: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
3. Visualizing the Targeted User's Access with Geolocation Map
To enhance geolocation visibility, start by checking for suspicious logins from multiple countries. Once the targeted user is discovered, filter on that user's locations and create a map using Azure Data Explorer.
Here are the steps:
- Summarize the countries that authenticated to the OfficeHome application for each user and list any uncommon or untrusted countries.
- Track the user account with multiple country logins and list the associated "Country," "Latitude," and "Longitude" data.
- Visualize suspicious access to the user account on a geolocation map using Azure Data Explorer.
Step 1: Using this query, it appears that "Malware M365D" has multiple logons across different countries.
Step 2: To obtain additional geolocation insights, such as Latitude, Longitude, and Country, filter on "Malware M365D".
Step 3: Based on the insights from Step 2, there are multiple logins from different states within the US.
Here, a datatable (populated with data from AADSignInEventsBeta) is used to generate the geolocation map.
Geospatial data can be visualized using the render operator in Kusto Desktop Explorer or the Azure Data Explorer web UI. To download Kusto Desktop Explorer, see Kusto.Explorer installation and user interface.
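As an added example (not a query from the original post), here are the three steps above carried out in one Kusto query over a constructed datatable shaped like AADSignInEventsBeta. The account names, timestamps, and coordinates are made up; in a real hunt, replace the datatable with the actual table, and the render properties follow the render operator's map options.

```kql
// Constructed sample sign-ins in the shape of AADSignInEventsBeta
// (only the columns the hunt needs). Replace with the real table
// when running against exported Microsoft 365 Defender data.
let SignIns = datatable(Timestamp:datetime, AccountDisplayName:string, AccountUpn:string,
                        Application:string, Country:string, State:string, City:string,
                        Latitude:real, Longitude:real)
[
    datetime(2023-06-01 08:02:00), "Malware M365D", "malware.m365d@contoso.example", "OfficeHome", "US", "Washington", "Redmond", 47.674, -122.121,
    datetime(2023-06-01 08:40:00), "Malware M365D", "malware.m365d@contoso.example", "OfficeHome", "NL", "North Holland", "Amsterdam", 52.374, 4.890,
    datetime(2023-06-01 09:15:00), "Malware M365D", "malware.m365d@contoso.example", "OfficeHome", "US", "Texas", "Dallas", 32.777, -96.797,
    datetime(2023-06-01 09:30:00), "Alice Example", "alice@contoso.example", "OfficeHome", "US", "Washington", "Seattle", 47.606, -122.332,
    datetime(2023-06-01 10:05:00), "Alice Example", "alice@contoso.example", "OfficeHome", "US", "Washington", "Redmond", 47.674, -122.121,
];
// Step 1: per user, which countries authenticated to OfficeHome?
// A user seen from more than one country in the window needs a closer look.
let MultiCountryUsers = SignIns
| where Application == "OfficeHome"
| summarize Countries = make_set(Country), CountryCount = dcount(Country) by AccountUpn
| where CountryCount > 1;
// Step 2: pull Country/State/City plus coordinates for those users only.
let SuspectLogons = SignIns
| where AccountUpn in ((MultiCountryUsers | project AccountUpn))
| project Timestamp, AccountDisplayName, AccountUpn, Country, State, City, Latitude, Longitude;
// Step 3: plot each sign-in as a point; the map renderer takes
// longitude as the x column and latitude as the y column.
SuspectLogons
| project Longitude, Latitude, AccountUpn
| render scatterchart with (kind=map, xcolumn=Longitude, ycolumns=Latitude)
```

With the sample data, only malware.m365d@contoso.example survives Step 1 (US and NL), and Step 3 plots its three sign-ins, two of them in different US states.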
4. Capturing Suspicious EXO Activities for the Targeted User
After successfully stealing the session, the attacker proceeds with exfiltration and BEC campaigns. To detect potentially suspicious activity, we filter on the Exchange Online action types that could be used for exfiltration and BEC. This lets us investigate whether the targeted end user is involved in any suspicious actions.
Here are some common techniques attackers use during exfiltration in Exchange Online.
I hope these threat hunting insights will be beneficial for anyone involved in security operations.