Adversaries may use malicious URLs to deliver payloads or exfiltrate data, and such URLs often bypass traditional detection. SOC teams should proactively hunt for this behavior in Azure Sentinel, enriching email telemetry with an external IOC source, to identify and mitigate potential compromise early.
KQL Query
```kql
let url = (externaldata(url: string)
    [@"https://urlhaus.abuse.ch/downloads/text_online/"]
    with (format="txt"))
    | project url;
url
| join (EmailUrlInfo
    | where Timestamp > ago(2h)
) on $left.url == $right.Url
| join EmailEvents on NetworkMessageId
| project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject, RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction, ReportId
```
```yaml
id: 57f95ba7-938d-4a76-b411-c01034c0d167
name: Hunt for malicious URLs using external IOC source
description: |
  This query helps hunt for emails with malicious URLs based on an external IOC source
description-detailed: |
  This query helps hunt for emails with malicious URLs based on URLs from an external IOC source using Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
  Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let url = (externaldata(url: string)
      [@"https://urlhaus.abuse.ch/downloads/text_online/"]
      with (format="txt"))
      | project url;
  url
  | join (EmailUrlInfo
      | where Timestamp > ago(2h)
  ) on $left.url == $right.Url
  | join EmailEvents on NetworkMessageId
  | project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject, RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction, ReportId
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate URL shortening service used for internal documentation | Employees use a company-approved URL shortener (e.g., Bitly, TinyURL) to create links for internal documentation or shared resources. | Exclude URLs that originate from known internal URL shortening services or domains whitelisted in the company's security policy. |
| Scheduled job for automated report generation | A scheduled job (e.g., using Airflow, Jenkins, or a custom script) generates reports and sends them via email, including links to internal dashboards or cloud storage (e.g., S3, Blob Storage). | Exclude URLs that match known internal reporting tools or cloud storage endpoints, or filter by sender email addresses associated with scheduled jobs. |
| Admin task for system updates or patches | System administrators use a known internal tool (e.g., Ansible, Puppet, or a custom script) to deploy updates, which may include links to internal repositories or patch servers. | Exclude URLs that match internal patch management systems or repositories, or filter by sender email addresses associated with admin tasks. |
| User-generated content with embedded links | Users post links in internal collaboration tools (e.g., Microsoft Teams, Slack, or Confluence) as part of shared knowledge bases or project updates. | Exclude URLs that are part of internal collaboration platforms or that match known user-generated content domains. |
| Internal phishing simulation with safe URLs | Security teams run phishing simulations using safe, controlled URLs (e.g., from a sandboxed environment or a test domain) to train employees. | Exclude URLs that match known internal phishing simulation domains or that are flagged as safe by the organization's sandboxing |
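The following is an added, tuned variant of the hunting query above that applies the exclusions from the scenarios table; it is example code written for this page, not the repository's own query. It assumes placeholder exclusion values (the `example.internal` domains and `example.com` sender addresses) that must be replaced with the organization's approved shorteners, reporting tools, patch servers, collaboration platforms, simulation domains and automation senders. It also drops the `#` comment lines that the URLhaus text feed carries and trims whitespace before the join, since the exact-match join would otherwise silently miss a URL that differs only by surrounding whitespace.

```kql
// Added example: tuned hunt that applies the false-positive exclusions
// described above. Exclusion lists below are placeholders (assumption),
// not values from the original query or from any real environment.
let lookback = 2h;
// Domains to exclude: approved internal shortener, automated reporting,
// patch repository, collaboration platform and phishing-simulation domain.
let ExcludedDomains = datatable(domain: string)
[
    "go.example.internal",          // approved internal URL shortener (placeholder)
    "reports.example.internal",     // automated report dashboards (placeholder)
    "patch.example.internal",       // internal patch repository (placeholder)
    "wiki.example.internal",        // internal knowledge base (placeholder)
    "phishtest.example.internal"    // phishing-simulation domain (placeholder)
];
// Sender addresses used by scheduled jobs and admin tooling (placeholders).
let ExcludedSenders = datatable(sender: string)
[
    "reports-noreply@example.com",
    "patchbot@example.com"
];
// Load the external IOC feed. The URLhaus text feed starts with '#' comment
// lines; drop them and trim whitespace so the equality join is reliable.
let IocUrls = externaldata(url: string)
    [@"https://urlhaus.abuse.ch/downloads/text_online/"]
    with (format="txt")
    | where isnotempty(url) and not(url startswith "#")
    | project url = trim(@"\s", url);
IocUrls
| join kind=inner (
    EmailUrlInfo
    | where Timestamp > ago(lookback)
) on $left.url == $right.Url
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
) on NetworkMessageId
// Apply the exclusions from the scenarios table (case-insensitive).
| where UrlDomain !in~ (ExcludedDomains)
| where SenderFromAddress !in~ (ExcludedSenders)
// Collapse one row per sender/URL pair so triage sees scope at a glance:
// how many recipients, which subjects, and whether delivery was blocked.
| summarize
    RecipientCount = dcount(RecipientEmailAddress),
    Recipients = make_set(RecipientEmailAddress, 50),
    Subjects = make_set(Subject, 20),
    DeliveryActions = make_set(LatestDeliveryAction),
    ThreatTypes = make_set(ThreatTypes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by Url, UrlDomain, SenderFromAddress, SenderIPv4
| order by LastSeen desc
```

Rows where `DeliveryActions` already shows a block or quarantine are lower priority than rows that were delivered to the inbox; the `RecipientCount` column surfaces campaigns that hit many users from a single sender. Keep the exclusion tables narrow: excluding a whole public shortener domain, as opposed to an internal one, would also hide shortened links an attacker created on that service.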