Adversaries may be using URLs listed in the OpenPhish feed in phishing emails to compromise users and exfiltrate data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing campaigns before they lead to successful breaches.
KQL Query
```kusto
let PhishingURLs = externaldata(url: string)
[
    "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
]
with (format="txt"); // CSV and JSON formats are also valid formats if using the premium feeds
EmailUrlInfo
| where Url in (PhishingURLs)
| join EmailEvents on NetworkMessageId
| where LatestDeliveryAction == "Delivered"
```
```yaml
id: d16f57cb-6a39-4e90-ae25-8902c68232ab
name: Message with URL listed on OpenPhish delivered into Inbox
description: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL from OpenPhish was delivered to the Inbox.
description-detailed: |
  This query can be used as a Custom Detection Rule (CDR) to trigger when a potentially malicious email with a URL from OpenPhish was delivered to the Inbox. https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let PhishingURLs = externaldata(url: string)
  [
      "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
  ]
  with (format="txt"); // CSV and JSON formats are also valid formats if using the premium feeds
  EmailUrlInfo
  | where Url in (PhishingURLs)
  | join EmailEvents on NetworkMessageId
  | where LatestDeliveryAction == "Delivered"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate Email with OpenPhish URL from Internal Marketing Team
Description: A marketing team member sends an email with a URL listed on OpenPhish as part of a legitimate campaign (e.g., a product launch or newsletter).
Filter/Exclusion: Exclude emails from known internal domains (e.g., @example.com) or use a filter based on sender email address in the from field. Example: from:[email protected].
Scenario: Scheduled Job Sending Reports with Embedded Links
Description: A scheduled job (e.g., cron job or PowerShell script) sends daily reports to users, which include links to internal dashboards or documentation hosted on a server listed in OpenPhish.
Filter/Exclusion: Exclude emails sent by specific scheduled tasks or scripts. Example: subject:"Daily Report" OR subject:"System Report" or use a from field filter for the job’s email address (e.g., [email protected]).
Scenario: Internal User Sharing a Link from OpenPhish-Listed Domain
Description: An internal user shares a link from a domain that is mistakenly listed in OpenPhish, but the link is safe and part of a legitimate internal resource.
Filter/Exclusion: Exclude emails from internal users based on their email domain (e.g., @internal.example.com) or use a custom filter to exclude links from specific internal domains (e.g., domain:internal.example.com).
Scenario: Phishing Simulation Campaign with OpenPhish-Listed URLs
Description: The security team runs a phishing simulation using a URL from OpenPhish to test employee awareness.
Filter/Exclusion: Exclude emails with a specific subject line (e.g., Phishing Simulation) or use a custom filter to exclude emails sent from the
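The scenarios above express their exclusions in mailbox-search syntax (`from:`, `subject:`), which cannot be pasted into a Custom Detection Rule. The block below is an added example, not part of the original page or the rule itself: it layers those four exclusions onto the page's query in KQL so the tuning lives inside the detection. Every domain, mailbox address and subject string is a constructed placeholder to be replaced with your own values.

```kusto
// Added example: the page's OpenPhish detection with the false-positive
// exclusions from the four scenarios expressed in KQL.
// All list values below are constructed placeholders, not real data.
let PhishingURLs = externaldata(url: string)
[
    "https://raw.githubusercontent.com/openphish/public_feed/refs/heads/main/feed.txt"
]
with (format="txt");
// Scenario 1 and 3: mail from internal senders, and links to internal domains
let InternalSenderDomains = dynamic(["example.com", "internal.example.com"]);
let InternalLinkDomains   = dynamic(["internal.example.com"]);
// Scenario 2: automated report mailboxes and their fixed subject lines
let AutomatedSenders = dynamic(["reports@example.com"]);
let ReportSubjects   = dynamic(["Daily Report", "System Report"]);
// Scenario 4: marker the awareness team places in simulation subjects
let SimulationSubjectMarker = "Phishing Simulation";
EmailUrlInfo
| where Url in (PhishingURLs)                       // exact match against the feed
| where UrlDomain !in~ (InternalLinkDomains)       // scenario 3
| join kind=inner EmailEvents on NetworkMessageId
| where LatestDeliveryAction == "Delivered"
| where SenderFromDomain !in~ (InternalSenderDomains)   // scenario 1
| where SenderFromAddress !in~ (AutomatedSenders)       // scenario 2 (sender)
| where Subject !in~ (ReportSubjects)                   // scenario 2 (subject)
| where Subject !has SimulationSubjectMarker            // scenario 4
// Timestamp and ReportId come from the left table (EmailUrlInfo), which a
// Custom Detection Rule requires to be present under those exact names.
| project Timestamp, ReportId, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, Subject, Url, LatestDeliveryLocation
```

Two points worth keeping in mind when tuning this. `in` against the `externaldata` table is an exact, case-sensitive string comparison, so an email URL that differs from the feed entry only by a trailing slash or an added query string will not match; the exclusions use `!in~` and `!has` so that sender addresses and subjects match case-insensitively. Exclusions on subject alone are the weakest of the four, since an attacker can copy a report or simulation subject line, so prefer the sender-based filters where both are available.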