Technique ID | Title | Link |
---|---|---|
T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
Adversaries may register typosquatted domains that mimic your own domains. This detection finds inbound sender domains that closely resemble yours and alerts on each match. You can tune the threshold yourself with TypoSquatMin and TypoSquatMax; these values are the Jaccard similarity between the Unicode code points of your domain and those of the sender domain, i.e. the fraction of characters the two domains have in common, on a scale from 0 to 1.
An actor typosquats your domain to phish employees.
Microsoft Defender XDR (Advanced Hunting) version, which uses the `Timestamp` column:

```kql
let Domain = tolower("kqlquery.com");
let UnicodeDomain = unicode_codepoints_from_string(Domain);
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // 1.0 is an exact match with your own domain, so the ceiling stays below it.
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder Timestamp, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```
Microsoft Sentinel version, which uses the `TimeGenerated` column:

```kql
let Domain = tolower("kqlquery.com");
let UnicodeDomain = unicode_codepoints_from_string(Domain);
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // 1.0 is an exact match with your own domain, so the ceiling stays below it.
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder TimeGenerated, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```
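To make the scoring behind the queries concrete, here is an added Python example that is not part of the original page or the query author's work. It re-implements `unicode_codepoints_from_string` and `jaccard_index` with the same set semantics KQL uses, runs the same `[TypoSquatMin, TypoSquatMax]` filter over a handful of constructed sender domains (a digit substitution, a dropped character, a Cyrillic homoglyph, a reordered domain, an unrelated domain), and shows one caveat worth knowing when tuning the thresholds: because the Jaccard index works on the *set* of characters, order and repetition are ignored, so a domain made of exactly your characters in a different order scores 1.0 and is silently dropped by the 0.99 ceiling. The `detect_typosquats_strict` variant is my own addition, not the page's query: it excludes your legitimate domain by string equality instead of by the ceiling. The sample events and all function names are constructed for this illustration.

```python
# Constructed sample rows standing in for EmailEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"SenderFromDomain": "kqlquery.com",      "Subject": "exact match (legitimate)"},
    {"SenderFromDomain": "kq1query.com",      "Subject": "digit 1 substituted for l"},
    {"SenderFromDomain": "kqlquery.co",       "Subject": "last character dropped"},
    {"SenderFromDomain": "kqlquery.c\u043em", "Subject": "Cyrillic o (U+043E) homoglyph"},
    {"SenderFromDomain": "querykql.com",      "Subject": "same characters, reordered"},
    {"SenderFromDomain": "microsoft.com",     "Subject": "unrelated domain"},
]


def unicode_codepoints(s: str) -> list[int]:
    """Mirror of KQL unicode_codepoints_from_string(): one code point per character."""
    return [ord(ch) for ch in s]


def jaccard_index(a, b) -> float:
    """Mirror of KQL jaccard_index(): |A ∩ B| / |A ∪ B| over the *sets* of elements.
    Order and multiplicity are ignored, exactly as in the KQL function.
    Two empty inputs are treated as identical (assumed behaviour, edge case only)."""
    sa, sb = set(a), set(b)
    union = sa | sb
    if not union:
        return 1.0
    return len(sa & sb) / len(union)


def typosquat_score(own_domain: str, sender_domain: str) -> float:
    """The same score the query computes as TypoSquatPercentage."""
    return jaccard_index(
        unicode_codepoints(own_domain.lower()),
        unicode_codepoints(sender_domain.lower()),
    )


def detect_typosquats(own_domain, events, typosquat_min=0.75, typosquat_max=0.99):
    """Same filter as the KQL query: keep rows whose score lies within
    [TypoSquatMin, TypoSquatMax] (KQL 'between' is inclusive on both ends)."""
    hits = []
    for ev in events:
        score = typosquat_score(own_domain, ev["SenderFromDomain"])
        if typosquat_min <= score <= typosquat_max:
            hits.append((ev["SenderFromDomain"], round(score, 3)))
    return hits


def detect_typosquats_strict(own_domain, events, typosquat_min=0.75):
    """Variant (my addition): exclude the legitimate domain by string equality and
    keep everything at or above TypoSquatMin, so a reordered domain that shares
    your exact character set (score 1.0) is still flagged instead of dropped."""
    own = own_domain.lower()
    hits = []
    for ev in events:
        sender = ev["SenderFromDomain"].lower()
        if sender == own:
            continue
        score = typosquat_score(own, sender)
        if score >= typosquat_min:
            hits.append((sender, round(score, 3)))
    return hits


if __name__ == "__main__":
    print("query semantics :", detect_typosquats("kqlquery.com", SAMPLE_EVENTS))
    print("strict variant  :", detect_typosquats_strict("kqlquery.com", SAMPLE_EVENTS))
```

With the page's defaults, `kq1query.com` and the Cyrillic homoglyph both score 10/12 (0.833) and `kqlquery.co` scores 10/11 (0.909), so all three are flagged, while `microsoft.com` scores 5/15 (0.333) and is not. `querykql.com` scores 1.0 and falls outside the 0.75..0.99 window; only the strict variant reports it. If you adopt the strict exclusion in KQL, compare `tolower(SenderFromDomain) != Domain` rather than relying on the ceiling.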