Email - TyposquattedEmailRecieved.md

Latest commit 52af1a4 · Sep 25, 2024
Typosquatted Email Received

Query Information

MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link                                        |
|--------------|----------|---------------------------------------------|
| T1566        | Phishing | https://attack.mitre.org/techniques/T1566/  |

Description

Adversaries may register typosquatted domains that mimic your domain. This detection flags inbound email whose sender domain closely resembles yours and alerts on each match. You can tune the threshold yourself via TypoSquatMin and TypoSquatMax: the query converts both domains to their Unicode code points and computes the Jaccard index of the two sets (the share of distinct code points they have in common, from 0 to 1), so the band selects senders that are near, but not identical to, your domain. Because the comparison is set based, character order and repetition are ignored, so an unrelated domain built from the same letters can also score highly; review hits before acting on them.

Risk

An actor typosquats your domain to phish employees.

Defender XDR

```kql
// Domain to protect; lower-cased so the comparison is case-insensitive.
let Domain = tolower("kqlquery.com");
// Set of Unicode code points that make up the protected domain.
let UnicodeDomain = unicode_codepoints_from_string(Domain);
// Similarity band: senders scoring inside it are treated as lookalikes.
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // If set to 1.0 it equals the domain.
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
// Jaccard index of the two code-point sets: shared / total distinct code points.
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder Timestamp, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```

Sentinel

```kql
// Domain to protect; lower-cased so the comparison is case-insensitive.
let Domain = tolower("kqlquery.com");
// Set of Unicode code points that make up the protected domain.
let UnicodeDomain = unicode_codepoints_from_string(Domain);
// Similarity band: senders scoring inside it are treated as lookalikes.
let TypoSquatMin = 0.75;
let TypoSquatMax = 0.99; // If set to 1.0 it equals the domain.
EmailEvents
| where EmailDirection == "Inbound"
| extend SenderDomainUnicode = unicode_codepoints_from_string(tolower(SenderFromDomain))
// Jaccard index of the two code-point sets: shared / total distinct code points.
| extend TypoSquatPercentage = jaccard_index(UnicodeDomain, SenderDomainUnicode)
| where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)
| project-reorder TimeGenerated, SenderFromDomain, TypoSquatPercentage, RecipientEmailAddress, Subject
```
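To tune TypoSquatMin and TypoSquatMax before deploying the query, the scoring can be reproduced offline. The following Python is an added example, not code from the original repository; it assumes that jaccard_index in KQL compares the two code-point arrays as sets of distinct values, and the EmailEvents rows are constructed sample data.

```python
# Added example: re-implements the query's scoring so the band can be tuned offline.
# Assumption: KQL jaccard_index treats the code-point arrays as sets, so the score
# is |A ∩ B| / |A ∪ B| over distinct code points; order and repetition are ignored.

DOMAIN = "kqlquery.com"
TYPOSQUAT_MIN = 0.75
TYPOSQUAT_MAX = 0.99  # 1.0 would be the protected domain itself

def codepoints(s: str) -> set[int]:
    """Distinct Unicode code points, like unicode_codepoints_from_string(tolower(s))."""
    return {ord(c) for c in s.lower()}

def jaccard_index(a: set[int], b: set[int]) -> float:
    """Jaccard similarity of two sets: shared elements / all distinct elements."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def score(sender_domain: str) -> float:
    """Similarity of a sender domain to the protected domain (0.0 to 1.0)."""
    return jaccard_index(codepoints(DOMAIN), codepoints(sender_domain))

def is_typosquat(sender_domain: str, lo: float = TYPOSQUAT_MIN, hi: float = TYPOSQUAT_MAX) -> bool:
    """Equivalent of 'where TypoSquatPercentage between (TypoSquatMin .. TypoSquatMax)'."""
    return lo <= score(sender_domain) <= hi

# Constructed sample EmailEvents rows (not real telemetry). The fourth sender uses a
# Greek small omicron (U+03BF) in place of the Latin 'o', a homoglyph that string
# equality would miss but that still differs by one code point.
SAMPLE_EVENTS = [
    {"EmailDirection": "Inbound",  "SenderFromDomain": "kqlquery.com",       "Subject": "Weekly report"},
    {"EmailDirection": "Inbound",  "SenderFromDomain": "kq1query.com",       "Subject": "Invoice due"},
    {"EmailDirection": "Inbound",  "SenderFromDomain": "kqlquery.co",        "Subject": "Reset password"},
    {"EmailDirection": "Inbound",  "SenderFromDomain": "kqlquery.c\u03bfm",  "Subject": "MFA update"},
    {"EmailDirection": "Inbound",  "SenderFromDomain": "query.com",          "Subject": "Newsletter"},
    {"EmailDirection": "Inbound",  "SenderFromDomain": "example.org",        "Subject": "Hello"},
    {"EmailDirection": "Outbound", "SenderFromDomain": "kq1query.com",       "Subject": "Not inbound"},
]

def flagged(events: list[dict]) -> list[tuple[str, float]]:
    """Apply the query's filters and return (sender domain, score) for each hit."""
    return [(e["SenderFromDomain"], round(score(e["SenderFromDomain"]), 3))
            for e in events
            if e["EmailDirection"] == "Inbound" and is_typosquat(e["SenderFromDomain"])]

if __name__ == "__main__":
    for domain, pct in flagged(SAMPLE_EVENTS):
        print(f"{domain!r}: {pct}")
```

Note that query.com is flagged purely because its letters are a subset of the protected domain's, which is the set-based limitation described above; the exact domain and the Outbound row are excluded by the upper bound and the direction filter respectively.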