STORM-0539 URLPathsEmail.md
Storm-0539 AiTM URLs - EmailEvents

Query Information

MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
|---|---|---|
| T1557 | Adversary-in-the-Middle | https://attack.mitre.org/techniques/T1557/ |

Description

Microsoft Threat Intelligence has identified that the following URL path parts are used by Storm-0539 to host AiTM phishing pages:

  • /Udlaps/
  • /Usrlop/
  • /adls/index.html
  • /saml2/index.html

This query lists every URL seen in email that contains one of these path parts, joined to the email event it was observed in.

Risk

These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to steal credentials and session tokens.

References

Defender For Endpoint

```kql
// URL path parts reported for Storm-0539 AiTM phishing pages
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
// has_any is a case-insensitive, term-based match against the full URL string
| where Url has_any (URLs)
// Enrich each matching URL with sender, recipient and subject from the email it was seen in
| join EmailEvents on NetworkMessageId
```

Sentinel

```kql
// URL path parts reported for Storm-0539 AiTM phishing pages
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
// has_any is a case-insensitive, term-based match against the full URL string
| where Url has_any (URLs)
// Enrich each matching URL with sender, recipient and subject from the email it was seen in
| join EmailEvents on NetworkMessageId
```
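The following is an added example, not part of the original query file, that re-implements offline what the two KQL queries above do: a case-insensitive match of the four indicator path parts against each URL, followed by an inner join to the email event on NetworkMessageId. It assumes column names shaped like the EmailUrlInfo and EmailEvents tables (NetworkMessageId, Url, SenderFromAddress, RecipientEmailAddress, Subject); all row values are constructed sample data, and substring matching on the lower-cased URL is used as an approximation of KQL's term-based `has_any`.

```python
"""Offline re-implementation of the Storm-0539 AiTM URL query (added example).

Assumptions: KQL `has_any` is case-insensitive, so URLs are lower-cased before
matching; substring matching approximates its term-based semantics. Column
names mirror EmailUrlInfo / EmailEvents. All rows below are constructed.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicator URL path parts, unchanged from the query above.
URL_PARTS = ["/Udlaps/", "/Usrlop/", "/adls/index.html", "/saml2/index.html"]

# Constructed sample rows shaped like EmailUrlInfo.
EMAIL_URL_INFO = [
    {"NetworkMessageId": "msg-001", "Url": "https://login.example.invalid/Udlaps/signin"},
    {"NetworkMessageId": "msg-002", "Url": "https://docs.example.invalid/reports/q3.pdf"},
    {"NetworkMessageId": "msg-003", "Url": "https://sso.example.invalid/SAML2/index.html?u=a"},
    {"NetworkMessageId": "msg-004", "Url": "https://cdn.example.invalid/adls/index.html"},
    {"NetworkMessageId": "msg-005", "Url": "https://example.invalid/?next=/Usrlop/"},
]

# Constructed sample rows shaped like EmailEvents. msg-005 deliberately has no
# event row, so the inner join drops it even though its URL matches.
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-001", "SenderFromAddress": "it-support@example.invalid",
     "RecipientEmailAddress": "alice@corp.invalid", "Subject": "Password expiry"},
    {"NetworkMessageId": "msg-002", "SenderFromAddress": "finance@corp.invalid",
     "RecipientEmailAddress": "bob@corp.invalid", "Subject": "Q3 report"},
    {"NetworkMessageId": "msg-003", "SenderFromAddress": "helpdesk@example.invalid",
     "RecipientEmailAddress": "carol@corp.invalid", "Subject": "SSO verification"},
    {"NetworkMessageId": "msg-004", "SenderFromAddress": "notify@example.invalid",
     "RecipientEmailAddress": "dave@corp.invalid", "Subject": "Shared document"},
]


def matched_part(url: str) -> Optional[str]:
    """Return the first indicator part found in url, or None.

    Mirrors `Url has_any (URLs)`: case-insensitive, against the whole URL
    string (query string included), not only the parsed path.
    """
    lowered = url.lower()
    for part in URL_PARTS:
        if part.lower() in lowered:
            return part
    return None


def find_aitm_url_emails(url_rows: List[Dict[str, str]],
                         event_rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the KQL pipeline:
    EmailUrlInfo | where Url has_any (URLs) | join EmailEvents on NetworkMessageId

    Returns one result per (matching URL row, event row) pair. URL rows with no
    EmailEvents row are dropped, as in an inner join.
    """
    events_by_id: Dict[str, List[Dict[str, str]]] = {}
    for event in event_rows:
        events_by_id.setdefault(event["NetworkMessageId"], []).append(event)

    results = []
    for row in url_rows:
        part = matched_part(row["Url"])
        if part is None:
            continue
        for event in events_by_id.get(row["NetworkMessageId"], []):
            results.append({
                "NetworkMessageId": row["NetworkMessageId"],
                "Url": row["Url"],
                "MatchedPart": part,
                "UrlHost": urlparse(row["Url"]).hostname or "",
                "SenderFromAddress": event["SenderFromAddress"],
                "RecipientEmailAddress": event["RecipientEmailAddress"],
                "Subject": event["Subject"],
            })
    return results


if __name__ == "__main__":
    for hit in find_aitm_url_emails(EMAIL_URL_INFO, EMAIL_EVENTS):
        print(hit["NetworkMessageId"], hit["MatchedPart"], hit["UrlHost"],
              hit["SenderFromAddress"], "->", hit["RecipientEmailAddress"], "|", hit["Subject"])
```

Two details this makes visible that the one-line KQL does not: the match is case-insensitive (the upper-case `/SAML2/index.html` row still hits), and KQL's default join kind is innerunique, so a matching URL whose NetworkMessageId has no EmailEvents row (msg-005 above) does not appear in the output.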