Technique ID | Title | Link |
---|---|---|
T1557 | Adversary-in-the-Middle | https://attack.mitre.org/techniques/T1557/ |
Microsoft Threat Intelligence has identified that the following URL parts are used by Storm-0539 to deploy AiTM phishing pages:
- /Udlaps/
- /Usrlop/
- /adls/index.html
- /saml2/index.html
This query lists emails containing URLs that match any of these parts.
These URLs lead to adversary-in-the-middle (AiTM) pages that allow Storm-0539 to steal credentials and session tokens.
```kql
let URLs = dynamic([@'/Udlaps/', @'/Usrlop/', @'/adls/index.html', @'/saml2/index.html']);
EmailUrlInfo
| where Url has_any (URLs)
| join EmailEvents on NetworkMessageId
```
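As an added illustration that is not part of the original hunting query, the Python below reproduces what the KQL does over constructed sample rows standing in for EmailUrlInfo and EmailEvents: it approximates the whole-term, case-insensitive semantics of `has_any` (so `/adls/index.htmlx` is not a hit while `/SAML2/index.html` is) and the left-side deduplication of Kusto's default `innerunique` join. All table rows and addresses are made up for the example.

```python
import re
# URL fragments listed in the advisory above (Storm-0539 AiTM landing pages).
AITM_URL_PARTS = ['/Udlaps/', '/Usrlop/', '/adls/index.html', '/saml2/index.html']

def kql_has(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and an alphanumeric edge of the phrase
    must be a whole term, so '/adls/index.html' does not match '/adls/index.htmlx'."""
    pattern = re.escape(phrase)
    if phrase[0].isalnum():
        pattern = r'(?<![A-Za-z0-9])' + pattern
    if phrase[-1].isalnum():
        pattern += r'(?![A-Za-z0-9])'
    return re.search(pattern, text, re.IGNORECASE) is not None

def find_aitm_emails(url_info, email_events, parts=AITM_URL_PARTS):
    """Mirror the query: keep EmailUrlInfo rows whose Url has any indicator, then join
    EmailEvents on NetworkMessageId. Kusto's default join kind (innerunique) keeps one
    left-side row per key, which is reproduced with the `seen` set."""
    events_by_id = {}
    for ev in email_events:
        events_by_id.setdefault(ev['NetworkMessageId'], []).append(ev)
    seen, hits = set(), []
    for row in url_info:
        msg_id = row['NetworkMessageId']
        if msg_id in seen or not any(kql_has(row['Url'], p) for p in parts):
            continue
        seen.add(msg_id)
        for ev in events_by_id.get(msg_id, []):
            hits.append({**ev, 'Url': row['Url']})
    return hits

# Constructed sample rows standing in for the two Defender tables (not real data).
SAMPLE_URL_INFO = [
    {'NetworkMessageId': 'msg-001', 'Url': 'https://login.example.test/Udlaps/auth'},
    {'NetworkMessageId': 'msg-002', 'Url': 'https://cdn.example.test/adls/index.htmlx'},
    {'NetworkMessageId': 'msg-003', 'Url': 'https://portal.example.test/SAML2/index.html'},
    {'NetworkMessageId': 'msg-004', 'Url': 'https://benign.example.test/'},
]
SAMPLE_EMAIL_EVENTS = [
    {'NetworkMessageId': 'msg-001', 'SenderFromAddress': 'rewards@sender.example.test',
     'RecipientEmailAddress': 'user1@corp.example.test', 'Subject': 'Action required'},
    {'NetworkMessageId': 'msg-002', 'SenderFromAddress': 'news@sender.example.test',
     'RecipientEmailAddress': 'user2@corp.example.test', 'Subject': 'Weekly digest'},
    {'NetworkMessageId': 'msg-003', 'SenderFromAddress': 'it@sender.example.test',
     'RecipientEmailAddress': 'user3@corp.example.test', 'Subject': 'Sign in to continue'},
]

if __name__ == '__main__':
    for hit in find_aitm_emails(SAMPLE_URL_INFO, SAMPLE_EMAIL_EVENTS):
        print(hit['NetworkMessageId'], hit['RecipientEmailAddress'], hit['Url'])
```

Only msg-001 and msg-003 are returned: the `.htmlx` URL fails the whole-term check, and the benign URL matches no indicator.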