Attackers are leveraging Appspot to host phishing pages and distribute malicious links, exploiting the platform’s accessibility to compromise user credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate phishing campaigns that bypass traditional email security controls.
KQL Query
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
| where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
// Enrich results with sender and recipient data
| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
// Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
// Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
// Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
name: Appspot Phishing Abuse
description: |
This query helps surface phishing campaigns associated with Appspot abuse.
description-detailed: |
This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailUrlInfo
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailUrlInfo
// Detect URLs with a subdomain on appspot.com
| where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
// Enrich results with sender and recipient data
| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
// Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
// Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
// Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
| where Url has RecipientEmailAddress
// Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
or Url has base64_encode_tostring(RecipientEmailAddress)
| project-away Timestamp1, NetworkMessageId1, ReportId1
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate Appspot Usage for Internal Tools
Description: An internal team uses Appspot to host a custom application or service that is part of their normal operations.
Filter/Exclusion: Exclude traffic from known internal Appspot instances (e.g., appspot.com subdomains used by internal teams) using a not src_ip filter or a src_host exclusion list.
Scenario: Scheduled Job for Data Processing
Description: A scheduled job runs on a server that uses Appspot to process data or generate reports, which may trigger the rule due to outbound requests.
Filter/Exclusion: Exclude traffic from known job servers (e.g., jobserver.example.com) using a src_host filter or a process_name exclusion for the job scheduler.
Scenario: Admin Task for Configuration Management
Description: An admin uses Appspot to manage configuration files or deploy updates, which may result in outbound requests that match the rule.
Filter/Exclusion: Exclude traffic from admin workstations (e.g., admin-laptop.example.com) using a src_host filter or a user field exclusion for admin accounts.
Scenario: Integration with Third-Party Services
Description: A service like Zapier or Integromat is used to integrate with Appspot for automation, which may trigger the rule due to API calls.
Filter/Exclusion: Exclude traffic from known integration platforms (e.g., zapier.com, integromat.com) using a src_host filter or a destination field exclusion.
Scenario: Development Environment Testing
Description: Developers use Appspot in a development environment to test applications, which may result in suspicious-looking outbound traffic.
Filter/Exclusion: Exclude traffic from development environments (e.g., `dev