Adversaries may use phishing emails with malicious URL redirects to compromise user credentials or deploy malware. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft and lateral movement attempts.
KQL Query

```kusto
EmailUrlInfo
//This regex identifies emails containing the "T-Dot" redirector pattern in the URL
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
//This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
```
```yaml
id: 08aff8c6-b983-43a3-be95-68a10c3d35e6
name: PhishingEmailUrlRedirector (1)
description: |
  The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
description-detailed: |
  The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
  This query was originally published on Twitter, by @MsftSecIntel.
  Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailUrlInfo
  //This regex identifies emails containing the "T-Dot" redirector pattern in the URL
  | where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
  //This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
  and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate URL Shortener Usage
Description: Employees use a company-approved URL shortener (e.g., Bitly, TinyURL) to create shortened links for internal documentation or marketing campaigns.
Filter/Exclusion: Exclude URLs that originate from approved URL shortening services by checking the domain against a whitelist of known shortener services.

Scenario: Scheduled Job Generating Test Emails
Description: A scheduled job (e.g., Power Automate, Azure Logic Apps) sends test emails to internal stakeholders for system validation or user training.
Filter/Exclusion: Exclude emails sent from known automation accounts or service accounts (e.g., test@company.com, automation@company.com) or filter by sender IP address associated with the automation service.

Scenario: Admin Task for User Onboarding
Description: An admin task (e.g., Microsoft 365 admin console, PowerShell script) sends out onboarding emails with links to internal resources.
Filter/Exclusion: Exclude emails sent from admin accounts or during specific onboarding periods. Use sender email address or timestamp to identify these legitimate emails.

Scenario: Internal Redirect for Single Sign-On (SSO)
Description: Internal users are redirected through an SSO portal (e.g., Azure AD B2C, Okta) which uses open redirector functionality for authentication flows.
Filter/Exclusion: Exclude URLs that match the SSO redirector domain (e.g., sso.company.com) or check the URL path for known SSO endpoints.

Scenario: Marketing Campaign with External Landing Page
Description: Marketing teams use external landing pages (e.g., HubSpot, Salesforce) to collect leads, which may include redirectors for tracking or analytics.
Filter/Exclusion: Exclude URLs from known marketing platforms by checking the domain against a whitelist of
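To see how the two-stage filter in the query and the domain allow-list tuning from the scenarios above behave on concrete rows, here is an added Python example (not part of the original hunting query or the Sentinel repository). It runs the query's two regexes unchanged over constructed EmailUrlInfo-style rows and then drops hits whose redirector host is on an approved list; the message ids, host names and allow-list entries are all made up for the example.

```python
import re
from urllib.parse import urlparse

# The two regexes from the hunting query, copied unchanged; Python's re engine accepts the same syntax.
REDIRECTOR_RE = re.compile(r"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?")
CAMPAIGN_DOMAIN_RE = re.compile(r"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)")

# Hypothetical allow-list of redirector hosts the organisation has approved (an SSO portal, a
# marketing platform): the "exclude known domains" tuning step, with made-up host names.
APPROVED_REDIRECTOR_HOSTS = frozenset({"t.sso.example", "t.marketing.example"})

# Constructed rows shaped like EmailUrlInfo (NetworkMessageId, Url); every value is fabricated.
SAMPLE_ROWS = [
    ("msg-001", "https://t.example-redirect.xyz/r/?u=https://a-bc.xyz/login"),
    ("msg-002", "https://www.t.tracker.club/redirect/?target=x-yz.club"),
    ("msg-003", "https://t.corp.example/r/?to=https://intranet.example/doc"),
    ("msg-004", "https://t.marketing.example/r/?u=https://go-to.shop/promo"),
    ("msg-005", "https://bit.ly/abc123"),
]


def matches_query(url: str) -> bool:
    """Both `where` conditions of the KQL query: redirector shape AND campaign domain pattern."""
    return bool(REDIRECTOR_RE.search(url) and CAMPAIGN_DOMAIN_RE.search(url))


def hunt(rows, allowlist=APPROVED_REDIRECTOR_HOSTS):
    """Return the message ids the query would surface after the allow-list exclusion."""
    hits = []
    for msg_id, url in rows:
        if not matches_query(url):
            continue
        host = (urlparse(url).hostname or "").lower()
        if host in allowlist:  # approved redirector: tuned out as a known false positive
            continue
        hits.append(msg_id)
    return hits


if __name__ == "__main__":
    print("raw query hits:", hunt(SAMPLE_ROWS, allowlist=frozenset()))
    print("after tuning:  ", hunt(SAMPLE_ROWS))
```

Note that msg-003 is an internal redirector the first regex alone would catch; it is the second, campaign-specific regex that keeps it out of the results, while msg-004 is only removed by the allow-list.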