Adversaries operating the "Referral" phishing infrastructure send emails whose envelope sender (MAIL FROM) domain is one of the typo-squatted referral-style domains listed below, while the header From domain is spoofed to the recipient's own domain so the message looks like it came from an internal source. SOC teams can hunt for this pattern in Microsoft Sentinel (formerly Azure Sentinel) using Defender for Office 365 email data to find credential phishing attempts that lean on social engineering and internal trust.
KQL Query
// Known "Referral" sender domains (typo-squats of referral/refferal)
let EmailAddresses = pack_array
('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com',
'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com',
'irefferal.com','refferasl.co','zrefferal.com');
EmailEvents
// Envelope (MAIL FROM) domain belongs to the Referral infrastructure.
// Note: 'in' is case-sensitive; use 'in~' for a case-insensitive match.
| where SenderMailFromDomain in (EmailAddresses)
// Domain part of the recipient address
| extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
// Header From domain spoofed to match the recipient's own domain (looks internal)
| where SenderFromDomain == RecipientDomain
// Attach the URLs carried by each matching message
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
id: cdc4da1c-64a1-4941-be59-1f5cc85481ab
name: referral-phish-emails
description: |
  Hunting for credential phishing by the "Referral" infrastructure using Defender for Office 365 data
description-detailed: |
  The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and DigitalOcean to host their phishing pages.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Known "Referral" sender domains (typo-squats of referral/refferal)
  let EmailAddresses = pack_array
  ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
  'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com',
  'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com',
  'irefferal.com','refferasl.co','zrefferal.com');
  EmailEvents
  // Envelope (MAIL FROM) domain belongs to the Referral infrastructure ('in' is case-sensitive)
  | where SenderMailFromDomain in (EmailAddresses)
  // Domain part of the recipient address
  | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
  // Header From domain spoofed to match the recipient's own domain (looks internal)
  | where SenderFromDomain == RecipientDomain
  // Attach the URLs carried by each matching message
  | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) connector is enabled and streams this table |
| EmailUrlInfo | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) connector is enabled and streams this table |
The query only fires when the envelope sender domain is in the Referral list and the header From domain equals the recipient's domain, so legitimate internal notifications rarely match it; the scenarios below describe the kinds of internal link-bearing mail an analyst should be able to recognise and exclude, and any exclusion should be keyed on the header From address (SenderFromAddress) or the sending IP (SenderIPv4) and kept as narrow as possible.
Scenario: Legitimate System Backup Job
Description: A scheduled backup job (e.g., using Veeam, Commvault, or VSS on Windows) sends a confirmation email to the admin, which includes a link to the backup storage.
Filter/Exclusion: Exclude emails sent from known backup systems or domains, or filter by sender IP if the backup service uses a known IP range.
Scenario: User-Initiated File Sharing via Email
Description: An employee shares a file with a colleague using a tool like Microsoft SharePoint, Google Drive, or Dropbox, and the email includes a link to the shared file.
Filter/Exclusion: Exclude emails containing file-sharing links from known collaboration tools or filter by sender email addresses associated with internal file-sharing services.
Scenario: Admin Task Notification via Email
Description: An admin receives an email notification from Microsoft Intune, Azure AD, or Okta about a user activity or policy change.
Filter/Exclusion: Exclude emails from known admin tools or filter by sender email addresses associated with identity and access management (IAM) systems.
Scenario: Internal Knowledge Base or Wiki Link Sharing
Description: A user shares a link to an internal knowledge base (e.g., Confluence, SharePoint, or Notion) via email for team collaboration.
Filter/Exclusion: Exclude emails containing links to internal documentation platforms or filter by sender email addresses associated with internal knowledge management teams.
Scenario: Automated Report Distribution via Email
Description: A scheduled report (e.g., from Power BI, Tableau, or SQL Server Reporting Services) is sent to stakeholders via email, including a link to the report.
Filter/Exclusion: Exclude emails sent from report automation tools or filter by
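As an added example that is not part of the Sentinel hunting query above, the same detection with the sender allowlist tuning the scenarios describe, an explicit inner join, and constructed sample rows so it can be pasted into any Kusto query editor (the Sentinel Logs blade or the Azure Data Explorer web UI) and checked without real Defender for Office 365 data. SampleEmailEvents, SampleEmailUrlInfo, the contoso.com addresses, the URLs and the AllowedSenders list are assumptions made for the example; the column names follow the real EmailEvents and EmailUrlInfo schemas, so replacing the two sample tables with EmailEvents and EmailUrlInfo runs it against live data.

```kusto
// Added example: tuned Referral hunt with constructed sample data (not the original query).
let ReferralDomains = dynamic([
    "zreffertalt.com.com", "zreffesral.com.com", "kzreffertal.com.com",
    "wzreffertal.com.com", "refferal.comq", "refferal.net", "zreffertal.com.com",
    "zrefferal.com.com", "refferasl.com.com", "zreffesral.com", "zrefsfertal.com.com",
    "irefferal.com", "refferasl.co", "zrefferal.com"]);
// Hypothetical allowlist of internal notification senders (backup, reporting, IAM tools)
let AllowedSenders = dynamic(["backup-noreply@contoso.com", "reports@contoso.com"]);
// Constructed sample rows; column names match the EmailEvents schema
let SampleEmailEvents = datatable(Timestamp:datetime, NetworkMessageId:string,
    SenderMailFromDomain:string, SenderFromDomain:string, SenderFromAddress:string,
    RecipientEmailAddress:string, Subject:string, SenderIPv4:string)
[
  // envelope MAIL FROM on Referral infrastructure, header From spoofed as internal (the hunted pattern)
  datetime(2024-05-01 09:12:00), "msg-001", "zrefferal.com", "contoso.com",
    "it-helpdesk@contoso.com", "alice@contoso.com", "SharePoint: 'Q2 Payroll' shared with you", "203.0.113.10",
  // same pattern with an upper-case envelope domain; a case-sensitive 'in' would not see it
  datetime(2024-05-01 09:13:00), "msg-002", "ZREFFERAL.COM", "contoso.com",
    "it-helpdesk@contoso.com", "bob@contoso.com", "Action required: verify your account", "203.0.113.10",
  // Referral infrastructure, but header From is external: not the internal-spoof pattern
  datetime(2024-05-01 09:20:00), "msg-003", "refferal.net", "refferal.net",
    "promo@refferal.net", "carol@contoso.com", "Referral bonus", "198.51.100.7",
  // legitimate internal backup notification (envelope domain is the tenant's own)
  datetime(2024-05-01 02:00:00), "msg-004", "contoso.com", "contoso.com",
    "backup-noreply@contoso.com", "admin@contoso.com", "Nightly backup completed", "10.0.0.5"
];
// Constructed sample rows; column names match the EmailUrlInfo schema
let SampleEmailUrlInfo = datatable(NetworkMessageId:string, Url:string, UrlDomain:string)
[
  "msg-001", "https://storage.example-cloud.net/share/Q2Payroll.htm", "storage.example-cloud.net",
  "msg-002", "https://docs.example-host.com/verify?u=bob", "docs.example-host.com",
  "msg-004", "https://backup.contoso.com/jobs/20240501", "backup.contoso.com"
];
SampleEmailEvents
// domains are case-insensitive, so compare with in~ rather than in
| where SenderMailFromDomain in~ (ReferralDomains)
| extend RecipientDomain = tostring(split(RecipientEmailAddress, "@")[1])
// the internal-spoof pattern: header From domain equals the recipient's own domain
| where SenderFromDomain =~ RecipientDomain
// tuning from the scenarios above: drop known internal notification senders
| where SenderFromAddress !in~ (AllowedSenders)
// kind=inner keeps every EmailEvents row per message; the default innerunique
// keeps only one left row per NetworkMessageId and silently drops other recipients
| join kind=inner SampleEmailUrlInfo on NetworkMessageId
| summarize Urls = make_set(Url), UrlDomains = make_set(UrlDomain),
    Recipients = make_set(RecipientEmailAddress),
    AnySubject = take_any(Subject), AnySenderIPv4 = take_any(SenderIPv4)
    by NetworkMessageId, SenderFromAddress, SenderMailFromDomain
```

Two deliberate differences from the page's query: `in~` and `=~` make the domain comparisons case-insensitive, which is how mail domains actually behave, and `join kind=inner` is spelled out because Kusto's default join kind is `innerunique`, which keeps a single left-hand row per key and so loses the other recipients of a multi-recipient message. Against live data, add a time filter on Timestamp (or rely on the Sentinel time picker) and feed Urls/UrlDomains into URL reputation and EmailUrlInfo/UrlClickEvents pivots.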