Adversaries leverage frequently seen malicious URL domains to exfiltrate data or establish command and control, aligning with T1566 (Phishing). SOC teams should proactively hunt for these domains in their Azure Sentinel environment to identify and mitigate potential C2 channels and data exfiltration attempts.
KQL Query

```kql
EmailEvents
| where ThreatTypes != ""                             // keep only messages that received a threat verdict
| extend detection = parse_json(DetectionMethods)     // JSON object: verdict (Spam, Phish, ...) -> array of detection methods
| extend Spam = tostring(detection.Spam)
| extend Phish = tostring(detection.Phish)
| where (Spam == '["URL malicious reputation"]') or (Phish == '["URL malicious reputation"]') or (Phish == '["URL detonation reputation"]') or (Phish == '["URL detonation"]')   // URL-driven verdicts only
| join EmailUrlInfo on NetworkMessageId               // attach the URLs observed in each flagged message
| summarize total=count() by UrlDomain
| top 10 by total
| render columnchart
```
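As an added illustration, not part of the query's YAML definition or the Sentinel content repository, the Python below reimplements the query's filter, join and summarize over constructed sample rows shaped like EmailEvents and EmailUrlInfo. It also surfaces a caveat worth knowing when tuning the hunt: the query compares tostring(detection.Phish) against a whole serialised array, so a message whose DetectionMethods array holds more than one method is silently skipped; the `exact` flag switches between that behaviour and matching any URL-based method. Row shapes, message ids and domain names are assumptions.

```python
import json
from collections import Counter
# Constructed sample rows shaped like EmailEvents and EmailUrlInfo (not real tenant data).
# DetectionMethods is a JSON string whose keys (Spam, Phish, ...) map to arrays of methods.
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "ThreatTypes": "Phish",
     "DetectionMethods": '{"Phish":["URL malicious reputation"]}'},
    {"NetworkMessageId": "m2", "ThreatTypes": "Spam",
     "DetectionMethods": '{"Spam":["URL malicious reputation"]}'},
    {"NetworkMessageId": "m3", "ThreatTypes": "Phish",  # two methods in the array
     "DetectionMethods": '{"Phish":["URL detonation","Mixed analysis detection"]}'},
    {"NetworkMessageId": "m4", "ThreatTypes": "", "DetectionMethods": ""},  # no verdict
]
EMAIL_URL_INFO = [
    {"NetworkMessageId": "m1", "UrlDomain": "evil.example"},
    {"NetworkMessageId": "m1", "UrlDomain": "evil.example"},  # two URLs in one message
    {"NetworkMessageId": "m2", "UrlDomain": "evil.example"},
    {"NetworkMessageId": "m3", "UrlDomain": "bad.example"},
    {"NetworkMessageId": "m4", "UrlDomain": "benign.example"},
]
# The literal strings the query compares tostring(detection.Spam) / tostring(detection.Phish) to.
QUERY_LITERALS = {
    "Spam": {'["URL malicious reputation"]'},
    "Phish": {'["URL malicious reputation"]', '["URL detonation reputation"]', '["URL detonation"]'},
}
URL_METHODS = {"URL malicious reputation", "URL detonation reputation", "URL detonation"}

def is_url_verdict(detection_methods, exact=True):
    """exact=True mirrors the query's whole-array string match; exact=False matches any URL method."""
    if not detection_methods:
        return False
    detection = json.loads(detection_methods)
    for verdict, literals in QUERY_LITERALS.items():
        methods = detection.get(verdict)
        if not methods:
            continue
        if exact:  # tostring() of a KQL dynamic array has no spaces after commas
            if json.dumps(methods, separators=(",", ":")) in literals:
                return True
        elif any(m in URL_METHODS for m in methods):
            return True
    return False

def top_url_domains(events, urls, n=10, exact=True):
    # KQL's default join kind is innerunique: one left row per key, every matching right row.
    hits = {e["NetworkMessageId"] for e in events
            if e["ThreatTypes"] != "" and is_url_verdict(e["DetectionMethods"], exact)}
    counts = Counter(u["UrlDomain"] for u in urls if u["NetworkMessageId"] in hits)
    return counts.most_common(n)
```

With the sample rows, the exact match counts only evil.example, while the relaxed match also surfaces bad.example from the message with two detection methods.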
```yaml
id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
name: Top 10 URL domains attacking organization
description: |
  This query helps reviewing list of top 10 URL domains attacking the organization
description-detailed: |
  This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where ThreatTypes != ""
  | extend detection= parse_json(DetectionMethods)
  | extend Spam = tostring(detection.Spam)
  | extend Phish = tostring(detection.Phish)
  | where (Spam == '["URL malicious reputation"]') or (Phish == '["URL malicious reputation"]') or (Phish == '["URL detonation reputation"]') or (Phish == '["URL detonation"]')
  | join EmailUrlInfo on NetworkMessageId
  | summarize total=count() by UrlDomain
  | top 10 by total
  | render columnchart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
- **Scenario:** A system administrator is using PowerShell to download a legitimate software update from a known vendor domain (e.g., updates.microsoft.com).
  **Filter/Exclusion:** Exclude URLs that match known internal or vendor domains using a custom list in the SIEM or EDR tool (e.g., Splunk, ELK, Microsoft Defender for Endpoint).
- **Scenario:** A scheduled job runs nightly to fetch data from a cloud storage bucket (e.g., aws.s3.amazonaws.com) for backup purposes.
  **Filter/Exclusion:** Exclude traffic to cloud storage endpoints using IP whitelisting or domain-based exclusion rules in the SIEM or firewall.
- **Scenario:** An IT helpdesk tool (e.g., ServiceNow) is accessed via a URL like helpdesk.service-now.com by users during regular support tasks.
  **Filter/Exclusion:** Add the domain to a whitelist in the endpoint detection and response (EDR) tool or firewall, or use user-based filtering to exclude helpdesk-related activity.
- **Scenario:** A CI/CD pipeline (e.g., Jenkins) is accessing a public artifact repository (e.g., maven.org) to fetch dependencies.
  **Filter/Exclusion:** Exclude known CI/CD tool domains using application-based filtering in the EDR or SIEM, or use process whitelisting for the CI/CD agent process.
- **Scenario:** A remote desktop session (e.g., via RDP or TeamViewer) is connecting to an internal server, and the connection is routed through a public URL for tunneling.
  **Filter/Exclusion:** Use IP geolocation or traffic pattern analysis to distinguish between legitimate tunneling and malicious activity, or apply **application-layer