let my_domain = @"@example.com"; // update this line
EmailUrlInfo
| where Url contains @"=http" and Url endswith my_domain
| extend RedirectToUrl = extract(@"(=http.+)",1, Url)
| extend RedirectToUrl = substring(RedirectToUrl, 1)
| extend RedirectToUrl = url_decode(RedirectToUrl)
| extend RedirectToDomain = extract(@"(http.+\/\/.+?)(\/)", 1, RedirectToUrl)
| extend TargetedAccount = tostring(split(RedirectToUrl, "/")[-1])
| extend TargetedAccount = extract(@"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b", 0, TargetedAccount)
| extend RedirectFromDomain = UrlDomain
| join kind=leftouter EmailEvents on $left.NetworkMessageId == $right.NetworkMessageId
| summarize arg_max(Timestamp, *) by NetworkMessageId
| summarize FirstSeen = min(Timestamp),
LastSeen = max(Timestamp),
CountOfRedirectToDomain = dcount(tostring(RedirectToDomain)),
NumberOfEmails = dcount(NetworkMessageId),
CountOfTargetAccounts = dcount(tostring(TargetedAccount)),
OriginalUrlList = make_set(Url),
RedirectToUrlList = make_set(RedirectToUrl),
RedirectToDomainList = make_set(RedirectToDomain),
TargetAccountList = make_set(TargetedAccount),
Delivered = countif(LatestDeliveryAction == "Delivered"),
Blocked = countif(LatestDeliveryAction == "Blocked"),
Qurantined = countif(LatestDeliveryAction contains "quarantine"),
Deleted = countif(LatestDeliveryAction contains "delete"),
Junked = countif(LatestDeliveryAction contains "junked"),
Other = countif(LatestDeliveryAction !contains "quarantine" and LatestDeliveryAction !contains "delete" and LatestDeliveryAction !contains "junked" and LatestDeliveryAction != "Blocked")
by RedirectFromDomain
| order by CountOfRedirectToDomain, CountOfTargetAccounts
| project-reorder FirstSeen, LastSeen, RedirectFromDomain, NumberOfEmails, CountOfRedirectToDomain, CountOfTargetAccounts
-
Notifications
You must be signed in to change notification settings - Fork 0
hjorrip/Email-Redirect-Phishing-Hunt
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
About
No description, website, or topics provided.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published