Office 365 ATP Safe Links stops phishing and other email threats by modifying original links on emails to a URL in, with the original URL provided as a query parameter. Step 3: Consider Office 365 ATP Safe Links time-of-click verification Our results have grown by a factor of 10 to 22,293 rows. | where FileOriginUrl = MailLink or FileOriginReferrerUrl = MailLink We take this line: | join kind= inner (emailLinks) on ComputerName, $left.FileOriginUrl = $right.MailLinkĪnd modify it as follows: | join kind= inner (emailLinks) on ComputerName Let’s take the previous query and modify the join to support a match on either the FileOriginUrl or FileOriginReferrerUrl column. To cover such cases, we also check if the FileOriginReferrerUrl matches the email link. More often than not, an email contains a link to a page, and from there the user clicks on the download link. Our previous query returned only email links pointing directly to the downloads. But maybe there is something we have missed? This is a decent number of results, though a reasonable one to start slicing and dicing. On a reasonably large tenant, we got 2,404 results. | join kind= inner (emailLinks) on ComputerName, $left.FileOriginUrl = $right.MailLink | project FileName, FileOriginUrl, FileOriginReferrerUrl, ComputerName, EventTime, SHA1 | where isnotempty(FileOriginUrl) and InitiatingProcessFileName in~ ( "chrome.exe", "browser_broker.exe") | project ComputerName, MailLink=RemoteUrl | where ActionType = "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl) and InitiatingProcessFileName =~ "outlook.exe" MiscEvents // Filter on link clicks from Outlook (do case insensitive match using =~) We could join two events by matching the email link URL with the download URL ( FileOriginUrl). Let’s start by looking for downloaded files that originate from links sent via email. Step 1: Look for email links that result in browser downloads If you haven’t tried advanced hunting yet, sign up for a free Windows Defender ATP trial and experience how fast and convenient it is to hunt for possible breach activities in your network. In this August post, we are going to build on top of that and discuss more complex queries that join several noisy signals into stronger signals that you can use to hunt. In our July hunting tip, we shared a few advanced hunting queries based on browser download events and explained in depth where this data is from and what it means.
0 Comments
Leave a Reply. |