Detects a device launching a browser to visit a URL that contains a base64 encoded email address.
example:
Clicked url has hidden second stager url(s) and encoded user name that is passed to the phishing site
Related
AiTM phishing
Reference:
https://securelist.com/html-attachments-in-phishing-e-mails/106481/
{{ mitre("T1027") }}
Data Source(s): TBA
DeviceEvents
| where ActionType == "BrowserLaunchedToOpenUrl" and isnotempty(RemoteUrl)
| where base64_decode_tostring(extract(@".+http.*\%2F([A-Za-z0-9+\/]{6,}=?)", 1, RemoteUrl)) has_any (".gov", ".com")
- Sandbox link, or search second stager domain on https://urlscan.io/ for indication of phishing attacks
- If pfishing attack is confirmed check if user has exposed credentials
- Inspect logs for additional downloaded malware
- Reset user’s passwords and revoke session tokens if proven to be successful
Expected legitimate sites to use base64 to pass username
Version 1.0 (date: 11/10/2023)