Files

T

Terrance DeJesus b0ca02605f [New Hunt] Potential Spoofed microsoftonline.com via Fuzzy Match (#4770 )

* new hunt for spoofed MSFT domains

* added lookback time to ESQL query

2025-06-26 12:38:48 -04:00

3.7 KiB

Raw Blame History

Potential Spoofed `microsoftonline.com` via Fuzzy Match

Metadata

Author: Elastic
Description: This hunting query identifies potential spoofed domain activity targeting Microsoft online services by detecting fuzzy matches to the domain microsoftonline.com. The approach uses approximate string matching (fuzziness) on domain and URL fields, then scores each result by similarity. A static confidence threshold is applied to filter out high-confidence legitimate matches while surfacing potential typosquats and lookalikes.

This technique is useful for identifying phishing campaigns, misconfigured infrastructure, or domain squatting activity targeting Microsoft users and applications. It relies on string similarity scoring and known-good domain exclusions to reduce false positives and focus the hunt on medium- to high-risk spoofed domains.

UUID: e912f5c6-eed3-11ef-a5d7-6f9f7a1e2e00
Integration: endpoint, network_traffic, system, azure, o365, windows
Language: [ES|QL]
Source File: Potential Spoofed microsoftonline.com via Fuzzy Match

Query

FROM logs-* METADATA _score
| WHERE (
    url.domain IS NOT NULL OR
    url.original IS NOT NULL OR
    destination.domain IS NOT NULL OR
    dns.question.name IS NOT NULL
)
| EVAL domain = COALESCE(url.domain, url.original, destination.domain, dns.question.name)::STRING
| WHERE NOT(
    domain RLIKE "^(login|portal|api)\\.microsoftonline\\.com$" OR
    domain RLIKE ".*\\.onmicrosoft\\.com$" OR
    domain == "microsoftonline.com")
| WHERE (
    match(url.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
    match(url.original, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
    match(destination.domain, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 }) OR
    match(dns.question.name, "microsoftonline.com", { "fuzziness": "AUTO", "max_expansions": 10 })
)
| EVAL confidence = CASE(
    _score >= 5.999, "low",
    _score > 4, "medium",
    "high"
)
| WHERE confidence != "low"
   OR domain IN ("micsrosoftonline.com", "outlook-office.micsrosoftonline.com")
| SORT _score DESC
| KEEP @timestamp, source.ip, user.id, domain, _score, confidence

Notes

Investigate domains that resemble microsoftonline.com but have slight character substitutions (e.g., micros0ftonline.com, m1crosoftonline.com).
Fuzzy matching assigns a _score based on edit distance. Higher scores mean a closer match to the legitimate domain.
Only medium- and high-confidence results are surfaced by excluding _score >= 6, which usually represents exact or near-exact matches.
Legitimate Microsoft domains like login.microsoftonline.com, portal.microsoftonline.com, and tenant domains ending in .onmicrosoft.com are excluded from results to reduce noise.
Results are ranked by _score DESC and tagged with a confidence level: low, medium, or high.
This query is best used interactively during hunts and may require tuning for specific environments with high Microsoft traffic.

MITRE ATT&CK Techniques

References

https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

License

Elastic License v2

3.7 KiB Raw Blame History

Potential Spoofed microsoftonline.com via Fuzzy Match