Cryptsus Blog rss-feed  |  We craft cyber security solutions.

Detect phishing attacks with Zscaler and Sentinel

By: Jeroen van Kessel  |  December 6th, 2022 | 5 min read

According to the security firm Cofense, 93% of breaches in 2021 involve a phishing attack. This number shows how prevalent the risk of phishing remains, and that we as a security industry did not mitigate this problem. This blog post explains a phishing use-case when Microsoft Defender for 365 did not detect or quarantine a malicious phishing e-mail (in time). Zscaler can see possible malicious phishing URLs based on website category, ThreatLabz, and other metrics. By leveraging this information and a count of users visiting a flagged URL within a one hour timeframe, we can identify a possible undetected phishing campaign in Sentinel SIEM.

Scenario

Let's say your organization is a target of a phishing campaign. This means multiple users can receive phishing mails if the malicious e-mails are not quarentined. The picture below is an example of a malicious phishing e-mail. The "review recent activity" button does not direct you to a Microsoft page, but to a malicious website through https://bit.ly URL shortening services. In this case, Microsoft Defender M365 did not flag or quarantine this malicious mail:

phishing-email
Figure 1: Undetected malicious phishing e-mail. Source: phishing.org

If the Zscaler ZIA endpoint agent is active on a system, it can keep track of all visited URLs. This way, we can create a KQL query to keep track of all links, which could be a security risk. In this case, when three or more employees click on the phishing bit.ly link - Sentinel SIEM will create an alert.

//Default Sentinel ZIA parser
_ASim_WebSession_ZscalerZIAV03()
//Filter on possible phishing links
| where urlclass == "Advanced Security Risk"
//Only output unique entries within the last hour
| distinct User, RequestURL, UrlCategory, DeviceEventClassID, EventOriginalResultDetails, ThreatName ,RuleName, NetworkApplicationProtocol, ThreatRiskLevel, bin(TimeGenerated, 1h)
//Only generate an alert if 3 or more users clicked on a possible phishing link
| summarize Clicks = make_list(User), dcount(User) by RequestURL, UrlCategory, DeviceEventClassID, EventOriginalResultDetails, ThreatName ,RuleName, NetworkApplicationProtocol, ThreatRiskLevel, bin(TimeGenerated, 1h)
| project TimeGenerated, dcount_User, RequestURL, NetworkApplicationProtocol, DeviceEventClassID, EventOriginalResultDetails, ThreatRiskLevel, UrlCategory, ThreatName, RuleName, Clicks
//The amount of users depends on the size of your organization. Increase this number accordingly.
| where dcount_User >= 3

You can also find this Sentinel SIEM KQL query on GitHub.

zscaler-sentinel-siem
Figure 2: Zscaler threat hunting detection rule for phishing in Sentinel SIEM

Next, an incident response investigation can be started by the SOC team, depending on the nature of the attack and possible victims.

There is a GAP though - users who clicked on the phishing link on their smartphones or tablets. Furthermore, targetted phishing attacks might not fall under the threshhold count within the KQL query. Moreover, newely registered domains, or subdomains and FDQNs of trusted domains are not queried in this use-case.

SIEM use case goal: detect phishing campaigns which did not get blocked or detected by Microsoft 365 or Google Workspace.

Many other use cases and alerts can be created based on your environment and business risks. Are you missing important alerts? Is your SIEM outdated? Contact us if you want to take your SIEM to the next level.

Discussion and questions