What Changed
Microsoft Defender XDR solution updated to v3.0.14 with a new hunting query:
- Added: Punycode chars lookalike domains hunting query
- Solution packaging: Updated ARM templates and metadata for new content
Hunting Query Addition
The new hunting query targets Punycode character abuse in domain name attacks:
- Detection focus: Lookalike domains using Punycode (internationalized domain names) to impersonate legitimate sites
- Attack vector: Threat actors use visually similar Unicode characters to create deceptive domains (e.g., using Cyrillic “а” instead of Latin “a”)
- Data source: Likely targets Microsoft Defender for Endpoint DNS/web activity or email URL data
Security Impact (Threat Hunting)
Punycode abuse represents a significant phishing and brand impersonation threat:
- Visual deception: Unicode lookalike characters create domains that appear legitimate to users
- Detection gap: Traditional string-based blocking matches the ASCII brand name and often misses the xn-- encoded Punycode variants that render as that name
- Hunting capability: Enables proactive identification of suspicious internationalized domains in network traffic
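The Punycode decoding and homoglyph check described in the two sections above, as an added Python example (not the solution's hunting query, which this diff does not show). It uses only the standard library; the confusables subset, the brand watchlist and the sample domains are constructed for illustration.

```python
import unicodedata

# Constructed subset of Unicode confusables: non-Latin letters whose glyphs
# look like Latin letters (the Cyrillic "а" vs Latin "a" case from the notes).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "і": "i", "ј": "j", "ӏ": "l", "ԁ": "d", "ѕ": "s"}

# Constructed brand watchlist; a real hunt would read this from a watchlist table.
PROTECTED_BRANDS = {"apple", "paypal", "microsoft"}

# Constructed sample domains as they would appear in DNS/web telemetry.
SAMPLE_DOMAINS = ["xn--80ak6aa92e.com", "xn--pypal-4ve.com",
                  "xn--mnchen-3ya.de", "login.microsoft.com"]


def decode_label(label: str) -> str:
    """Decode one DNS label; 'xn--' labels carry Punycode (RFC 3492)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Script of each letter, taken from its Unicode name (e.g. 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin lookalike so 'аррӏе' becomes 'apple'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess_domain(domain: str) -> dict:
    """Flag a domain if an IDN label mixes scripts or folds to a protected brand."""
    raw_labels = domain.lower().split(".")
    labels = [decode_label(l) for l in raw_labels]
    findings = []
    for raw, label in zip(raw_labels, labels):
        if not raw.startswith("xn--"):
            continue  # plain ASCII labels cannot carry Unicode homoglyphs
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in '{label}'")
        folded = skeleton(label)
        if folded != label and folded in PROTECTED_BRANDS:
            findings.append(f"'{label}' folds to protected brand '{folded}'")
    return {"domain": domain, "unicode": ".".join(labels),
            "suspicious": bool(findings), "findings": findings}


def hunt(domains=SAMPLE_DOMAINS) -> list:
    """Return only the suspicious results, the rows a hunter would review."""
    return [r for r in map(assess_domain, domains) if r["suspicious"]]
```

The legitimate IDN münchen.de passes because its label is single-script and folds to itself, which is the false positive a pure "xn-- present" rule would raise.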
Note: This PR references content from PR #13535. The actual hunting query logic is not visible in this packaging-only diff.
Affected Files
(packaging artefacts: 3.0.14.zip, ReleaseNotes.md, Solution_Microsoft Defender XDR.json, createUiDefinition.json, mainTemplate.json)