What Changed

New hunting query targeting phishing campaigns that use raw IPv4 addresses as URL domains instead of registered domain names to evade DNS-based reputation filtering.

Detection Logic

The query joins EmailUrlInfo with EmailEvents on NetworkMessageId to find delivered inbound emails containing URLs whose UrlDomain field matches an IPv4 dotted-quad regex pattern. Primary data sources are the EmailEvents and EmailUrlInfo tables from the Microsoft Threat Protection connector.

Core logic filters for:

  • 30-day lookback window
  • UrlDomain matching an IPv4 dotted-quad regex pattern
  • EmailDirection == "Inbound"
  • DeliveryAction == "Delivered"

Entity mappings include IP (UrlDomain), URL (Url), and Account (RecipientEmailAddress).
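An illustrative KQL reconstruction of the logic described above, added here as an example; it is not the query in the PR's YAML file, and it assumes the Microsoft Sentinel EmailEvents and EmailUrlInfo table schemas (TimeGenerated, NetworkMessageId, Url, UrlDomain, EmailDirection, DeliveryAction, SenderFromAddress, RecipientEmailAddress, Subject):

```kql
// Illustrative reconstruction of the detection logic described in this PR; not the shipped query.
let lookback = 30d;
// Anchored dotted-quad pattern with per-octet range checks (0-255), so a hostname
// such as "10.example.com" or a value with a fifth octet does not match.
let ipv4Regex = @"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$";
EmailUrlInfo
| where TimeGenerated > ago(lookback)
| where UrlDomain matches regex ipv4Regex
// Optional tuning beyond the described logic: drop links to RFC 1918 addresses,
// which are usually internal tooling rather than external phishing infrastructure.
| where not(ipv4_is_private(UrlDomain))
| join kind=inner (
    EmailEvents
    | where TimeGenerated > ago(lookback)
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    // Keep only the columns needed so the join does not produce duplicate TimeGenerated1 fields.
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject
) on NetworkMessageId
| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain
| order by TimeGenerated desc
```

The three projected columns UrlDomain, Url and RecipientEmailAddress line up with the IP, URL and Account entity mappings listed above.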

MITRE Mapping

  • T1566 (Phishing): Primary technique for initial access via malicious emails
  • T1566.002 (Spearphishing Link): Specific sub-technique for URL-based phishing delivery

Affected Files

Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Phish/IP-as-URL-Domain-Detection.yaml