Adversaries may use open redirector URLs in phishing emails to bypass security controls and deliver malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential phishing campaigns that evade standard detection mechanisms.
KQL Query

```kql
EmailUrlInfo
| where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
```
Hunting query definition (YAML)

```yaml
id: c73911ab-bcc0-4add-9963-597d2fb74488
name: PhishingEmailUrlRedirector
description: |
  This query was originally published on Twitter, by @MsftSecIntel.
  The query helps detect emails associated with a campaign that has used open redirector URLs. The campaign's URLs begin with the distinct pattern, hxxps://t. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
  Reference - https://twitter.com/MsftSecIntel
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
tactics:
  - Initial access
query: |
  EmailUrlInfo
  | where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
```
| Sentinel Table | Notes |
|---|---|
| EmailUrlInfo | Ensure this data connector is enabled |
Known false-positive scenarios and suggested exclusions

- Scenario: Legitimate URL Shortener Usage
  - Description: Employees may use URL shortening services like Bitly or TinyURL for internal links, which could be flagged as open redirectors.
  - Filter/Exclusion: Exclude URLs that contain known shortening domains (e.g., bit.ly, tinyurl.com) or use a custom domain registered by the organization.
- Scenario: Scheduled Job or Automation Script
  - Description: A scheduled job or automation script (e.g., using PowerShell, Python, or Ansible) may generate or send emails with redirect URLs for internal purposes, such as sending reports or updates.
  - Filter/Exclusion: Exclude emails sent from known automation accounts (e.g., [email protected]) or those with a specific subject line or header indicating automation.
- Scenario: Internal Phishing Training Simulation
  - Description: Security teams may run phishing simulations using tools like PhishMe or KnowBe4, which include fake URLs that mimic phishing attempts.
  - Filter/Exclusion: Exclude emails from known training domains (e.g., [email protected]) or those with a specific “simulate” or “training” tag in the subject line.
- Scenario: Admin Task with External Monitoring Tools
  - Description: System administrators may use external monitoring tools like Splunk, Datadog, or Prometheus to send alerts via email, which may include URLs for dashboards or logs.
  - Filter/Exclusion: Exclude emails sent from admin accounts (e.g., [email protected]) or those containing specific monitoring tool identifiers in the body or headers.
- Scenario: Cloud Service Integration with Redirect URLs
  - Description: Integration with cloud services like Azure AD or Okta may involve redirect URLs for SSO, which are legitimate but could be flagged by the rule.
  - Filter/Exclusion: Exclude URLs that match known cloud service
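As an added example (not part of the original hunting query or the Microsoft content it cites), the Python below applies the same regex offline to constructed rows and then layers on exclusions of the kind listed in the scenarios above: an organisation-owned redirector host, a known automation sender, and a simulation tag in the subject. It assumes EmailUrlInfo.Url has been joined with the sender and subject columns of EmailEvents on NetworkMessageId; the allowlist values, hosts and sample rows are placeholders, not values from the page.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Regex from the hunting query, unchanged; Python's re accepts the same escapes.
OPEN_REDIRECT_RE = re.compile(r"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?")

# Constructed tuning lists (placeholders, not real organisation values).
TRUSTED_REDIRECT_HOSTS = {"t.corp-example.com"}      # organisation-owned redirector
AUTOMATION_SENDERS = {"reports@corp-example.com"}     # known automation account
SIMULATION_MARKERS = ("[simulate]", "[training]")     # subject tags of phishing simulations


def matches_open_redirector(url: str) -> bool:
    """Hunting-regex hit. Defanged hxxp/hxxps URLs match too: the pattern
    anchors on 's?://', not on the scheme name."""
    return OPEN_REDIRECT_RE.search(url) is not None


def exclusion_reason(row: dict) -> Optional[str]:
    """Return why a matching row is treated as benign, or None to raise it."""
    host = urlsplit(row["Url"].replace("hxxp", "http", 1)).hostname or ""
    if host.lower() in TRUSTED_REDIRECT_HOSTS:
        return "trusted redirector host"
    if row["SenderFromAddress"].lower() in AUTOMATION_SENDERS:
        return "known automation sender"
    if any(m in row["Subject"].lower() for m in SIMULATION_MARKERS):
        return "phishing simulation"
    return None


def triage(rows):
    """Split regex hits into (raised, suppressed); non-matching rows are dropped."""
    raised, suppressed = [], []
    for row in rows:
        if not matches_open_redirector(row["Url"]):
            continue
        reason = exclusion_reason(row)
        (raised if reason is None else suppressed).append({**row, "Reason": reason})
    return raised, suppressed


def _row(mid, url, sender, subject):
    return {"NetworkMessageId": mid, "Url": url, "SenderFromAddress": sender, "Subject": subject}


# Constructed sample rows: two external hits, three benign hits, one non-match.
SAMPLE_ROWS = [
    _row("m1", "https://t.sample-redir.net/r?url=https://login.example.test/", "billing@outside.test", "Invoice overdue"),
    _row("m2", "https://www.t.sample-redir.net/a/b/redirect/?u=https://example.test", "news@outside.test", "Newsletter"),
    _row("m3", "https://t.corp-example.com/r?target=https://intranet.corp-example.com", "hr@corp-example.com", "Benefits update"),
    _row("m4", "hxxps://t.sample-redir.net/r?u=https://example.test", "reports@corp-example.com", "Nightly report"),
    _row("m5", "https://t.sample-redir.net/redirect?u=x", "sec@corp-example.com", "[Training] Please review"),
    _row("m6", "https://t.co/AbC123", "friend@outside.test", "Check this out"),
]
```

Running `triage(SAMPLE_ROWS)` raises m1 and m2 for analyst review and suppresses m3, m4 and m5 with their reasons; m6 never matches the regex because no `/r` or `/redirect` path segment follows the `t.` host.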