Qakbot adversaries are using Craigslist domains to host malicious links in phishing emails, attempting to deceive users into interacting with compromised infrastructure. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate Qakbot campaign activity before it leads to credential theft or lateral movement.
KQL Query

```kusto
DeviceNetworkEvents
| where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"
```
```yaml
id: 44b525e1-a1dd-483c-9f45-e5e4a9ccf5ee
name: Qakbot Craigslist Domains
description: |
  Qakbot operators have been abusing the Craigslist messaging system to send malicious emails. These emails contain non-clickable links to malicious domains impersonating Craigslist, which the user is instructed to manually type into the address bar to access.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  # Sentinel expects the MITRE tactic name without spaces
  - InitialAccess
query: |
  DeviceNetworkEvents
  | where RemoteUrl matches regex @"abuse\.[a-zA-Z]\d{2}-craigslist\.org"
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
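To check what the regex above actually catches before deploying it, the same pattern can be run over a handful of DeviceNetworkEvents-style records offline. This is an added example, not part of the original query or the Sentinel content; the sample records and device names are constructed, and the summarize step is a hypothetical equivalent of a KQL `summarize ... by DeviceName` for triage.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the Sentinel hunting query above (KQL `matches regex` is an
# unanchored search, so re.search is the matching Python semantics).
QAKBOT_CRAIGSLIST_RE = re.compile(r"abuse\.[a-zA-Z]\d{2}-craigslist\.org")

# Constructed DeviceNetworkEvents-style records (not real telemetry); only the
# columns this check needs are included.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "RemoteUrl": "https://abuse.a12-craigslist.org/report/4471",
     "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws-02", "RemoteUrl": "https://sfbay.craigslist.org/search/sss",
     "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws-01", "RemoteUrl": "abuse.q07-craigslist.org",
     "InitiatingProcessFileName": "msedge.exe"},
    {"DeviceName": "ws-03", "RemoteUrl": "https://abuse.craigslist.org/",
     "InitiatingProcessFileName": "outlook.exe"},
]


def hostname(remote_url):
    """Return the host part of a RemoteUrl value; bare hostnames pass through."""
    if "://" not in remote_url:
        remote_url = "//" + remote_url
    return (urlsplit(remote_url).hostname or "").lower()


def hunt(events, pattern=QAKBOT_CRAIGSLIST_RE):
    """Mirror the KQL `where` clause: keep events whose RemoteUrl matches."""
    return [e for e in events if pattern.search(e.get("RemoteUrl", ""))]


def summarize_by_device(hits):
    """Hypothetical triage step: group matched hosts by DeviceName."""
    by_device = {}
    for e in hits:
        by_device.setdefault(e["DeviceName"], set()).add(hostname(e["RemoteUrl"]))
    return {device: sorted(hosts) for device, hosts in by_device.items()}


if __name__ == "__main__":
    for device, hosts in summarize_by_device(hunt(SAMPLE_EVENTS)).items():
        print(device, hosts)
```

Note that the genuine `sfbay.craigslist.org` and `abuse.craigslist.org` hosts do not match, because the pattern requires a letter plus two digits between `abuse.` and `-craigslist.org`.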
Scenario: Legitimate Scheduled Job for Email Archiving
Description: A scheduled job using Microsoft Exchange Online Archiving or Microsoft 365 Message Archiving is processing emails and inadvertently triggering the rule due to the presence of “Craigslist” in the email subject or body.
Filter/Exclusion: Exclude emails where the sender is a known internal archiving service account (e.g., [email protected]) or filter by the X-MS-Exchange-Organization-Message-Id header to identify system-generated emails.
Scenario: Internal Help Desk Sending Test Emails
Description: The Help Desk team uses ServiceNow or Zendesk to send test emails to users, which may include the word “Craigslist” in the subject line as part of a test scenario.
Filter/Exclusion: Exclude emails from known help desk service accounts (e.g., [email protected]) or filter by the presence of a test flag in the email headers (e.g., X-Test-Email: Yes).
Scenario: Automated Email Campaigns with “Craigslist” in Subject Line
Description: A marketing team using Mailchimp or HubSpot sends out email campaigns that include “Craigslist” in the subject line as part of a promotional message (e.g., “Craigslist Deals for You!”).
Filter/Exclusion: Exclude emails from known marketing domains or filter by the presence of a campaign ID in the email headers (e.g., X-Campaign-ID: 12345).
Scenario: Internal System Notifications with “Craigslist” in Message Body
Description: An internal system like ServiceNow or Jira sends notifications to users that include the word “Craigslist” in the message