Adversaries may use raw IP addresses as URL domains in phishing emails to bypass domain reputation checks and deliver malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing campaigns and malware distribution attempts that evade traditional detection mechanisms.
KQL Query
```kusto
EmailUrlInfo
| where Timestamp > ago(30d)
| where UrlDomain matches regex @"^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)$"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(30d)
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId, SenderFromDomain, Subject, DeliveryAction,
              RecipientEmailAddress, EmailDirection, ThreatTypes
) on NetworkMessageId
| project Timestamp, SenderFromDomain, UrlDomain, Url, DeliveryAction,
          EmailDirection, ThreatTypes, Subject, RecipientEmailAddress
| order by Timestamp desc
```
```yaml
id: 6492c4ea-5e56-4ceb-9974-3c0c39cb4d71
name: Raw IP Address Used as URL Domain
description: |
  Detects delivered inbound emails with URLs that use a raw IPv4 address as the domain. This pattern often indicates phishing or malware delivery designed to evade domain-based reputation checks.
description-detailed: |
  This query identifies delivered inbound emails containing URLs where the domain field is a
  raw IPv4 address (four dotted-quad octets). It joins EmailEvents with EmailUrlInfo on
  NetworkMessageId to enrich the URL with sender, subject, delivery action, and threat verdict.
  Attack patterns detected:
  - Phishing links pointing to compromised IP addresses with no domain registration trail
  - Commodity malware delivery URLs that avoid DNS-based takedown
  - Generic spam campaigns bypassing reputation filters via raw IP rotation
  Tuning notes:
  - Filter on EmailDirection == "Inbound" to exclude outbound security correspondence that
    may legitimately reference raw IPs in vulnerability disclosures
  - Maintain an allowlist of trusted security workflow mailboxes if outbound security
    correspondence is a common false-positive source
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
  - T1566.002
query: |
  EmailUrlInfo
  | where Timestamp > ago(30d)
  | where UrlDomain matches regex @"^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)$"
  | join kind=inner (
      EmailEvents
      | where Timestamp > ago(30d)
      | where EmailDirection == "Inbound"
      | where DeliveryAction == "Delivered"
      | project NetworkMessageId, SenderFromDomain, Subject, DeliveryAction,
                RecipientEmailAddress, EmailDirection, ThreatTypes
  ) on NetworkMessageId
  | project Timestamp, SenderFromDomain, UrlDomain, Url, DeliveryAction,
            EmailDirection, ThreatTypes, Subject, RecipientEmailAddress
  | order by Timestamp desc
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: UrlDomain
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: RecipientEmailAddress
version: 1.0.1
metadata:
  source:
    kind: Community
  author:
    name: Ievgen Bondarenko
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Internal Monitoring Tool Sending Alerts via Email
Description: A security tool like Splunk or ELK Stack sends daily summary emails to administrators, including links to dashboards hosted on internal servers. These links may contain internal IP addresses as domains.
Filter/Exclusion: Exclude emails from known internal monitoring tools (e.g., from: [email protected]) or use a regex to filter out URLs containing internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Scenario: Scheduled Job Generating Reports with Internal IPs
Description: A PowerShell or Python script runs nightly to generate reports and sends them via email. The script may include internal IP addresses in the report links for internal reference.
Filter/Exclusion: Exclude emails sent by scheduled jobs (e.g., from: [email protected]) or filter URLs containing internal IP ranges using a regex pattern.
Scenario: DNS Monitoring Tool Using IP Addresses as Domains
Description: A DNS monitoring tool like DNSWatch or OpenDNS may use raw IP addresses as domains for testing or logging purposes. These are legitimate and part of normal operations.
Filter/Exclusion: Exclude emails from known DNS monitoring tools or filter URLs that match the tool’s internal IP address ranges.
Scenario: Internal DevOps Pipeline with IP-based Testing
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) may include testing URLs that use internal IP addresses for load testing or internal service discovery.
Filter/Exclusion: Exclude emails from CI/CD systems (e.g., `from:
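As an added example (it is not part of the original hunting query or its author's work), the following KQL applies the exclusions that the tuning notes and the false-positive scenarios above describe: links to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are dropped with the built-in `ipv4_is_private()` function, and a sender allowlist removes the monitoring, scheduled-job and CI/CD mailboxes. The addresses in `allowlisted_senders` are placeholders to replace with your own; `SenderFromAddress` is an EmailEvents column that the original query did not project.

```kusto
// Added example, not the original query: the raw-IP URL hunt with the
// false-positive exclusions from the scenarios above applied.
let lookback = 30d;
// Placeholder mailboxes (replace with your own): monitoring tool, nightly
// report job and CI/CD system that legitimately mail links to internal IPs.
let allowlisted_senders = dynamic([
    "monitoring-alerts@example.internal",
    "reports-scheduler@example.internal",
    "ci-pipeline@example.internal"
]);
EmailUrlInfo
| where Timestamp > ago(lookback)
// Same dotted-quad match as the original query: each octet limited to 0-255
| where UrlDomain matches regex @"^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)$"
// Scenarios 1-4 all involve links into private address space; keep only
// URLs whose host is a publicly routable IPv4 address
| where not(ipv4_is_private(UrlDomain))
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | where DeliveryAction == "Delivered"
    // Drop the known automated senders (case-insensitive comparison)
    | where SenderFromAddress !in~ (allowlisted_senders)
    | project NetworkMessageId, SenderFromAddress, SenderFromDomain, Subject,
              DeliveryAction, RecipientEmailAddress, EmailDirection, ThreatTypes
) on NetworkMessageId
| project Timestamp, SenderFromAddress, SenderFromDomain, UrlDomain, Url,
          DeliveryAction, EmailDirection, ThreatTypes, Subject, RecipientEmailAddress
| order by Timestamp desc
```

Two caveats when adopting this. First, the sender allowlist keys on the From address, which an attacker can forge, so pair it with the message's authentication results (the `AuthenticationDetails` column in EmailEvents) before trusting it, or restrict the allowlist to senders that only ever deliver internally. Second, `ipv4_is_private()` suppresses every private-range link, including one that a phishing mail might use to lure a user toward an internal host; if that case matters to you, replace the private-range exclusion with an explicit list of the internal dashboard and report hosts instead.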