Detecting RDP Phishing Attacks in Microsoft Sentinel
Author: CyberHawk Consultancy | Date: August 2025
Introduction
In light of campaigns like the Midnight Blizzard spear-phishing attack, detecting RDP-based phishing has become a crucial capability. Unlike traditional attachments, the use of .RDP files introduces new evasion techniques by leveraging trusted protocols and signed configuration files.
This blog walks through how to detect a full RDP phishing attack chain using Microsoft Sentinel and KQL:
- Delivery of the .RDP file via email
- Execution of the RDP file by the user (via mstsc.exe)
- RDP session established to attacker-controlled infrastructure
Phase 1: Detect RDP File Sent via Email
Objective
Identify if a .RDP file was delivered to an end user as an email attachment.
KQL Query
// Search emails (last 7 days) that carried an .rdp attachment
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileName endswith ".rdp"
| join kind=inner (
EmailEvents
| where Timestamp > ago(7d)
) on NetworkMessageId
// SHA256 (the attachment hash) replaces AttachmentId, which is not a column of EmailAttachmentInfo
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, FileName, SHA256
Explanation
- EmailAttachmentInfo: Table that logs email attachments scanned by Defender for Office 365.
- .rdp extension: Looks for RDP config files.
- Join on NetworkMessageId: Correlates the attachment with the parent email message.
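Once the Phase 1 query surfaces an attachment, a responder usually wants to know where the file points and what it exposes before the user opens it. The following Python snippet is an added example, not code from the original post: it parses the plain-text key:type:value lines of an .rdp file and flags the target host and the resource-redirection settings. The sample file content and the list of "internal" address ranges are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample .rdp attachment (not a real indicator). .rdp files are plain
# text with one "key:type:value" setting per line, the format mstsc.exe reads.
SAMPLE_RDP = """\
full address:s:203.0.113.45:3389
username:s:CORP\\jdoe
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
"""
RDP_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")
# Ranges treated as the internal address space (assumption); anything else is external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Flags that, when set to 1, hand the remote host access to the victim's local resources.
REDIRECT_FLAGS = ("redirectdrives", "redirectclipboard", "redirectsmartcards", "redirectprinters")

def parse_rdp(text: str) -> dict:
    """Return {key: value} for every well-formed key:type:value line (keys lower-cased)."""
    settings = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = m["value"].strip()
    return settings

def triage_rdp(text: str) -> dict:
    """Extract the target host and the settings a responder checks first."""
    s = parse_rdp(text)
    addr = s.get("full address", "")
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():   # no explicit port (IPv6 literals not handled)
        host, port = addr, "3389"
    try:
        external = not any(ip_address(host) in net for net in INTERNAL)
    except ValueError:                  # a hostname rather than an IP literal
        external = None
    findings = []
    if external:
        findings.append(f"target {host}:{port} lies outside the internal address space")
    enabled = [k for k in REDIRECT_FLAGS if s.get(k) == "1"]
    if enabled:
        findings.append("local resource redirection enabled: " + ", ".join(enabled))
    if s.get("drivestoredirect") == "*":
        findings.append("all local drives are shared with the remote host")
    if "signature" in s:
        findings.append("file carries a signature block; check the signer before trusting it")
    return {"host": host, "port": int(port), "external": external,
            "redirections": enabled, "findings": findings}
```

A hostname target yields `external: None`, since the script works offline and does not resolve names; pair it with the Phase 3 network query to see where the session actually went.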
Phase 2: Detect User Opening RDP File
Objective
Identify if the user opened the .RDP file via mstsc.exe or RDCMan.exe.
KQL Query
// Detect mstsc.exe or RDCMan.exe launched with an .rdp file on its command line.
// Double-clicking an .rdp file starts the client from explorer.exe, so the file
// shows up in ProcessCommandLine, not in InitiatingProcessFileName.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mstsc.exe", "RDCMan.exe")
| where ProcessCommandLine contains ".rdp"
| project Timestamp, DeviceName, AccountName, AccountUpn, FileName, ProcessCommandLine, InitiatingProcessFileName
Explanation
- DeviceProcessEvents: Captures process creation activity from Defender for Endpoint.
- ProcessCommandLine contains ".rdp": Filters launches where an RDP file was passed to the client, i.e. the file was the origin of the session.
- mstsc.exe / RDCMan.exe: Common programs that launch RDP sessions.
Phase 3: RDP Connection to Attacker-Controlled Host
Objective
Find RDP sessions that initiated outbound connections to suspicious or unknown public IPs.
KQL Query
// Detect RDP (port 3389) outbound to external IPs
DeviceNetworkEvents
| where RemotePort == 3389
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
Explanation
- RemotePort == 3389: Default port for RDP sessions.
- RemoteIPType == "Public": Ensures this is not an internal corporate host.
- ConnectionSuccess: Confirms the session was established.
You can also enrich this with ThreatIntelligenceIndicator for IOC matching:
// Only active indicators that carry a network IP are useful for matching
let iocs = ThreatIntelligenceIndicator
| where Active == true and isnotempty(NetworkIP)
| where Description has "APT29" or ThreatType == "MaliciousIP"
| summarize by NetworkIP;
DeviceNetworkEvents
| where RemotePort == 3389
| where RemoteIP in (iocs)
Optional: Build End-to-End Attack Chain Detection
You can chain all 3 phases using a combination of join and summarize by DeviceName or AccountName within a defined time window.
// Correlate RDP email delivery + execution + outbound connection (last 7 days)
let emails = EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileName endswith ".rdp"
| join kind=inner (
EmailEvents
| where Timestamp > ago(7d)
) on NetworkMessageId
| project EmailTime=Timestamp, RecipientEmailAddress=tolower(RecipientEmailAddress), FileName;
let executions = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mstsc.exe", "RDCMan.exe")
| where ProcessCommandLine contains ".rdp"
// AccountName is a plain user name and never equals a mailbox address; AccountUpn is
// matched instead, assuming the user's sign-in UPN equals the recipient address
| project ExecTime=Timestamp, RecipientEmailAddress=tolower(AccountUpn), DeviceName, ProcessCommandLine;
let connections = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 3389 and RemoteIPType == "Public" and ActionType == "ConnectionSuccess"
| project ConnTime=Timestamp, DeviceName, RemoteIP;
emails
| join kind=inner (executions) on RecipientEmailAddress
| where ExecTime between (EmailTime .. EmailTime + 1h)
| join kind=inner (connections) on DeviceName
| where ConnTime between (ExecTime .. ExecTime + 30m)
| project EmailTime, ExecTime, ConnTime, RecipientEmailAddress, DeviceName, RemoteIP, ProcessCommandLine
Result
This gives you a full timeline showing:
- Who received the RDP file
- Who executed it
- What remote server they connected to
References & Further Reading
- Microsoft: Midnight Blizzard RDP Campaign
- Microsoft Sentinel Documentation
- Threat Intelligence in Office 365
Conclusion
This detailed detection guide helps you hunt the full attack chain of RDP-based spear phishing campaigns in Microsoft Sentinel.
By combining email telemetry, process execution logs, and network traffic data — defenders can proactively detect and disrupt stealthy campaigns like those orchestrated by Midnight Blizzard.
Tip: Automate these detections via analytic rules and surface alerts in Sentinel dashboards or Logic Apps.
CyberHawk Consultancy
They can't exploit you if you are the exploit.