Convert DNSTwist Results to MDE IOCs then turn them into TenantAllowBlockLists ! This should run along aside Domain impersonation protection inside of Defender for Office (MDO).
Can block typosquatters, phishing attacks, fraud, and brand impersonation!
DeviceEvents
| where (ActionType == "SmartScreenUrlWarning" and AdditionalFields.Experience == "CustomBlockList") or (AdditionalFields.ResponseCategory == "CustomBlockList" and ActionType == "ExploitGuardNetworkProtectionBlocked")
| extend URL = replace_string(RemoteUrl,'.','[.]')
| summarize by URL, DeviceName,AccountName,InitiatingProcessAccountName
Install DNSTwist using
pip install dnstwist
Reference: https://github.com/elceef/dnstwist
File naming convention is DNSTwist+{thedate}.csv
No duplication checks between runs :) however MDE natively handles duplicates
Do not blindly upload, validate results before uploading
Domains can be whitelisted by adding to the whitelist variable
Extra domains to be twisted can be added to the domainsToTwist List
There is a limit of 500 IOCs per CSV in MDE, if you need to split out the IOCs, please see: https://github.com/jkerai1/SoftwareCertificates/blob/main/Bulk-IOC-CSVs/Scripts/MDE-IOC-Batch-Separator.py
Block The Domain in Tenant Allow Block List using the powershell script (sender domain and URL)
TABL does not support punycode (xn--) and MDE support for punycode is limited. Defender for Office's impersonation list is hidden but TABL blocks will verify explictly domain is blocked.
A good online punycode converter: https://www.punycoder.com/
JoeSandBox: https://github.com/jkerai1/JoeSandBoxToMDEBlockList
TLD: https://github.com/jkerai1/TLD-TABL-Block
Ransomwatch: https://github.com/jkerai1/RansomWatchToMDEIoC/tree/main