T1534

Internal Spearphishing

Adversaries who have already compromised an account or system may abuse the trusted internal identity to send phishing messages to other users within the same organization. Because the message originates from a known colleague, recipients are far more likely to open attachments, click links, or provide credentials. Campaigns typically combine a compromised mailbox or chat account with a weaponized attachment, a credential-harvesting link, or a malicious macro-enabled document. Real-world actors include Gamaredon (Outlook VBA module auto-sending phishing to contacts), Kimsuky (stolen credentials reused for internal mail), Leviathan/APT40, and HEXANE. Detection surfaces include anomalous send volume or recipient patterns from an internal account, Outlook spawning suspicious child processes (macro execution), Microsoft Teams delivering external URLs or files, and mass-BCC or reply-all abuse patterns.

Microsoft Sentinel / Defender

kusto

// --- Signal 1: Outlook spawning suspicious child processes (VBA macro execution)
let OutlookMacroParents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe", "curl.exe", "wget.exe"
  )
| extend Signal = "OutlookMacroChildProcess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// --- Signal 2: Anomalous internal email send volume (Office 365 OfficeActivity)
let HighVolumeSend = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation == "Send"
| where UserId !endswith "#EXT#"
| extend SenderDomain = tostring(split(UserId, "@")[1])
| summarize EmailsSent=count(), UniqueRecipients=dcount(tostring(Parameters)),
            FirstSend=min(TimeGenerated), LastSend=max(TimeGenerated)
  by UserId, SenderDomain, bin(TimeGenerated, 1h)
| where EmailsSent > 20
| extend Signal = "HighVolumeInternalSend"
| project TimeGenerated=FirstSend, UserId, SenderDomain, EmailsSent, UniqueRecipients, Signal;
// --- Signal 3: Teams messages containing suspicious external links
let TeamsSuspiciousLinks = OfficeActivity
| where TimeGenerated > ago(24h)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageCreatedHasLink", "MessageUpdatedHasLink", "MessagesListed")
| where isnotempty(tostring(ExtraProperties))
| extend MsgContent = tostring(ExtraProperties)
| where MsgContent has_any (
    "http://", "https://",
    ".zip", ".exe", ".lnk", ".iso", ".vbs", ".js", ".hta"
  )
| where MsgContent !has "microsoft.com" and MsgContent !has "sharepoint.com"
        and MsgContent !has "teams.microsoft.com"
| extend Signal = "TeamsSuspiciousLinkOrFile"
| project TimeGenerated, UserId, ClientIP, MsgContent, Signal;
// --- Union all signals
OutlookMacroParents
| union kind=outer (HighVolumeSend | project Timestamp=TimeGenerated, DeviceName="", AccountName=UserId,
  FileName="", ProcessCommandLine=strcat("EmailsSent:", tostring(EmailsSent)), 
  InitiatingProcessFileName="OfficeActivity", InitiatingProcessCommandLine="", Signal)
| union kind=outer (TeamsSuspiciousLinks | project Timestamp=TimeGenerated, DeviceName="",
  AccountName=UserId, FileName="", ProcessCommandLine=MsgContent,
  InitiatingProcessFileName="TeamsActivity", InitiatingProcessCommandLine="", Signal)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Application Log: Office 365 Audit Logs Network Traffic: Network Connection Creation Microsoft Defender for Endpoint Microsoft 365 OfficeActivity

Required Tables

DeviceProcessEvents OfficeActivity

False Positives

Legitimate marketing or HR mass-email campaigns using a shared internal account that sends newsletters or announcements to all staff
Automated IT notification systems (monitoring alerts, ticketing systems, patch notifications) sending bulk emails from a service account
Outlook VBA macros used by finance or legal teams for legitimate templated document workflows spawning cmd.exe or wscript.exe
IT administrators sending automated onboarding emails via PowerShell scripts authenticated as their own account
Microsoft Teams bots or connectors posting messages with external links as part of approved integrations (e.g., GitHub notifications, JIRA updates)

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    ParentImage="*\\outlook.exe"
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
     OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
     OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
     OR Image="*\\curl.exe" OR Image="*\\wget.exe")
  | eval Signal="OutlookMacroChildProcess"
  | eval Actor=User
  | eval Detail=CommandLine
  | table _time, host, Actor, Signal, Image, Detail, ParentImage, ParentCommandLine
]
[
  search index=o365 sourcetype="o365:management:activity" Operation="Send"
  | eval SenderDomain=mvindex(split(UserId,"@"),1)
  | bucket _time span=1h
  | stats count as EmailsSent, dc(eval(if(isnotnull(ClientIP),ClientIP,""))) as UniqueRecipients
    by _time, UserId, SenderDomain
  | where EmailsSent > 20
  | eval Signal="HighVolumeInternalSend"
  | eval Actor=UserId
  | eval Detail=EmailsSent." emails in 1h"
  | table _time, Actor, Signal, Detail, EmailsSent, UniqueRecipients
]
[
  search index=o365 sourcetype="o365:management:activity"
    (RecordType="MicrosoftTeams" OR RecordType="14")
    (Operation="MessageCreatedHasLink" OR Operation="MessageCreatedHasAttachment" OR Operation="MessageUpdated")
  | eval MsgContent=coalesce(ChatName, MessageContent, ExtraProperties)
  | where match(MsgContent, "(?i)(https?://|\.(zip|exe|lnk|iso|vbs|js|hta|bat|ps1))")
  | where NOT match(MsgContent, "(?i)(microsoft\.com|sharepoint\.com|teams\.microsoft\.com|office\.com)")
  | eval Signal="TeamsSuspiciousLinkOrFile"
  | eval Actor=UserId
  | eval Detail=MsgContent
  | table _time, Actor, Signal, Detail, ClientIP
]
| eval SuspicionScore=case(
    Signal="OutlookMacroChildProcess", 3,
    Signal="HighVolumeInternalSend", 2,
    Signal="TeamsSuspiciousLinkOrFile", 2,
    true(), 1
  )
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Application Log: Office 365 Audit Logs Sysmon Event ID 1 Microsoft Teams Activity Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational o365:management:activity

False Positives

Bulk internal communications tools (HR systems, ticketing platforms) sending >20 emails/hour through a shared service account
Legitimate Outlook VBA macros used for business workflow automation (invoice generation, templated responses) that spawn wscript.exe or cmd.exe
Microsoft Teams integrations posting external links from approved bots such as GitHub, JIRA, PagerDuty, or ServiceNow connectors
IT automation accounts sending system notifications or patch management emails during maintenance windows
Finance or legal staff running legitimate mail-merge campaigns from Outlook using a macro-enabled template

Elastic Security (EQL)

eql

// Signal 1: Outlook spawning suspicious child processes (macro execution)
sequence by host.id with maxspan=5m
  [process where event.type == "start"
   and process.parent.name : "outlook.exe"
   and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                        "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                        "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe",
                        "curl.exe", "wget.exe")]

// Signal 2: Anomalous internal email send volume — use separate query
// Query 2 (run independently): High volume O365 send events via filebeat/o365 module
// index: filebeat-*, index pattern: o365*
// from o365.audit where event.action == "Send"
// | stats count() by user.email, @timestamp

// Signal 3: Outlook macro child process (primary actionable EQL)
process where event.type == "start"
  and process.parent.name : "outlook.exe"
  and process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe",
    "curl.exe", "wget.exe", "msiexec.exe"
  )

high severity high confidence

Data Sources

Elastic Endpoint (endpoint.events.process) Filebeat O365 module (o365.audit) Elastic SIEM — Windows process events via Winlogbeat or Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-o365.audit-* winlogbeat-*

False Positives

Outlook add-ins or plugins that legitimately spawn PowerShell for calendar sync, meeting automation, or CRM integration (e.g., Salesforce Outlook plugin running PowerShell for data sync).
IT-managed Outlook macros for internal workflow automation (e.g., auto-routing tickets, generating reports) that invoke cmd.exe or wscript.exe with known-good scripts.
Marketing or HR bulk email campaigns sent from internal distribution accounts during open enrollment or all-hands announcements may trigger the high-volume send signal.

IBM QRadar (AQL)

sql

-- Signal 1: Outlook spawning suspicious child processes (Sysmon EventID 1)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "ParentImage",
  "Image",
  "CommandLine",
  'OutlookMacroChildProcess' AS signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%'
  AND QIDNAME(qid) ILIKE '%Process Create%'
  AND "ParentImage" ILIKE '%\\outlook.exe'
  AND (
    "Image" ILIKE '%\\cmd.exe' OR
    "Image" ILIKE '%\\powershell.exe' OR
    "Image" ILIKE '%\\pwsh.exe' OR
    "Image" ILIKE '%\\wscript.exe' OR
    "Image" ILIKE '%\\cscript.exe' OR
    "Image" ILIKE '%\\mshta.exe' OR
    "Image" ILIKE '%\\rundll32.exe' OR
    "Image" ILIKE '%\\regsvr32.exe' OR
    "Image" ILIKE '%\\certutil.exe' OR
    "Image" ILIKE '%\\bitsadmin.exe' OR
    "Image" ILIKE '%\\curl.exe' OR
    "Image" ILIKE '%\\wget.exe'
  )
  AND starttime > NOW() - 86400000

UNION

-- Signal 2: High-volume internal email send (O365 audit logs)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  'O365-AuditLog' AS log_source,
  username,
  'O365-Send' AS "ParentImage",
  CONCAT(CAST(COUNT(*) AS VARCHAR), ' emails/hr') AS "Image",
  CONCAT('UniqueRecipients:', CAST(COUNT(DISTINCT destinationip) AS VARCHAR)) AS "CommandLine",
  'HighVolumeInternalSend' AS signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Office 365%'
  AND QIDNAME(qid) ILIKE '%Send%'
  AND username NOT ILIKE '%#EXT#%'
  AND starttime > NOW() - 86400000
GROUP BY
  username,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH')
HAVING COUNT(*) > 20

ORDER BY event_time DESC

high severity medium confidence

Data Sources

Windows Security/Sysmon events (via QRadar WinCollect or DSM) Microsoft Office 365 audit logs (via O365 DSM) QRadar Network Activity (flows) for supplemental context

Required Tables

events (QRadar normalized event store) flows (QRadar network flow store — supplemental)

False Positives

Outlook COM add-ins (e.g., DocuSign, Zoom, Teams plugin) may legitimately cause outlook.exe to spawn rundll32.exe or msiexec.exe during updates or feature initialization.
HR or IT bulk notification campaigns (password reset notices, benefits enrollment, system maintenance alerts) sent from shared service accounts will exceed the 20-email threshold.
Legal or compliance teams sending mass disclosure or policy acknowledgment emails from internal accounts during regulatory events may appear as high-volume senders.

Sumo Logic CSE

sql

// Signal 1: Outlook macro child process execution
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/windows/process")
| where EventID = "1"
| parse field=ParentImage "*\\*" as parentDir, parentBin nodrop
| where parentBin = "outlook.exe"
| parse field=Image "*\\*" as procDir, procBin nodrop
| where procBin in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                    "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe",
                    "curl.exe", "wget.exe")
| fields _messageTime, Computer, User, procBin, CommandLine, ParentImage, ParentCommandLine
| concat("OutlookMacroChildProcess: ", procBin, " | ", CommandLine) as signal_detail

// Signal 2: High-volume internal email send (run as separate search against O365 source)
// (_sourceCategory="o365" OR _sourceCategory="microsoft/o365")
// | json field=_raw "Operation", "UserId", "ClientIP" nodrop
// | where Operation = "Send"
// | where !(UserId matches "*#EXT#*")
// | parse field=UserId "*@*" as localPart, senderDomain
// | timeslice 1h
// | count as EmailsSent, dcount(ClientIP) as UniqueIPs by UserId, senderDomain, _timeslice
// | where EmailsSent > 20
// | concat("HighVolumeInternalSend: ", UserId, " sent ", EmailsSent, " in 1h") as signal_detail

// Signal 3: Teams suspicious link delivery
// (_sourceCategory="o365" OR _sourceCategory="microsoft/teams")
// | json field=_raw "Operation", "UserId", "ExtraProperties" nodrop
// | where Operation in ("MessageCreatedHasLink", "MessageUpdatedHasLink")
// | where ExtraProperties matches "(?i)(https?://|\.(?:zip|exe|lnk|iso|vbs|js|hta|bat|ps1))"
// | where !(ExtraProperties matches "(?i)(microsoft\.com|sharepoint\.com|teams\.microsoft\.com)")
// | concat("TeamsSuspiciousLink: ", UserId, " | ", ExtraProperties) as signal_detail

| count as EventCount by Computer, User, signal_detail
| sort by EventCount desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector — Windows Sysmon (Event ID 1) Sumo Logic Cloud-to-Cloud O365 Source (Management Activity API) Sumo Logic Microsoft Teams audit logs

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=o365 _sourceCategory=microsoft/teams

False Positives

Outlook integrated workflows using VBScript or PowerShell for legitimate business automation (e.g., IT service desk macros, automated reporting pipelines initiated from Outlook).
Mass internal communications during corporate events such as earnings announcements, RIF notifications, or all-staff policy changes sent from executive or HR shared mailboxes.
Microsoft Teams bots or integration webhooks that post links to external file storage (Box, Dropbox, GitHub) may match the suspicious link pattern if the domain is not in the allowlist.

Google Chronicle / SecOps

yaral

rule T1534_Internal_Spearphishing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects internal spearphishing (T1534): Outlook spawning LOLBin child processes indicating VBA macro execution from a compromised internal mailbox, and anomalous internal email send volume."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1534"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1534/"

  events:
    // Signal 1: Outlook spawning suspicious child process
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)\\outlook\.exe$/
    $e.target.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|curl|wget)\.exe$/
    $host = $e.principal.hostname
    $user = $e.principal.user.userid

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM — PROCESS_LAUNCH events (Windows Sysmon or MDE telemetry) Chronicle UDM — EMAIL_TRANSACTION events (O365 ingestion feed) Chronicle Ingestion: Microsoft Windows Defender ATP, Sysmon, or Google Workspace

Required Tables

UDM events (PROCESS_LAUNCH type) UDM events (EMAIL_TRANSACTION type — for volume anomaly variant) UDM events (NETWORK_HTTP type — for Teams link delivery variant)

False Positives

Legitimate Outlook COM add-ins (Zoom, DocuSign, Salesforce) that cause outlook.exe to spawn rundll32.exe or powershell.exe during initialization or feature updates in enterprise environments.
Internal IT macro-enabled Excel/Word templates distributed via email that, when opened from Outlook, invoke PowerShell or cmd.exe for license validation or data population.
Bulk email campaigns sent by marketing automation tools operating under shared internal mailbox credentials during product launches, webinar invitations, or compliance notifications.

CrowdStrike LogScale (CQL)

cql

// Signal 1: Outlook spawning suspicious child processes (macro execution)
// Uses Falcon ProcessRollup2 events
#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = "outlook.exe"
| FileName = /^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|curl|wget)\.exe$/i
| table([_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine])
| eval Signal = "OutlookMacroChildProcess"
| eval SuspicionScore = 3

// Signal 2: Anomalous process creation burst from Outlook (proxy for mass-send behavior in EDR)
// CrowdStrike does not natively ingest O365 MailSend audit — use Falcon LogScale Connector for O365
// If O365 logs are forwarded to LogScale:
// #type = "o365" event.Operation = "Send"
// | groupBy([UserId, timebucket("1h", _time)], function=count(as=EmailsSent))
// | EmailsSent > 20
// | eval Signal = "HighVolumeInternalSend"
// | eval SuspicionScore = 2

// Signal 3: Network connection from Outlook to non-Microsoft external hosts post-process-spawn
| join(
    [
      #event_simpleName = "NetworkConnectIP4"
      | LocalAddressIP4 != "127.0.0.1"
      | not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
      | not RemotePort in [443, 80]
    ],
    field=[TargetProcessId],
    include=[RemoteAddressIP4, RemotePort, RemoteAddressIP4]
  )
| groupBy([ComputerName, UserName, FileName, Signal], function=count(as=EventCount))
| sort(EventCount, order=desc)

high severity high confidence

Data Sources

Falcon sensor telemetry — ProcessRollup2 events Falcon sensor telemetry — NetworkConnectIP4 events LogScale O365 Connector (optional, for HighVolumeInternalSend signal)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NetworkConnectIP4 #type=o365 (optional — requires O365 log ingestion into LogScale)

False Positives

Outlook COM add-ins from enterprise vendors (Zoom, Salesforce, ServiceNow) frequently spawn rundll32.exe or powershell.exe as part of plugin initialization or update checks, generating false ProcessRollup2 matches.
Automated internal notification workflows where Outlook macros legitimately call cmd.exe or PowerShell to query internal APIs, generate ticket numbers, or populate document templates.
Security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness) that send internal test phishing emails may trigger the high-volume send signal from simulation accounts if not excluded by sender address pattern.

Last updated: 2026-04-20 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1534 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Internal Spearphishing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections