T1534 IBM QRadar · QRadar

Detect Internal Spearphishing in IBM QRadar

Adversaries who have already compromised an account or system may abuse the trusted internal identity to send phishing messages to other users within the same organization. Because the message originates from a known colleague, recipients are far more likely to open attachments, click links, or provide credentials. Campaigns typically combine a compromised mailbox or chat account with a weaponized attachment, a credential-harvesting link, or a malicious macro-enabled document. Real-world actors include Gamaredon (Outlook VBA module auto-sending phishing to contacts), Kimsuky (stolen credentials reused for internal mail), Leviathan/APT40, and HEXANE. Detection surfaces include anomalous send volume or recipient patterns from an internal account, Outlook spawning suspicious child processes (macro execution), Microsoft Teams delivering external URLs or files, and mass-BCC or reply-all abuse patterns.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1534 Internal Spearphishing
Canonical reference
https://attack.mitre.org/techniques/T1534/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
-- Signal 1: Outlook spawning suspicious child processes (Sysmon EventID 1)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "ParentImage",
  "Image",
  "CommandLine",
  'OutlookMacroChildProcess' AS signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%'
  AND QIDNAME(qid) ILIKE '%Process Create%'
  AND "ParentImage" ILIKE '%\\outlook.exe'
  AND (
    "Image" ILIKE '%\\cmd.exe' OR
    "Image" ILIKE '%\\powershell.exe' OR
    "Image" ILIKE '%\\pwsh.exe' OR
    "Image" ILIKE '%\\wscript.exe' OR
    "Image" ILIKE '%\\cscript.exe' OR
    "Image" ILIKE '%\\mshta.exe' OR
    "Image" ILIKE '%\\rundll32.exe' OR
    "Image" ILIKE '%\\regsvr32.exe' OR
    "Image" ILIKE '%\\certutil.exe' OR
    "Image" ILIKE '%\\bitsadmin.exe' OR
    "Image" ILIKE '%\\curl.exe' OR
    "Image" ILIKE '%\\wget.exe'
  )
  AND starttime > NOW() - 86400000

UNION

-- Signal 2: High-volume internal email send (O365 audit logs)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  'O365-AuditLog' AS log_source,
  username,
  'O365-Send' AS "ParentImage",
  CONCAT(CAST(COUNT(*) AS VARCHAR), ' emails/hr') AS "Image",
  CONCAT('UniqueRecipients:', CAST(COUNT(DISTINCT destinationip) AS VARCHAR)) AS "CommandLine",
  'HighVolumeInternalSend' AS signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Office 365%'
  AND QIDNAME(qid) ILIKE '%Send%'
  AND username NOT ILIKE '%#EXT#%'
  AND starttime > NOW() - 86400000
GROUP BY
  username,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH')
HAVING COUNT(*) > 20

ORDER BY event_time DESC
high severity medium confidence

AQL query detecting internal spearphishing via two correlated signals: Sysmon process creation events where outlook.exe spawns LOLBin child processes (indicating macro execution from a phishing email), and O365 audit log patterns showing internal accounts sending more than 20 emails per hour (indicating a compromised mailbox sending mass internal phishing). Results are unified and sorted by recency.

Data Sources

Windows Security/Sysmon events (via QRadar WinCollect or DSM)Microsoft Office 365 audit logs (via O365 DSM)QRadar Network Activity (flows) for supplemental context

Required Tables

events (QRadar normalized event store)flows (QRadar network flow store — supplemental)

False Positives & Tuning

  • Outlook COM add-ins (e.g., DocuSign, Zoom, Teams plugin) may legitimately cause outlook.exe to spawn rundll32.exe or msiexec.exe during updates or feature initialization.
  • HR or IT bulk notification campaigns (password reset notices, benefits enrollment, system maintenance alerts) sent from shared service accounts will exceed the 20-email threshold.
  • Legal or compliance teams sending mass disclosure or policy acknowledgment emails from internal accounts during regulatory events may appear as high-volume senders.
Download portable Sigma rule (.yml)

Other platforms for T1534

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Outlook VBA Macro Auto-Send (Simulated Gamaredon Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe spawned with Outlook COM object instantiation. OfficeActivity O365 log: Operation=Send from the test account. If Outlook is running, Sysmon Event ID 10 (ProcessAccess) may show PowerShell accessing the Outlook process. Exchange/O365 message trace will record the outbound message.

  2. Test 2Write Malicious Macro to Outlook VbaProject.OTM

    Expected signal: Sysmon Event ID 11 (File Create): file creation event for the test artifact in %TEMP%. Sysmon Event ID 1: powershell.exe with path references to VbaProject.OTM. If Outlook is running and VbaProject.OTM is actually modified, Sysmon will log file modification events against the OTM path.

  3. Test 3Microsoft Teams Message with External Link (Simulated via Graph API)

    Expected signal: O365 OfficeActivity: RecordType=MicrosoftTeams, Operation=MessageCreatedHasLink, with the external URL in ExtraProperties. Azure AD sign-in log entry for the Graph API token use. Microsoft Defender for Cloud Apps (MCAS) may generate an alert for 'Suspicious inbox forwarding' or 'Unusual file share' depending on policy.

  4. Test 4Simulate Compromised Account Bulk Send via PowerShell Exchange Online

    Expected signal: O365 Unified Audit Log: multiple Send operations from [email protected] within a short window. Exchange message trace: batch of outbound messages with identical subject. Azure AD: interactive authentication event for the PowerShell connection. OfficeActivity table in Sentinel: Operation=Send entries for each recipient.

Last updated: 2026-04-20 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1534 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1078Valid AccountsT1656ImpersonationT1056.001KeyloggingT1114.001Local Email CollectionT1137.001Office Template MacrosT1204.002Malicious FileT1080Taint Shared ContentT1598.003Spearphishing Link

Same Tactic: Lateral Movement

Popular Detections