Detect Internal Spearphishing in Microsoft Sentinel
Adversaries who have already compromised an account or system may abuse the trusted internal identity to send phishing messages to other users within the same organization. Because the message originates from a known colleague, recipients are far more likely to open attachments, click links, or provide credentials. Campaigns typically combine a compromised mailbox or chat account with a weaponized attachment, a credential-harvesting link, or a malicious macro-enabled document. Real-world actors include Gamaredon (Outlook VBA module auto-sending phishing to contacts), Kimsuky (stolen credentials reused for internal mail), Leviathan/APT40, and HEXANE. Detection surfaces include anomalous send volume or recipient patterns from an internal account, Outlook spawning suspicious child processes (macro execution), Microsoft Teams delivering external URLs or files, and mass-BCC or reply-all abuse patterns.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1534 Internal Spearphishing
- Canonical reference: https://attack.mitre.org/techniques/T1534/
KQL Detection Query
// --- Signal 1: Outlook spawning suspicious child processes (VBA macro execution)
// Source: Microsoft Defender for Endpoint (DeviceProcessEvents)
let OutlookMacroParents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe", "curl.exe", "wget.exe"
    )
| extend Signal = "OutlookMacroChildProcess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, Signal;
// --- Signal 2: Anomalous send volume from an internal mailbox (Exchange mailbox audit in OfficeActivity)
// Mailbox-audit Send records carry the sent item (subject), not the recipient list; recipient
// counts live in Exchange message trace. Distinct subjects are therefore used as the lure
// indicator: a compromised mailbox mass-mailing one lure shows many sends and one subject.
let HighVolumeSend = OfficeActivity
| where TimeGenerated > ago(24h)
| where OfficeWorkload == "Exchange"
| where Operation in ("Send", "SendAs", "SendOnBehalf")
| where UserId !has "#EXT#"   // guest UPNs carry #EXT# before the @, so endswith would miss them
| extend SenderDomain = tostring(split(UserId, "@")[1])
| extend Subject = tostring(parse_json(Item).Subject)
| summarize EmailsSent=count(), UniqueSubjects=dcount(Subject), SourceIPs=dcount(ClientIP),
    FirstSend=min(TimeGenerated), LastSend=max(TimeGenerated)
    by UserId, SenderDomain, bin(TimeGenerated, 1h)
| where EmailsSent > 20
| extend Signal = "HighVolumeInternalSend"
| project TimeGenerated=FirstSend, UserId, SenderDomain, EmailsSent, UniqueSubjects, SourceIPs, Signal;
// --- Signal 3: Teams messages carrying links to hosts outside the allowlist
// MessagesListed is a read operation (messages enumerated via API), not a delivered lure, so it is excluded.
let TeamsSuspiciousLinks = OfficeActivity
| where TimeGenerated > ago(24h)
| where RecordType == "MicrosoftTeams"
| where Operation in ("MessageCreatedHasLink", "MessageUpdatedHasLink")
| where isnotempty(ExtraProperties)
| extend MsgContent = tostring(ExtraProperties)
| extend Urls = extract_all(@"(https?://[^\s""'<>]+)", MsgContent)
| mv-expand Url = Urls to typeof(string)
| extend Host = tolower(tostring(parse_url(Url).Host))
| where isnotempty(Host)
// Allowlist on the parsed host, not on the message text: a substring test such as
// `MsgContent !has "microsoft.com"` would also suppress microsoft.com.attacker.example.
| where not(Host == "microsoft.com" or Host endswith ".microsoft.com"
         or Host == "sharepoint.com" or Host endswith ".sharepoint.com")
| extend HasRiskyExtension = Url matches regex @"(?i)\.(zip|exe|lnk|iso|vbs|js|hta)(\?|$)"
| extend Signal = "TeamsSuspiciousLinkOrFile"
| project TimeGenerated, UserId, ClientIP, Url, Host, HasRiskyExtension, Signal;
// --- Union all signals into one result set for triage
OutlookMacroParents
| union kind=outer (HighVolumeSend
    | project Timestamp=TimeGenerated, DeviceName="", AccountName=UserId, FileName="",
        ProcessCommandLine=strcat("EmailsSent:", tostring(EmailsSent), " UniqueSubjects:", tostring(UniqueSubjects)),
        InitiatingProcessFileName="OfficeActivity", InitiatingProcessCommandLine="", Signal)
| union kind=outer (TeamsSuspiciousLinks
    | project Timestamp=TimeGenerated, DeviceName="", AccountName=UserId, FileName="",
        ProcessCommandLine=Url, InitiatingProcessFileName="TeamsActivity",
        InitiatingProcessCommandLine=Host, Signal)
| sort by Timestamp desc

Three-signal detection for internal spearphishing using Microsoft Defender for Endpoint (DeviceProcessEvents) and Microsoft 365 audit data (OfficeActivity). Signal 1 catches Gamaredon-style Outlook VBA macros by flagging outlook.exe spawning LOLBins or script interpreters. Signal 2 flags a mailbox issuing more than 20 Send, SendAs or SendOnBehalf operations in one hour, reporting the distinct-subject and source-IP counts alongside the volume; guest accounts are excluded by matching #EXT# anywhere in the UPN. Signal 3 extracts the URLs from Teams message-with-link audit events, parses each host and suppresses only hosts equal to or under microsoft.com and sharepoint.com, so look-alike hosts that merely contain those strings still surface; Teams-delivered lures are the channel documented in the Midnight Blizzard/Cozy Bear campaign referenced below. All three signals are unioned and sorted by time for analyst review.
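The following is an added example, not code from the original page or from the Sentinel query itself: a stand-alone Python re-implementation of Signals 2 and 3, run over constructed OfficeActivity-style records, so that the per-hour send threshold, the #EXT# guest exclusion, the host-based URL allowlist and an allowlist of approved bulk senders (the tuning the False Positives section calls for) can be checked offline before the query is deployed. Field names mirror the OfficeActivity columns used above; the sample records, the `ALLOWED_HOST_SUFFIXES` tuple and the `allowlist` parameter are assumptions for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

SEND_OPERATIONS = {"Send", "SendAs", "SendOnBehalf"}
SEND_THRESHOLD = 20                          # same per-hour threshold as the KQL
LINK_OPERATIONS = {"MessageCreatedHasLink", "MessageUpdatedHasLink"}  # MessagesListed is a read op
ALLOWED_HOST_SUFFIXES = ("microsoft.com", "sharepoint.com")           # assumed allowlist
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RISKY_EXT_RE = re.compile(r"\.(zip|exe|lnk|iso|vbs|js|hta)$", re.I)


def exchange_send(minute, user, subject):
    """Constructed Exchange mailbox-audit Send record (not real telemetry)."""
    return {"TimeGenerated": f"2024-05-01T09:{minute:02d}:00+00:00", "OfficeWorkload": "Exchange",
            "Operation": "Send", "UserId": user, "ClientIP": "198.51.100.7",
            "Item": json.dumps({"Subject": subject})}


def teams_event(minute, operation, user, url):
    """Constructed Teams audit record; the URL sits inside ExtraProperties as in OfficeActivity."""
    return {"TimeGenerated": f"2024-05-01T10:{minute:02d}:00+00:00", "RecordType": "MicrosoftTeams",
            "Operation": operation, "UserId": user, "ClientIP": "198.51.100.7",
            "ExtraProperties": json.dumps({"MessageURLs": [url]})}


RECORDS = (
    # compromised mailbox: 25 sends of one lure inside a single hour
    [exchange_send(m, "alice@contoso.example", "Updated payroll form") for m in range(0, 50, 2)]
    # ordinary user: three sends
    + [exchange_send(m, "bob@contoso.example", "lunch?") for m in (5, 20, 40)]
    # guest: #EXT# sits before the @, so an endswith("#EXT#") check would not exclude it
    + [exchange_send(0, "eve_gmail.com#EXT#@contoso.onmicrosoft.com", "hi")]
    + [teams_event(0, "MessageCreatedHasLink", "alice@contoso.example",
                   "https://contoso.sharepoint.com/sites/hr/Shared%20Documents/form.docx"),
       # look-alike host: contains the substring "microsoft.com" but is not under that domain
       teams_event(1, "MessageCreatedHasLink", "alice@contoso.example",
                   "https://login.microsoft.com.verify-account.example/x/Invoice.zip"),
       teams_event(2, "MessagesListed", "bob@contoso.example", "https://evil.example/a.exe")]
)


def high_volume_senders(records, threshold=SEND_THRESHOLD, allowlist=frozenset()):
    """Signal 2: count sends per (mailbox, hour bucket) and return buckets above the threshold.
    Guest UPNs and approved bulk senders (service accounts, newsletter mailboxes) are skipped."""
    counts = defaultdict(int)
    subjects = defaultdict(set)
    for r in records:
        if r.get("Operation") not in SEND_OPERATIONS:
            continue
        user = r["UserId"].lower()
        if "#ext#" in user or user in allowlist:
            continue
        hour = datetime.fromisoformat(r["TimeGenerated"]).replace(minute=0, second=0, microsecond=0)
        counts[(user, hour)] += 1
        subject = json.loads(r.get("Item") or "{}").get("Subject")
        if subject:
            subjects[(user, hour)].add(subject)
    return [{"UserId": user, "Hour": hour.isoformat(), "EmailsSent": n,
             "UniqueSubjects": len(subjects[(user, hour)]), "Signal": "HighVolumeInternalSend"}
            for (user, hour), n in counts.items() if n > threshold]


def host_allowed(host):
    """Exact match or subdomain of an allowed host; deliberately not a substring test."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def suspicious_teams_links(records):
    """Signal 3: URLs in Teams message-with-link events whose parsed host is not allowlisted."""
    hits = []
    for r in records:
        if r.get("RecordType") != "MicrosoftTeams" or r.get("Operation") not in LINK_OPERATIONS:
            continue
        for url in URL_RE.findall(r.get("ExtraProperties", "")):
            parsed = urlparse(url)
            host = parsed.hostname or ""
            if not host or host_allowed(host):
                continue
            hits.append({"UserId": r["UserId"], "Url": url, "Host": host,
                         "RiskyExtension": bool(RISKY_EXT_RE.search(parsed.path)),
                         "Signal": "TeamsSuspiciousLinkOrFile"})
    return hits


if __name__ == "__main__":
    for row in high_volume_senders(RECORDS) + suspicious_teams_links(RECORDS):
        print(row)
```

Running it yields one HighVolumeInternalSend row (alice, 25 sends, one subject; bob and the guest drop out) and one TeamsSuspiciousLinkOrFile row for the look-alike host with a .zip path, while the SharePoint link and the MessagesListed read event produce nothing. Passing `allowlist={"alice@contoso.example"}` suppresses the send alert, which is how an approved newsletter or notification mailbox would be tuned out.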
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint, via the Defender XDR connector) for Signal 1
- OfficeActivity (Office 365 connector) for Signals 2 and 3: Exchange mailbox audit records supply the Send operations, and Teams audit records supply the MessageCreatedHasLink / MessageUpdatedHasLink operations; both require auditing to be enabled in the tenant
False Positives & Tuning
- Legitimate marketing or HR mass-email campaigns using a shared internal account that sends newsletters or announcements to all staff
- Automated IT notification systems (monitoring alerts, ticketing systems, patch notifications) sending bulk emails from a service account
- Outlook VBA macros used by finance or legal teams for legitimate templated document workflows spawning cmd.exe or wscript.exe
- IT administrators sending automated onboarding emails via PowerShell scripts authenticated as their own account
- Microsoft Teams bots or connectors posting messages with external links as part of approved integrations (e.g., GitHub notifications, JIRA updates)
Testing Methodology
Validate this detection with the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Outlook VBA Macro Auto-Send (Simulated Gamaredon Pattern)
Expected signal: Sysmon Event ID 1 (process creation) for powershell.exe; the Outlook COM object instantiation is visible in the command line only when the script is passed inline rather than from a file. OfficeActivity: Operation=Send from the test account. If Outlook is running, Sysmon Event ID 10 (ProcessAccess) may show PowerShell opening a handle to the Outlook process. Exchange/O365 message trace records the outbound message. Note that Signal 1 in the query keys on outlook.exe as the parent process, so a PowerShell-driven COM simulation exercises Signal 2 (send volume), not Signal 1; Signal 1 fires only when the macro executes inside Outlook and spawns a child process.
- Test 2: Write Malicious Macro to Outlook VbaProject.OTM
Expected signal: Sysmon Event ID 11 (FileCreate) for the test artifact in %TEMP%. Sysmon Event ID 1: powershell.exe with VbaProject.OTM referenced in the command line. If Outlook is running and VbaProject.OTM is actually written, Event ID 11 fires for the OTM path as well, since it covers creation and overwrite; Sysmon does not log in-place modification, so an object-access audit (Security Event ID 4663) on %APPDATA%\Microsoft\Outlook\VbaProject.OTM closes that gap.
- Test 3: Microsoft Teams Message with External Link (Simulated via Graph API)
Expected signal: OfficeActivity: RecordType=MicrosoftTeams, Operation=MessageCreatedHasLink, with the external URL in ExtraProperties. Azure AD (Entra ID) sign-in log entry for the token used against Graph. Microsoft Defender for Cloud Apps may raise activity-policy alerts on the Graph session, depending on the policies configured.
- Test 4: Simulate Compromised Account Bulk Send via PowerShell Exchange Online
Expected signal: O365 Unified Audit Log: multiple Send operations from the test account within a short window; this is what Signal 2 counts, so 21 or more sends inside one hour clears the threshold. Exchange message trace: batch of outbound messages with identical subject. Azure AD: interactive authentication event for the Exchange Online PowerShell connection. OfficeActivity table in Sentinel: one Operation=Send entry per message sent.
References
- https://attack.mitre.org/techniques/T1534/
- https://blog.trendmicro.com/phishing-starts-inside/
- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
- https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/
- https://www.cisa.gov/sites/default/files/publications/AA21-200A.pdf
- https://secureworks.com/research/lyceum-takes-center-stage-in-middle-east-campaign
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-tool
- https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about
- https://learn.microsoft.com/en-us/microsoftteams/teams-security-guide