T1534 Splunk · SPL

Detect Internal Spearphishing in Splunk

Adversaries who have already compromised an account or system may abuse the trusted internal identity to send phishing messages to other users within the same organization. Because the message originates from a known colleague, recipients are far more likely to open attachments, click links, or provide credentials. Campaigns typically combine a compromised mailbox or chat account with a weaponized attachment, a credential-harvesting link, or a malicious macro-enabled document. Real-world actors include Gamaredon (Outlook VBA module auto-sending phishing to contacts), Kimsuky (stolen credentials reused for internal mail), Leviathan/APT40, and HEXANE. Detection surfaces include anomalous send volume or recipient patterns from an internal account, Outlook spawning suspicious child processes (macro execution), Microsoft Teams delivering external URLs or files, and mass-BCC or reply-all abuse patterns.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1534 Internal Spearphishing
Canonical reference: https://attack.mitre.org/techniques/T1534/

SPL Detection Query

Splunk (SPL)

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    ParentImage="*\\outlook.exe"
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
     OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
     OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
     OR Image="*\\curl.exe" OR Image="*\\wget.exe")
  | eval Signal="OutlookMacroChildProcess"
  | eval Actor=User
  | eval Detail=CommandLine
  | table _time, host, Actor, Signal, Image, Detail, ParentImage, ParentCommandLine
]
[
  search index=o365 sourcetype="o365:management:activity" Operation="Send"
  | eval SenderDomain=mvindex(split(UserId,"@"),1)
  | bucket _time span=1h
  ``` dc(ClientIP) counts distinct source addresses per sender-hour; ClientIP is where the
      sender connected from, not a recipient, so the column is named accordingly ```
  | stats count as EmailsSent, dc(ClientIP) as UniqueClientIPs
    by _time, UserId, SenderDomain
  | where EmailsSent > 20
  | eval Signal="HighVolumeInternalSend"
  | eval Actor=UserId
  | eval Detail=EmailsSent." emails in 1h"
  | table _time, Actor, Signal, Detail, EmailsSent, UniqueClientIPs
]
[
  search index=o365 sourcetype="o365:management:activity"
    ``` AuditLogRecordType 25 is MicrosoftTeams (14 is SharePointSharingOperation) ```
    (RecordType="MicrosoftTeams" OR RecordType="25")
    (Operation="MessageCreatedHasLink" OR Operation="MessageCreatedHasAttachment" OR Operation="MessageUpdated")
  | eval MsgContent=coalesce(ChatName, MessageContent, ExtraProperties)
  | where match(MsgContent, "(?i)(https?://|\.(zip|exe|lnk|iso|vbs|js|hta|bat|ps1))")
  | where NOT match(MsgContent, "(?i)(microsoft\.com|sharepoint\.com|teams\.microsoft\.com|office\.com)")
  | eval Signal="TeamsSuspiciousLinkOrFile"
  | eval Actor=UserId
  | eval Detail=MsgContent
  | table _time, Actor, Signal, Detail, ClientIP
]
| eval SuspicionScore=case(
    Signal="OutlookMacroChildProcess", 3,
    Signal="HighVolumeInternalSend", 2,
    Signal="TeamsSuspiciousLinkOrFile", 2,
    true(), 1
  )
| sort - SuspicionScore, - _time

Severity: high · Confidence: medium

Three-signal Splunk detection for internal spearphishing built on Sysmon operational logs and O365 management activity. The first subsearch (Sysmon EventCode=1) detects Outlook spawning LOLBins, the process-tree signature of VBA macro execution and the method Gamaredon uses to auto-send phishing to an infected user's contacts. The second subsearch uses the o365:management:activity sourcetype to count Send operations per hour per user and flags accounts exceeding 20 sends, indicating automated or weaponized mailbox abuse; the distinct ClientIP count per sender-hour is carried along as triage context. The third subsearch detects Microsoft Teams messages containing external URLs or executable file extensions, excluding known-safe Microsoft domains. The three signals are combined with union and given a suspicion score for triage prioritization.

Data Sources

  • Process: Process Creation
  • Application Log: Office 365 Audit Logs
  • Sysmon Event ID 1
  • Microsoft Teams Activity Logs

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • o365:management:activity

False Positives & Tuning

  • Bulk internal communications tools (HR systems, ticketing platforms) sending >20 emails/hour through a shared service account
  • Legitimate Outlook VBA macros used for business workflow automation (invoice generation, templated responses) that spawn wscript.exe or cmd.exe
  • Microsoft Teams integrations posting external links from approved bots such as GitHub, JIRA, PagerDuty, or ServiceNow connectors
  • IT automation accounts sending system notifications or patch management emails during maintenance windows
  • Finance or legal staff running legitimate mail-merge campaigns from Outlook using a macro-enabled template
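The following is an added example, not the page's SPL and not Splunk or vendor code: an offline Python replica of the three subsearches, the union, the scoring and the sort, run over constructed Sysmon and O365 events so the logic and the tuning can be checked before the query is deployed. It also applies the allowlisting the False Positives section calls for (bulk-sending service accounts and approved Teams bots), which a Splunk deployment would keep in a lookup rather than in code; the allowlist entries, account names, domains and timestamps are all hypothetical.

```python
"""Offline replica of the three-signal T1534 logic (added example, not the page's SPL).
Field names mirror the query; sample events and allowlists are constructed."""
import re
from collections import defaultdict

LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe", "wget.exe"}
SEND_THRESHOLD = 20  # sends per sender per one-hour bucket, as in the SPL
SUSPICIOUS = re.compile(r"(?i)(https?://|\.(zip|exe|lnk|iso|vbs|js|hta|bat|ps1))")
SAFE_DOMAINS = re.compile(r"(?i)(microsoft\.com|sharepoint\.com|teams\.microsoft\.com|office\.com)")
SCORES = {"OutlookMacroChildProcess": 3, "HighVolumeInternalSend": 2, "TeamsSuspiciousLinkOrFile": 2}

# Hypothetical tuning lists (see "False Positives & Tuning"); in Splunk these belong in a lookup.
ALLOWED_BULK_SENDERS = {"hr-notify@corp.example"}
ALLOWED_TEAMS_BOTS = {"github-connector@corp.example"}


def basename(path):
    """Last path component, lower-cased, so Image globs like *\\outlook.exe compare cleanly."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def outlook_child_signals(sysmon_events):
    """Subsearch 1: Sysmon EventCode=1 where outlook.exe is the parent of a LOLBin."""
    out = []
    for e in sysmon_events:
        if (e["EventCode"] == 1 and basename(e["ParentImage"]) == "outlook.exe"
                and basename(e["Image"]) in LOLBINS):
            out.append({"_time": e["_time"], "Actor": e["User"],
                        "Signal": "OutlookMacroChildProcess", "Detail": e["CommandLine"]})
    return out


def high_volume_send_signals(o365_events):
    """Subsearch 2: bucket Send operations by hour and UserId, flag counts over the threshold."""
    counts = defaultdict(int)
    for e in o365_events:
        if e["Operation"] == "Send" and e["UserId"] not in ALLOWED_BULK_SENDERS:
            counts[(e["_time"] // 3600 * 3600, e["UserId"])] += 1  # same as bucket span=1h
    return [{"_time": t, "Actor": u, "Signal": "HighVolumeInternalSend", "Detail": f"{n} emails in 1h"}
            for (t, u), n in counts.items() if n > SEND_THRESHOLD]


def teams_link_signals(o365_events):
    """Subsearch 3: Teams messages carrying an external URL or a risky file extension."""
    out = []
    for e in o365_events:
        if e.get("RecordType") not in ("MicrosoftTeams", 25):
            continue
        if e["Operation"] not in ("MessageCreatedHasLink", "MessageCreatedHasAttachment", "MessageUpdated"):
            continue
        if e["UserId"] in ALLOWED_TEAMS_BOTS:  # approved connector bots
            continue
        content = e.get("ChatName") or e.get("MessageContent") or e.get("ExtraProperties") or ""
        if SUSPICIOUS.search(content) and not SAFE_DOMAINS.search(content):
            out.append({"_time": e["_time"], "Actor": e["UserId"],
                        "Signal": "TeamsSuspiciousLinkOrFile", "Detail": content})
    return out


def detect(sysmon_events, o365_events):
    """Union the three signals, attach SuspicionScore and sort like the SPL's final pipeline."""
    rows = (outlook_child_signals(sysmon_events) + high_volume_send_signals(o365_events)
            + teams_link_signals(o365_events))
    for r in rows:
        r["SuspicionScore"] = SCORES.get(r["Signal"], 1)
    return sorted(rows, key=lambda r: (-r["SuspicionScore"], -r["_time"]))


# Constructed sample telemetry (not real logs); T0 is an arbitrary epoch second.
T0 = 1_700_000_000
SAMPLE_SYSMON = [
    {"_time": T0 + 5, "EventCode": 1, "User": "CORP\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA"},
    {"_time": T0 + 6, "EventCode": 1, "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]
SAMPLE_O365 = (
    [{"_time": T0 + i, "Operation": "Send", "UserId": "alice@corp.example"} for i in range(25)]
    + [{"_time": T0 + i, "Operation": "Send", "UserId": "hr-notify@corp.example"} for i in range(40)]
    + [{"_time": T0 + 9, "RecordType": "MicrosoftTeams", "Operation": "MessageCreatedHasLink",
        "UserId": "alice@corp.example", "MessageContent": "please review http://updates.example.net/invoice.zip"},
       {"_time": T0 + 10, "RecordType": 25, "Operation": "MessageCreatedHasLink",
        "UserId": "github-connector@corp.example", "MessageContent": "PR opened https://github.example.net/x"},
       {"_time": T0 + 11, "RecordType": 25, "Operation": "MessageCreatedHasLink",
        "UserId": "carol@corp.example", "MessageContent": "https://contoso.sharepoint.com/sites/finance"}]
)

if __name__ == "__main__":
    for row in detect(SAMPLE_SYSMON, SAMPLE_O365):
        print(row["SuspicionScore"], row["Signal"], row["Actor"], row["Detail"])
```

On the constructed input only alice surfaces: the Outlook-spawned PowerShell scores 3, her external .zip link in Teams and her 25 sends in one hour score 2 each, while the allowlisted HR sender (40 sends) and GitHub connector, and carol's sharepoint.com link, produce nothing. Swapping a name into the allowlists and re-running is the quickest way to see what a given lookup exclusion would suppress before adding it to the SPL.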

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Outlook VBA Macro Auto-Send (Simulated Gamaredon Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe spawned with Outlook COM object instantiation. OfficeActivity O365 log: Operation=Send from the test account. If Outlook is running, Sysmon Event ID 10 (ProcessAccess) may show PowerShell accessing the Outlook process. Exchange/O365 message trace will record the outbound message.

  2. Test 2: Write Malicious Macro to Outlook VbaProject.OTM

    Expected signal: Sysmon Event ID 11 (File Create): file creation event for the test artifact in %TEMP%. Sysmon Event ID 1: powershell.exe with path references to VbaProject.OTM. If Outlook is running and VbaProject.OTM is actually modified, Sysmon will log file modification events against the OTM path.

  3. Test 3: Microsoft Teams Message with External Link (Simulated via Graph API)

    Expected signal: O365 OfficeActivity: RecordType=MicrosoftTeams, Operation=MessageCreatedHasLink, with the external URL in ExtraProperties. Azure AD sign-in log entry for the Graph API token use. Microsoft Defender for Cloud Apps (MCAS) may generate an alert for 'Suspicious inbox forwarding' or 'Unusual file share' depending on policy.

  4. Test 4: Simulate Compromised Account Bulk Send via PowerShell Exchange Online

    Expected signal: O365 Unified Audit Log: multiple Send operations from the test account within a short window. Exchange message trace: batch of outbound messages with identical subject. Azure AD: interactive authentication event for the PowerShell connection. OfficeActivity table in Sentinel: Operation=Send entries for each recipient.
