T1566 Phishing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousExtensions = dynamic([
  ".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".wsf",
  ".scr", ".pif", ".lnk", ".iso", ".img", ".cab", ".docm", ".xlsm", ".pptm", ".jar"
]);
let SuspiciousSubjectTerms = dynamic([
  "invoice", "payment", "urgent", "verify", "suspended", "confirm",
  "unusual activity", "password reset", "credentials", "wire transfer",
  "action required", "shared with you", "security alert", "your account"
]);
// Signal 1: Inbound email with phishing or malware verdict from Microsoft Defender for Office 365
let EmailThreatEvents =
    EmailEvents
    | where Timestamp > ago(24h)
    | where EmailDirection == "Inbound"
    | where ThreatTypes has_any ("Phish", "Malware") or (DeliveryAction == "Blocked" and ConfidenceLevel == "High")
    | extend AuthJson = parse_json(AuthenticationDetails)
    | extend SPFResult = tostring(AuthJson.SPF)
    | extend DKIMResult = tostring(AuthJson.DKIM)
    | extend DMARCResult = tostring(AuthJson.DMARC)
    | extend AuthFailed = (SPFResult =~ "Fail" or DKIMResult =~ "Fail" or DMARCResult =~ "Fail")
    | extend SuspiciousSubject = Subject has_any (SuspiciousSubjectTerms)
    | project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
             SenderIPv4, RecipientEmailAddress, Subject, ThreatTypes, ConfidenceLevel,
             DeliveryAction, DeliveryLocation, SuspiciousSubject,
             AuthFailed, SPFResult, DKIMResult, DMARCResult;
// Signal 2: Attachment metadata — suspicious file extensions or malware family hits
let AttachmentSignals =
    EmailAttachmentInfo
    | where Timestamp > ago(24h)
    | where FileName has_any (SuspiciousExtensions)
        or isnotempty(MalwareFamily)
        or ThreatTypes has_any ("Phish", "Malware")
    | summarize
        SuspiciousFiles = make_set(FileName, 10),
        MalwareFamilies = make_set(MalwareFamily, 5),
        AttachmentHashes = make_set(SHA256, 10)
      by NetworkMessageId;
// Signal 3: URLs extracted from email body — collect domains for threat intel correlation
let UrlSignals =
    EmailUrlInfo
    | where Timestamp > ago(24h)
    | summarize UrlCount = count(), LinkedDomains = make_set(UrlDomain, 20) by NetworkMessageId;
// Combine all signals and score
EmailThreatEvents
| join kind=leftouter AttachmentSignals on NetworkMessageId
| join kind=leftouter UrlSignals on NetworkMessageId
| extend HasMaliciousAttachment = isnotempty(SuspiciousFiles)
| extend ThreatScore =
    toint(ThreatTypes has "Phish") * 3 +
    toint(ThreatTypes has "Malware") * 3 +
    toint(HasMaliciousAttachment) * 2 +
    toint(AuthFailed) +
    toint(SuspiciousSubject)
| where ThreatScore > 0
| project Timestamp, SenderFromAddress, SenderFromDomain, SenderIPv4,
         RecipientEmailAddress, Subject, ThreatTypes, ConfidenceLevel,
         DeliveryAction, DeliveryLocation,
         SuspiciousFiles, MalwareFamilies, AttachmentHashes,
         UrlCount, LinkedDomains,
         SPFResult, DKIMResult, DMARCResult, AuthFailed,
         SuspiciousSubject, ThreatScore, NetworkMessageId
| sort by ThreatScore desc, Timestamp desc

high severity high confidence

Data Sources

Application Log: Application Log Content Network Traffic: Network Traffic Content Microsoft Defender for Office 365 Microsoft 365 Defender Advanced Hunting

Required Tables

EmailEvents EmailAttachmentInfo EmailUrlInfo

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

Splunk

spl

index=o365 sourcetype="o365:management:activity" Workload=ThreatIntelligence Operation=TIMailData
| spath output=Verdict path=Verdict
| spath output=P1Sender path=P1Sender
| spath output=P2Sender path=P2Sender
| spath output=SenderIp path=SenderIp
| spath output=Subject path=Subject
| spath output=Recipients path=Recipients
| spath output=DeliveryAction path=Delivery.DeliveryAction
| spath output=DeliveryLocation path=Delivery.DeliveryLocation
| spath output=AttachmentFiles path=AttachmentData{}.FileName
| spath output=AttachmentVerdicts path=AttachmentData{}.FileVerdict
| spath output=Urls path=UrlData{}.Url
| where Verdict IN ("Phish", "Malware", "MaliciousUrl", "HighConfidencePhish")
| eval SuspiciousSubject=if(
    match(lower(Subject), "(invoice|payment|urgent|verify|suspended|confirm|password reset|credentials|wire transfer|action required|unusual activity|security alert|shared with you)"),
    1, 0
  )
| eval HasSuspiciousAttachment=if(isnotnull(AttachmentFiles) AND AttachmentFiles!="", 1, 0)
| eval ThreatScore=case(
    Verdict="HighConfidencePhish" OR Verdict="Malware", 3,
    Verdict="Phish" OR Verdict="MaliciousUrl", 2,
    true(), 1
  ) + SuspiciousSubject + HasSuspiciousAttachment
| eval AttachmentList=mvjoin(AttachmentFiles, " | ")
| eval UrlList=mvjoin(Urls, " | ")
| eval Severity=case(
    ThreatScore >= 4, "Critical",
    ThreatScore == 3, "High",
    ThreatScore == 2, "Medium",
    true(), "Low"
  )
| table _time, P1Sender, P2Sender, SenderIp, Recipients, Subject, Verdict,
        DeliveryAction, DeliveryLocation, AttachmentList, AttachmentVerdicts,
        UrlList, SuspiciousSubject, HasSuspiciousAttachment, ThreatScore, Severity
| sort - ThreatScore, - _time

high severity high confidence

Data Sources

Application Log: Application Log Content Microsoft Office 365 Management Activity API Microsoft Defender for Office 365 ThreatIntelligence Workload

Required Sourcetypes

o365:management:activity

False Positives

Security awareness phishing simulation platforms (KnowBe4, Cofense, Proofpoint) send deliberate phishing test emails that Defender for Office 365 may classify as Phish
Email forwarding configurations from external mail systems may cause DMARC alignment failures on otherwise legitimate messages
Mass marketing emails from vendors using shared sending infrastructure may occasionally be classified as Spam or Phish due to sending reputation
Mislabeled internal security communications using urgent language may match subject-line keyword patterns

Elastic Security (EQL)

eql

any where event.dataset == "o365.audit" and
  event.category == "email" and
  (
    (event.action : ("TIMailData","EmailReceived") and
     (email.attachments.file.extension : ("exe","dll","bat","cmd","ps1","vbs","js","hta","wsf","scr","pif","iso","img","lnk","docm","xlsm","jar") or
      email.subject : ("*invoice*","*payment*","*urgent*","*verify*","*suspended*","*confirm*","*notice*"))) or
    (event.action : ("TIUrlClick") and
     event.outcome : "blocked")
  )

high severity high confidence

Data Sources

Microsoft 365 Email Events via Elastic O365 integration

Required Tables

logs-o365.audit-*

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "SenderFromAddress" as Sender, "RecipientEmailAddress" as Recipient,
  "Subject" as Subject, "FileType" as AttachmentType,
  CASE WHEN "FileType" ILIKE ANY ('%.exe%','%.dll%','%.ps1%','%.vbs%','%.js%','%.hta%','%.iso%') THEN 10
       WHEN LOWER("Subject") LIKE ANY ('%invoice%','%payment%','%urgent%','%verify%','%credential%') THEN 8
       ELSE 5 END as RiskScore
FROM events
WHERE category = 'email'
  AND (
    ("FileType" ILIKE ANY ('%.exe%','%.dll%','%.bat%','%.cmd%','%.ps1%','%.vbs%','%.js%',
                           '%.hta%','%.wsf%','%.scr%','%.pif%','%.iso%','%.img%','%.lnk%',
                           '%.docm%','%.xlsm%','%.jar%'))
    OR LOWER("Subject") LIKE ANY ('%invoice%','%payment%','%urgent%','%verify%','%suspended%',
                                    '%confirm%','%notice%','%credential%','%account%')
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity high confidence

Data Sources

Email Gateway Logs via QRadar DSM Microsoft 365 Management Activity

Required Tables

events

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

Sumo Logic CSE

sql

_sourceCategory=o365/email OR _sourceCategory=email/gateway
| json auto
| eval SubjectLower = toLower(coalesce(Subject,""))
| eval AttachLower = toLower(coalesce(FileType, AttachmentExtension, ""))
| eval is_suspicious_attach = if(AttachLower matches "\.(exe|dll|bat|cmd|ps1|vbs|js|hta|wsf|scr|pif|iso|img|lnk|docm|xlsm|jar)$", 1, 0)
| eval is_social_eng = if(SubjectLower matches "(invoice|payment|urgent|verify|suspended|confirm|breach|credential|password.reset|account.locked)", 1, 0)
| where is_suspicious_attach == 1 OR is_social_eng == 1
| eval risk = case(is_suspicious_attach == 1 AND is_social_eng == 1, "critical",
    is_suspicious_attach == 1, "high",
    is_social_eng == 1, "medium", true(), "low")
| table _time, SenderFromAddress, RecipientEmailAddress, Subject, FileType, is_suspicious_attach, is_social_eng, risk
| sort by _time desc

high severity high confidence

Data Sources

Office 365 Email Events via Sumo Logic Email Gateway via Sumo Logic

Required Tables

o365/email email/gateway

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

Google Chronicle / SecOps

yaral

rule spearphishing_email_detection {
  meta:
    author = "Detection Engineering"
    description = "Detects spearphishing emails with suspicious attachments and subject lines (T1566)"
    severity = "HIGH"
    tactic = "TA0001"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    (
      re.regex($e.network.email.subject, `(?i)(invoice|payment|urgent|verify|suspended|confirm|breach|credential)`) nocase or
      re.regex($e.principal.file.mime_type, `(?i)(executable|script|powershell|batch|vbscript|hta|iso|lnk)`) nocase or
      re.regex($e.target.file.full_path, `(?i)\.(exe|dll|bat|ps1|vbs|js|hta|scr|lnk|docm|xlsm|iso|img)$`) nocase
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Email Events via Chronicle UDM

Required Tables

EMAIL_TRANSACTION

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "EmailMessageReceivedV3"
| (AttachmentNames = /\.(exe|dll|bat|cmd|ps1|vbs|js|hta|wsf|scr|pif|iso|img|lnk|docm|xlsm|jar)$/i
   OR EmailSubject = /(invoice|payment|urgent|verify|suspended|confirm|breach|credential|password.reset)/i)
| eval risk = case {
    AttachmentNames = /\.(exe|dll|ps1|vbs|hta)$/i : "critical";
    AttachmentNames = /\.(bat|js|iso|lnk|docm)$/i : "high";
    EmailSubject = /(credential|password|breach)/i : "high";
    * : "medium"
  }
| table timestamp, RecipientEmail, SenderEmail, EmailSubject, AttachmentNames, risk
| sort by timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Identity Protection - Email

Required Tables

EmailMessageReceivedV3

False Positives

Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms

Phishing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Initial Access

Popular Detections