T1566.001 Microsoft Sentinel · KQL

Detect Spearphishing Attachment in Microsoft Sentinel

Adversaries send targeted spearphishing emails with malicious attachments to gain initial access. Attachments may include Microsoft Office documents with macros, PDFs exploiting reader vulnerabilities, executables disguised with document icons, archive files (ZIP, ISO, IMG) containing LNK or script files, or RTF files exploiting equation editor vulnerabilities. Upon opening the attachment, the adversary's payload exploits a vulnerability or executes directly, typically spawning a child process from the email client or document handler. Common threat actors using this technique include APT28, Lazarus Group, FIN6, Cobalt Group, and Tropic Trooper.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1566 Phishing
Sub-technique: T1566.001 Spearphishing Attachment
Canonical reference: https://attack.mitre.org/techniques/T1566/001/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// Primary detection: Office applications spawning suspicious child processes
// This is the strongest post-attachment-open indicator available in endpoint telemetry
let OfficeApps = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe", "eqnedt32.exe"
]);
let SuspiciousChildren = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
  "curl.exe", "wget.exe", "msbuild.exe", "installutil.exe", "schtasks.exe",
  "at.exe", "wmic.exe", "odbcconf.exe", "pcalua.exe", "cmstp.exe",
  "msiexec.exe", "explorer.exe", "hh.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend RiskLevel = case(
    FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"), "Critical",
    FileName in~ ("certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe", "odbcconf.exe", "cmstp.exe"), "High",
    "Medium"
  )
| extend SuspiciousNetwork = ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
| extend EncodedPayload = ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String", "/e:jscript", "/e:vbscript")
| extend TempExecution = ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "%temp%", "%appdata%")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RiskLevel, SuspiciousNetwork, EncodedPayload, TempExecution
| sort by Timestamp desc
// Secondary query: Executables created by Office apps or launched from suspicious paths
// (run separately or union with primary)
// DeviceFileEvents
// | where Timestamp > ago(24h)
// | where InitiatingProcessFileName in~ (OfficeApps)
// | where ActionType == "FileCreated"
// | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1"
//    or FileName endswith ".vbs" or FileName endswith ".js" or FileName endswith ".hta"
// | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName
```

Severity: High · Confidence: High

Detects spearphishing attachment execution by monitoring Microsoft Office and email client applications spawning suspicious child processes — the primary post-exploitation signal when a malicious attachment is opened. Covers macro-enabled documents spawning cmd/PowerShell/scripting engines, RTF equation editor exploitation (eqnedt32.exe as parent), and document-triggered LOLBin execution. Enrichment fields flag network-calling command lines, encoded payloads, and execution from temporary/user-writable paths.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents

False Positives & Tuning

  • Legitimate Excel macros used in finance/operations departments that call cmd.exe or PowerShell for data processing or report generation
  • Microsoft Office add-ins and COM automation tools (Power BI, Tableau connector, SAP) that spawn child processes as part of normal integration workflows
  • IT-managed document templates that use embedded VBA macros to launch approved internal tools or scripts from known paths
  • PDF reader auto-open actions or form submission scripts in enterprise document management workflows
  • Outlook meeting integrations (Zoom, Teams, Webex plugins) that spawn helper processes when calendar invites are processed
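The exclusions listed above are easiest to maintain as an allowlist joined against the rule's candidate set rather than as hard-coded `where` clauses. The query below is an added tuning example, not part of the original rule: it reuses the same OfficeApps and SuspiciousChildren lists, suppresses candidates that match a documented parent/child pair together with a command-line fragment (the allowlist rows are constructed placeholders), and then keeps only parent/child pairs not seen on that device in the prior 30 days.

```kusto
// Added tuning example: allowlist known-good parent/child pairs, then baseline.
// Allowlist rows are constructed placeholders; in production load them from a
// Sentinel watchlist, e.g. _GetWatchlist('OfficeChildAllowlist').
let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe", "eqnedt32.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
  "curl.exe", "wget.exe", "msbuild.exe", "installutil.exe", "schtasks.exe", "at.exe",
  "wmic.exe", "odbcconf.exe", "pcalua.exe", "cmstp.exe", "msiexec.exe", "explorer.exe", "hh.exe"]);
// Parent, child, and a command-line fragment that must all match to suppress an event.
let Allowlist = datatable(Parent:string, Child:string, CmdFragment:string) [
  "excel.exe",   "powershell.exe", "\\\\fileserver\\finance\\scripts\\monthly_report.ps1",
  "outlook.exe", "explorer.exe",   "C:\\Program Files\\Zoom\\bin\\Zoom.exe",
  "winword.exe", "cmd.exe",        "C:\\Corp\\Templates\\approved_tool.bat"
];
let Candidates = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName);
// Events matching an allowlisted pair whose command line carries the expected fragment.
let Suppressed = Candidates
| join kind=inner Allowlist on Parent, Child
| where ProcessCommandLine has CmdFragment
| project DeviceId, ReportId;
Candidates
| join kind=leftanti Suppressed on DeviceId, ReportId
// Baseline: drop pairs already seen on the same device in the prior 30 days,
// so a recurring finance macro ages out while a first-seen winword -> mshta stays.
| join kind=leftanti (
    DeviceProcessEvents
    | where Timestamp between (ago(30d) .. ago(24h))
    | where InitiatingProcessFileName in~ (OfficeApps) and FileName in~ (SuspiciousChildren)
    | extend Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName)
    | distinct DeviceName, Parent, Child
  ) on DeviceName, Parent, Child
| project Timestamp, DeviceName, AccountName, Parent, Child,
          ProcessCommandLine, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Review the suppressed set periodically (swap the final `leftanti` for an `inner` join on Suppressed) so a stale allowlist entry does not hide a real macro-spawned shell.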

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Word Macro Spawning PowerShell (VBA Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe. If run from within a Word VBA macro (Tools > Macro > Run), the ParentImage will be winword.exe. Security Event ID 4688 (if command line auditing enabled) will capture the full command line.

  2. Test 2: LNK File Execution Simulating ISO-Delivered Spearphishing

    Expected signal: Sysmon Event ID 11: File Created for InvoiceDocument.lnk in %TEMP%. Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=explorer.exe (or the process that invoked Start-Process). The LNK file path in temp directory is a key indicator. Sysmon Event ID 1 will show target command line '/c whoami'.

  3. Test 3: Excel Macro Dropping Script to Disk (Dropper Pattern)

    Expected signal: Sysmon Event ID 11: File Created for update_helper.ps1 in %TEMP%. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '-ExecutionPolicy Bypass -File' and the temp path. DeviceFileEvents ActionType=FileCreated for the .ps1 file. The combination of file drop to temp + immediate execution is a high-fidelity pattern.

  4. Test 4: Equation Editor Exploitation Simulation (CVE-2017-11882 Pattern)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe. In real exploitation, ParentImage=eqnedt32.exe (C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE launching eqnedt32.exe which spawns cmd.exe). Security Event ID 4688 with cmd.exe command line. For authentic testing, embed this command in an RTF file using a hex editor to trigger via eqnedt32.exe.
