Detect Spearphishing Link in IBM QRadar
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Unlike spearphishing attachments, this variant embeds URLs in email body text, requiring the recipient to actively click or paste the link into a browser. Clicked links may deliver browser exploits, prompt downloads of malware or scripts, or harvest credentials via convincing login pages. Advanced variants include OAuth consent phishing (abusing OAuth 2.0 authorization flows to steal application access tokens), device code phishing (abusing OAuth 2.0 device authorization grant to obtain persistent tokens), and IDN homograph attacks where lookalike Unicode domains impersonate trusted brands. URLs may also be obfuscated via URL shorteners, integer-format IP addresses (e.g., hxxp://1157586937), or the @ symbol trick. Threat actors including Kimsuky, MuddyWater, BlackTech, LuminousMoth, DarkGate, and Squirrelwaffle have extensively leveraged this technique.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Sub-technique: T1566.002 Spearphishing Link
- Canonical reference: https://attack.mitre.org/techniques/T1566/002/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    logsourcename(logsourceid) AS log_source,
    "username",
    "sourceip",
    QIDNAME(qid) AS event_name,
    "ParentImage",
    "Image",
    "CommandLine",
    CASE
        WHEN LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe).*' THEN 'EmailClientDirectSpawn'
        WHEN LOWER("ParentImage") MATCHES '.*?mshta\.exe.*' THEN 'MshtaChainSpawn'
        WHEN LOWER("ParentImage") MATCHES '.*?(msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe).*' THEN 'BrowserSpawnedSuspiciousProcess'
        ELSE 'Unknown'
    END AS detection_vector,
    CASE
        WHEN LOWER("ParentImage") MATCHES '.*?mshta\.exe.*' THEN 90
        WHEN LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe).*' THEN 85
        WHEN LOWER("ParentImage") MATCHES '.*?(msedge\.exe|chrome\.exe|firefox\.exe).*' AND LOWER("Image") MATCHES '.*?(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe).*' THEN 75
        ELSE 60
    END AS risk_score
FROM events
WHERE
    /* Log-source filter is parenthesised: AND binds tighter than OR, so without the
       parentheses the Windows Security branch (12) would bypass every condition below. */
    (LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */ OR LOGSOURCETYPEID = 13 /* Sysmon */)
    AND (
        /* Parent is an email client, a browser, or mshta.exe */
        LOWER("ParentImage") MATCHES '.*?(outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe|msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|mshta\.exe).*'
    )
    AND (
        /* Child is a scripting host, LOLBin or download utility */
        LOWER("Image") MATCHES '.*?(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe).*'
    )
    AND NOT (
        /* Exclude legitimate browser sub-processes and updater/installer helpers */
        LOWER("CommandLine") MATCHES '.*?(--type=renderer|--type=utility|--type=gpu-process|--extension-process|nativemessaginghost|microsoftedgeupdate|googleupdate|chromesetup).*'
    )
    AND DEVICETIME > NOW() - 86400000 /* last 24 hours, in milliseconds */
ORDER BY risk_score DESC, devicetime DESC

This QRadar AQL query detects spearphishing link follow-on execution by correlating process parent-child relationships from Sysmon or Windows Security logs. It identifies email clients, browsers, and mshta.exe spawning suspicious scripting or execution utilities, assigns a risk score, and excludes legitimate browser sub-processes to reduce false positives.
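As an added example (not the page's or QRadar's own code), the following Python re-implements the query's parent/child matching, AND NOT exclusion and CASE scoring so the rule can be exercised offline; the Sysmon-style records are constructed, and the field names and log source type ids (12, 13) are taken from the query above.

```python
import re
# Added example (not the page's code): re-implements the AQL rule's WHERE and CASE logic in Python.
EMAIL = re.compile(r"outlook\.exe|thunderbird\.exe|teams\.exe|msoutlook\.exe")
BROWSER = re.compile(r"msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe")
MSHTA = re.compile(r"mshta\.exe")
CHILD = re.compile(r"powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|"
                   r"regsvr32\.exe|msiexec\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe")
EXCLUDE = re.compile(r"--type=renderer|--type=utility|--type=gpu-process|--extension-process|"
                     r"nativemessaginghost|microsoftedgeupdate|googleupdate|chromesetup")
SCRIPT_HOST = re.compile(r"powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe")

def classify(event):
    # Returns (detection_vector, risk_score) or None, mirroring the query's WHERE and CASE clauses.
    parent, image, cmd = (event.get(k, "").lower() for k in ("ParentImage", "Image", "CommandLine"))
    if event.get("LogSourceTypeId") not in (12, 13):  # Windows Security (12) or Sysmon (13)
        return None
    if not (EMAIL.search(parent) or BROWSER.search(parent) or MSHTA.search(parent)):
        return None
    if not CHILD.search(image) or EXCLUDE.search(cmd):  # suspicious child, minus benign browser helpers
        return None
    if EMAIL.search(parent):  # CASE order: email clients, then mshta, then browsers
        vector = "EmailClientDirectSpawn"
    elif MSHTA.search(parent):
        vector = "MshtaChainSpawn"
    else:
        vector = "BrowserSpawnedSuspiciousProcess"
    if MSHTA.search(parent):  # risk_score CASE; its client and browser lists are narrower than above
        score = 90
    elif re.search(r"outlook\.exe|thunderbird\.exe|teams\.exe", parent):
        score = 85
    elif re.search(r"msedge\.exe|chrome\.exe|firefox\.exe", parent) and SCRIPT_HOST.search(image):
        score = 75
    else:
        score = 60
    return vector, score

def run(events):
    # Hits ordered like the query's ORDER BY risk_score DESC, keyed by the child image basename.
    hits = [(e["Image"].rsplit("\\", 1)[-1].lower(), *r) for e in events if (r := classify(e))]
    return sorted(hits, key=lambda h: -h[2])

def record(parent, image, cmd, src=13):  # builds a constructed Sysmon Event ID 1-style record
    return {"LogSourceTypeId": src, "ParentImage": parent, "Image": image, "CommandLine": cmd}

SAMPLE = [  # constructed telemetry: one hit per detection vector plus one excluded browser helper
    record(r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -WindowStyle Hidden -c IEX(...)"),
    record(r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", r"C:\Windows\System32\mshta.exe", r"mshta C:\Users\u\AppData\Local\Temp\page.hta"),
    record(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
    record(r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\System32\cmd.exe", "cmd /c start NativeMessagingHost helper"),
]
```

Running `run(SAMPLE)` yields the three hits ordered 90, 85, 75 and drops the Chrome native messaging host record, which is exactly the ordering and exclusion behaviour the AQL produces.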
False Positives & Tuning
- Enterprise software deployment tools (SCCM, Intune) that use msiexec.exe or certutil.exe when triggered indirectly via browser-initiated installer links
- Legitimate browser extension NativeMessagingHost processes that may share command-line patterns with the excluded strings but are slightly different
- Automated email-to-script workflows in helpdesk environments where Outlook plugins legitimately spawn PowerShell for ticketing system integrations
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Email Client Spawning PowerShell via Link Handler
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and a CommandLine containing '-WindowStyle Hidden', 'Net.WebClient' and 'DownloadString'. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080 (connection refused). Security Event ID 4688 if command line auditing is enabled. PowerShell ScriptBlock Log Event ID 4104 with the full script content.
- Test 2: Browser Spawning MSHTA via HTA File Download
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe and ParentImage=msedge.exe (or cmd.exe, depending on Edge's open handler). Sysmon Event ID 11: file creation event for df00tech-test.hta in %TEMP%. Security Event ID 4688 for mshta.exe process creation with the full command line, including the path to the HTA file.
- Test 3: OAuth Device Code Phishing Flow Initiation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and a CommandLine containing 'devicecode' and 'login.microsoftonline.com'. Sysmon Event ID 3: network connection to login.microsoftonline.com on port 443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. Azure AD sign-in logs: a device code flow request entry visible in the non-interactive sign-in logs for the test client_id (04b07795 is the Azure CLI client ID, a well-known public client).
- Test 4: Malicious Link Payload Drop Simulation
Expected signal: Sysmon Event ID 11: file creation in %TEMP% for Invoice_2026-03-12.pdf.cmd (double extension with .cmd as the final extension). Sysmon Event ID 1: Process Create with Image=cmd.exe, a CommandLine referencing the staged file path under %TEMP%, and ParentImage=powershell.exe. Security Event ID 4688 for both powershell.exe and cmd.exe. The temporal pattern of PowerShell network activity, followed by file creation in the staging directory, followed by cmd.exe execution matches the hunting query that correlates email client network activity with file drops.