Detect Spearphishing via Service in IBM QRadar
Adversaries may send spearphishing messages via third-party services such as LinkedIn, Facebook, WhatsApp, Telegram, Discord, and Microsoft Teams rather than enterprise email channels. These platforms carry less-strict security policies than enterprise email, enabling adversaries to bypass enterprise email security controls entirely. Threat actors build rapport with targets on social platforms — posing as job recruiters (FIN6, Lazarus Group on LinkedIn), fake vendors, or IT support personnel (Storm-1811 via Teams) — before delivering malicious files or links through personal webmail, file-sharing services, or the messaging platform directly. Notable campaigns include FIN6 using LinkedIn fake job lures to distribute the More_eggs backdoor, ToddyCat distributing the Ninja loader via Telegram ZIP archives, EXOTIC LILY weaponizing legitimate file-sharing service email notifications, Lazarus Group's Contagious Interview campaign using fake job offers on social media to deliver ClickFake/ClickFix payloads, and Storm-1811 impersonating IT support via Microsoft Teams vishing calls to deploy Black Basta ransomware. Detection is challenging because the delivery channel is external to the enterprise; this detection focuses on the post-delivery execution artifacts observable in endpoint telemetry.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Sub-technique: T1566.003 Spearphishing via Service
- Canonical reference: https://attack.mitre.org/techniques/T1566/003/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource, username AS User,
"ParentImage" AS MessagingApp, "Image" AS ChildProcess, "CommandLine" AS CommandLine,
CASE WHEN "Image" ILIKE '%powershell.exe%' OR "Image" ILIKE '%mshta.exe%' THEN 10
WHEN "Image" ILIKE '%certutil.exe%' OR "Image" ILIKE '%bitsadmin.exe%' THEN 9
WHEN "Image" ILIKE '%cmd.exe%' THEN 8
ELSE 6 END AS RiskScore
FROM events
WHERE eventid IN (1, 4688)
AND "ParentImage" IMATCHES '.*(slack|teams|discord|skype|telegram|signal|zoom|webex|msteams)\.exe.*'
AND "Image" IMATCHES '.*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe.*'
ORDER BY RiskScore DESC, EventTime DESC
This query detects spearphishing via messaging services by surfacing script hosts and download utilities spawned directly by collaboration clients. It reads process-creation events only (Sysmon Event ID 1 and Windows Security 4688); the parent and child image filters are case-insensitive regular expressions (IMATCHES), so a client installed under a non-standard path still matches as long as the executable name is unchanged. The RiskScore tiers rank script hosts (powershell.exe, mshta.exe) highest, download utilities (certutil.exe, bitsadmin.exe) next, then cmd.exe, with every other listed child at 6.
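The same parent-child match and RiskScore tiering, re-implemented in Python as an added example (not code from the page or from IBM) so the logic can be exercised offline against constructed Sysmon-style process-creation records; field names follow Sysmon (EventID, ParentImage, Image, CommandLine, User) and the sample events are constructed, not captured telemetry.

```python
# Lists mirrored from the AQL query; comparisons are case-insensitive substring
# matches, as ILIKE '%name%' is. Sample data below is constructed.
MESSAGING_APPS = ("slack.exe", "teams.exe", "discord.exe", "skype.exe", "telegram.exe",
                  "signal.exe", "zoom.exe", "webex.exe", "msteams.exe")
LOLBIN_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe")


def risk_score(image: str) -> int:
    """Same tiers as the query's CASE: script hosts 10, downloaders 9, cmd 8, else 6."""
    name = image.lower()
    if "powershell.exe" in name or "mshta.exe" in name:
        return 10
    if "certutil.exe" in name or "bitsadmin.exe" in name:
        return 9
    return 8 if "cmd.exe" in name else 6


def evaluate(events):
    """Apply the WHERE clause to process-creation records; highest risk first."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (1, 4688):          # Sysmon 1 or Security 4688 only
            continue
        parent = (ev.get("ParentImage") or "").lower()   # NULL-safe: a missing parent never matches
        child = (ev.get("Image") or "").lower()
        if any(a in parent for a in MESSAGING_APPS) and any(b in child for b in LOLBIN_CHILDREN):
            hits.append({"User": ev.get("User"), "MessagingApp": ev.get("ParentImage"),
                         "ChildProcess": ev.get("Image"), "CommandLine": ev.get("CommandLine", ""),
                         "RiskScore": risk_score(child)})
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)


SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {"EventID": 1, "User": "CORP\\alice",
     "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\Downloads\interview-task.ps1"},
    {"EventID": 1, "User": "CORP\\bob",
     "ParentImage": r"C:\Users\bob\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\bob\Downloads\df00tech-job-offer.bat"},
    {"EventID": 1, "User": "CORP\\carol",  # benign: browser is not a listed child
     "ParentImage": r"C:\Users\carol\AppData\Local\slack\slack.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 4688, "User": "CORP\\dave",  # benign: Explorer is not a messaging client
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `evaluate(SAMPLE_EVENTS)` returns alice's Teams-to-PowerShell event (score 10) ahead of bob's Discord-to-cmd event (score 8) and drops the two benign records.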
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
- IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
- Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
- Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
- HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro. Only Test 4 exercises the parent-child process relationship the query above keys on, and it matches only when the process spawned by the Teams.exe copy is one of the listed child binaries. Tests 1 to 3 produce file-creation telemetry (Sysmon Event IDs 11 and 15, Defender DeviceFileEvents) that the query does not read, so use them to confirm collection and forensic coverage rather than to expect a QRadar match.
- Test 1: Simulate Social Media File Delivery — Script Execution from Downloads Directory
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-job-offer.bat in \Downloads\ by powershell.exe. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '\Downloads\df00tech-job-offer.bat' and ParentImage=powershell.exe. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine containing Downloads path. DeviceFileEvents: .bat file creation in Downloads directory.
- Test 2: Zone.Identifier ADS Stamp with Social Media Referrer (Forensic Artifact Simulation)
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-interview-task.bat in \Downloads\ by powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): captures the Zone.Identifier ADS content including ZoneId=3, ReferrerUrl=linkedin.com, HostUrl=discordapp.com — exactly the artifact investigators use to confirm social media delivery origin. DeviceFileEvents: FileName=df00tech-interview-task.bat with ActionType=FileCreated.
- Test 3: ISO File Download Simulation — Mark-of-the-Web Bypass Vector
Expected signal: Sysmon Event ID 11: FileCreate for interview-materials-2026.iso in \Downloads\ with Image=powershell.exe. DeviceFileEvents: FileName=interview-materials-2026.iso, FolderPath containing \Downloads\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. The filename pattern ('interview-materials') is consistent with real Lazarus/Contagious Interview lure naming conventions.
- Test 4: Messaging Client Process Spawn Simulation (Teams-Style Vishing Pattern)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage or Image path containing '\Microsoft\Teams\Teams.exe' spawning a child process. DeviceProcessEvents: InitiatingProcessFolderPath containing \Microsoft\Teams\ or InitiatingProcessFileName matching Teams.exe. The spawned process's parent image resolves to the fake Teams.exe copy, triggering the MessagingPaths-based detection.
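A triage helper for the Zone.Identifier artifact Test 2 produces, added here as an example (not part of the page or the Atomic Red Team tests): it parses the alternate data stream content that Sysmon Event ID 15 records and reports whether ZoneId and the ReferrerUrl/HostUrl pair point at a social-media delivery. The platform domain list is an assumption built from the services named on this page, and both ADS samples are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Assumed watch list: public domains of the platforms named on this page.
SOCIAL_PLATFORM_DOMAINS = ("linkedin.com", "facebook.com", "whatsapp.com", "telegram.org",
                           "t.me", "discord.com", "discordapp.com", "teams.microsoft.com")


def _host(url: str) -> str:
    """Hostname of a URL; tolerates a bare host such as 'linkedin.com'."""
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname or ""


def _is_social(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SOCIAL_PLATFORM_DOMAINS)


def triage_zone_identifier(ads_text: str) -> dict:
    """Parse Zone.Identifier ADS text and flag a social-media delivery origin."""
    # The stream is INI-shaped; '=' is the only delimiter so URL colons survive.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ads_text)
    zt = cfg["ZoneTransfer"] if cfg.has_section("ZoneTransfer") else {}
    referrer = _host(zt.get("ReferrerUrl", ""))   # option names are case-insensitive
    host_url = _host(zt.get("HostUrl", ""))
    zone_id = int(zt.get("ZoneId", "-1"))           # -1: no ZoneTransfer section at all
    return {
        "zone_id": zone_id,
        "from_internet": zone_id == 3,               # URLZONE_INTERNET: Mark-of-the-Web applies
        "referrer_host": referrer,
        "host": host_url,
        # Either the page the user came from or the file host is a social platform
        "social_media_origin": zone_id == 3 and (_is_social(referrer) or _is_social(host_url)),
    }


# Constructed ADS content in the shape Test 2 describes (LinkedIn referrer, Discord host).
SAMPLE_ADS = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.linkedin.com/messaging/thread/
HostUrl=https://cdn.discordapp.com/attachments/df00tech-interview-task.bat
"""
# Constructed: an Internet-zone download with no social referrer (vendor site).
SAMPLE_ADS_VENDOR = """[ZoneTransfer]
ZoneId=3
HostUrl=https://download.example-vendor.test/setup.msi
"""
```

A ZoneId other than 3 (for example a file copied from a local share) never yields a social-media verdict, even when the referrer is a listed platform.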
References
- https://attack.mitre.org/techniques/T1566/003/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.kaspersky.com/about/press-releases/2022_toddycat-is-targeting-exchange-servers-across-europe-and-asia
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-to-conti/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-new-developments/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/microsoftteams/teams-security-guide
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.003/T1566.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.secureworks.com/research/threat-profiles/bronze-highland