Detect Spearphishing via Service in Microsoft Sentinel
Adversaries may send spearphishing messages through third-party services such as LinkedIn, Facebook, WhatsApp, Telegram, Discord, and Microsoft Teams rather than through enterprise email. Because these channels sit outside the organization's mail flow, the enterprise email security stack never sees the lure, and the adversary bypasses those controls entirely. Threat actors build rapport with targets on social platforms, posing as job recruiters (FIN6 and Lazarus Group on LinkedIn), fake vendors, or IT support personnel (Storm-1811 via Teams), before delivering malicious files or links through personal webmail, file-sharing services, or the messaging platform itself. Notable campaigns include FIN6 using fake LinkedIn job lures to distribute the More_eggs backdoor, ToddyCat distributing the Ninja loader in ZIP archives sent over Telegram, EXOTIC LILY weaponizing the email notifications of legitimate file-sharing services, Lazarus Group's Contagious Interview campaign using fake job offers on social media to deliver ClickFake/ClickFix payloads, and Storm-1811 impersonating IT support over Microsoft Teams calls (vishing) to deploy Black Basta ransomware. Detection is challenging because the delivery channel is external to the enterprise, so this detection focuses on the post-delivery execution artifacts observable in endpoint telemetry.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Sub-technique: T1566.003 Spearphishing via Service
- Canonical reference: https://attack.mitre.org/techniques/T1566/003/
KQL Detection Query
// T1566.003 — Spearphishing via Service
// Social media delivery occurs outside enterprise visibility. This query detects three
// post-delivery execution signals observable in endpoint telemetry (DeviceProcessEvents):
// Signal 1: Messaging/collaboration desktop clients directly spawning command interpreters or LOLBins
// Signal 2: A file executed from a user Downloads/Desktop directory, or an interpreter/LOLBin
//           invoked with a Downloads/Desktop path on its command line
// Signal 3: A binary running from Downloads/Desktop that spawns a command interpreter or LOLBin
let SuspiciousChildProcs = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
"msiexec.exe", "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe"
]);
// ms-teams.exe is the new Teams client (installed under WindowsApps, not \Microsoft\Teams\).
// update.exe is the Squirrel launcher/updater used by classic Teams, Slack and Discord and
// therefore shows up as the parent; other Electron apps ship the same updater, so expect noise.
let MessagingClients = dynamic([
"Teams.exe", "ms-teams.exe", "Slack.exe", "Discord.exe", "Telegram.exe", "WhatsApp.exe",
"update.exe"
]);
let MessagingPaths = dynamic([
"\\Microsoft\\Teams\\", "\\Slack\\", "\\Discord\\",
"\\Telegram Desktop\\", "\\WhatsApp\\"
]);
let DownloadPaths = dynamic(["\\Downloads\\", "\\Desktop\\"]);
// Signal 1: Messaging desktop client spawning suspicious child processes
// Covers ToddyCat Telegram delivery; see the note below the query on Storm-1811 Teams vishing
let MessagingSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (MessagingClients)
or InitiatingProcessFolderPath has_any (MessagingPaths)
| where FileName in~ (SuspiciousChildProcs)
| extend Signal = "MessagingClientSpawn"
| extend SignalDetail = strcat(InitiatingProcessFileName, " spawned ", FileName);
// Signal 2: Execution from Downloads/Desktop. FolderPath is the path of the process image,
// so the first branch catches downloaded executables and installers launched in place; the
// second catches cmd.exe/wscript.exe/etc. run against a script that lives there.
// Covers files delivered via browser after a social media link-click
let DownloadExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (DownloadPaths)
or (FileName in~ (SuspiciousChildProcs) and ProcessCommandLine has_any (DownloadPaths))
| extend Signal = "DownloadDirectoryExecution"
| extend SignalDetail = strcat(FileName, " executed from ", FolderPath, " with command line: ", ProcessCommandLine);
// Signal 3 (correlated): Any executable in Downloads/Desktop that spawns a child interpreter
let DownloadSpawnChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFolderPath has_any (DownloadPaths)
| where FileName in~ (SuspiciousChildProcs)
| extend Signal = "DownloadedBinarySpawnedInterpreter"
| extend SignalDetail = strcat(InitiatingProcessFileName, " (from ", InitiatingProcessFolderPath, ") spawned ", FileName);
// Combine all signals
union MessagingSpawn, DownloadExecution, DownloadSpawnChain
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessFolderPath, Signal, SignalDetail
| sort by Timestamp desc
Detects post-delivery execution artifacts of spearphishing via service using Microsoft Defender for Endpoint DeviceProcessEvents. Three signals are evaluated: (1) collaboration and messaging desktop clients (Teams, Slack, Discord, Telegram, WhatsApp) spawning command interpreters or Living-Off-The-Land binaries, a high-fidelity indicator associated with ToddyCat's Telegram delivery; (2) execution from user Downloads or Desktop directories, either a downloaded executable or installer launched in place or an interpreter invoked on a script stored there, the standard landing zone for files received via social media, file-sharing links, or personal webmail; (3) executables located in Downloads or Desktop that subsequently spawn command interpreters, indicating the two-stage execution chain common in socially delivered droppers. Since the delivery channel (social media) is external to enterprise monitoring, detection focuses exclusively on the execution phase. Two caveats apply. In the Storm-1811 campaign the Teams call was only the pretext and code execution came through Quick Assist remote control, so Signal 1 will usually not fire on that intrusion and Quick Assist process lineage should be hunted separately. Signals 2 and 3 overlap by design: a dropper in Downloads that launches powershell.exe appears twice, once as DownloadDirectoryExecution for the dropper and once as DownloadedBinarySpawnedInterpreter for the child.
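Because the delivery channel itself is invisible to the SIEM, the most useful follow-up is to recover it from the endpoint's record of the download. The hunting query below is an added example written for this page (it is not part of the detection above nor vendor-supplied content): it joins Downloads/Desktop executions to the DeviceFileEvents row that wrote the file and surfaces FileOriginUrl and FileOriginReferrerUrl, which correspond to the HostUrl/ReferrerUrl fields of the Zone.Identifier stream that Test 2 simulates. The social and file-sharing host list is an illustrative assumption, not a curated indicator set. Payloads unpacked from an ISO or archive (the Test 3 scenario) will show no origin, because the container rather than the payload received the Mark-of-the-Web.

```kql
// Added example: link Downloads/Desktop executions back to their recorded download origin.
// Assumption: FileOriginUrl/FileOriginReferrerUrl were populated when the browser saved
// the file; payloads extracted from ISO/ZIP containers usually carry none.
let DownloadPaths = dynamic(["\\Downloads\\", "\\Desktop\\"]);
// Illustrative hosts only (assumption); tune to the platforms your users actually use.
let SocialOrigins = dynamic([
    "linkedin.com", "discord.com", "discordapp.com", "t.me", "telegram.org",
    "facebook.com", "whatsapp.com", "wetransfer.com", "dropbox.com",
    "drive.google.com", "mega.nz"
]);
// One download record per device + file hash. max() on strings prefers a populated
// origin over an empty one when several file events exist for the same hash.
let Downloaded = DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (DownloadPaths)
| where isnotempty(SHA256)
| summarize DownloadTime = min(Timestamp),
            DownloadedBy = take_any(InitiatingProcessFileName),
            FileOriginUrl = max(FileOriginUrl),
            FileOriginReferrerUrl = max(FileOriginReferrerUrl),
            FileOriginIP = max(FileOriginIP)
    by DeviceId, SHA256;
// Executions whose image lives in Downloads/Desktop, joined on device + image hash
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (DownloadPaths)
| where isnotempty(SHA256)
| join kind=inner Downloaded on DeviceId, SHA256
| where DownloadTime <= Timestamp               // the download must precede the execution
| extend OriginHost   = tostring(parse_url(FileOriginUrl).Host),
         ReferrerHost = tostring(parse_url(FileOriginReferrerUrl).Host)
| extend SocialDelivery = OriginHost has_any (SocialOrigins) or ReferrerHost has_any (SocialOrigins)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
          DownloadTime, DownloadedBy, FileOriginUrl, FileOriginReferrerUrl, FileOriginIP,
          OriginHost, ReferrerHost, SocialDelivery
| sort by SocialDelivery desc, Timestamp desc
```

Rows with SocialDelivery == true are the ones to triage first; rows with an empty origin are not clean, they are simply files whose download the sensor could not attribute, which is exactly what a container-based Mark-of-the-Web bypass produces.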
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry, available in Microsoft Sentinel through the Microsoft Defender XDR data connector)
False Positives & Tuning
- Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
- IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
- Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
- Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
- HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms
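The false positives above share a shape: a known vendor installer, an approved distribution folder, or a known account. The query below is an added example for this page (not the vendor's tuned rule) that re-implements Signals 2 and 3 with a suppression layer for each. The signer names, the approved folder and the exempt account are assumptions to replace with your own; note that the signature allowlist is applied only when the process image itself sits in Downloads, so a Downloads binary that spawns a Microsoft-signed interpreter is never suppressed by it.

```kql
// Added example: Signals 2 and 3 of the detection with three suppression layers.
// Every allowlist value below is an assumption for illustration.
let DownloadPaths = dynamic(["\\Downloads\\", "\\Desktop\\"]);
let SuspiciousChildProcs = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "msiexec.exe", "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe"
]);
// Layer 1: vendors whose signed installers users may run from Downloads (assumption).
// Deliberately no "Microsoft Corporation": a Microsoft-signed LOLBin copied into
// Downloads would otherwise be suppressed as well.
let TrustedSigners = dynamic(["Zoom Video Communications, Inc.", "Google LLC"]);
// Layer 2: approved distribution folder for IT onboarding scripts (assumption).
let ApprovedPaths = dynamic(["\\Downloads\\IT-Onboarding\\"]);
// Layer 3: accounts exempted from the Downloads rule, e.g. build agents (assumption).
let ExemptAccounts = dynamic(["svc-buildagent"]);
// Image hashes whose Authenticode signature is trusted and from an allowlisted signer
let AllowlistedImages = DeviceFileCertificateInfo
| where Timestamp > ago(30d)
| where IsSigned and IsTrusted
| where Signer in~ (TrustedSigners)
| summarize TrustedSigner = take_any(Signer) by DeviceId, SHA1;
DeviceProcessEvents
| where Timestamp > ago(24h)
| extend ImageInDownloads     = FolderPath has_any (DownloadPaths),
         InterpreterOnDownload = FileName in~ (SuspiciousChildProcs) and ProcessCommandLine has_any (DownloadPaths),
         SpawnedFromDownloads  = FileName in~ (SuspiciousChildProcs) and InitiatingProcessFolderPath has_any (DownloadPaths)
| where ImageInDownloads or InterpreterOnDownload or SpawnedFromDownloads
// Layer 2 and 3
| where not(FolderPath has_any (ApprovedPaths) or ProcessCommandLine has_any (ApprovedPaths))
| where AccountName !in~ (ExemptAccounts)
// Layer 1: suppress only when the image in Downloads itself carries an allowlisted signature
| join kind=leftouter AllowlistedImages on DeviceId, SHA1
| where not(ImageInDownloads and isnotempty(TrustedSigner))
| extend Signal = case(SpawnedFromDownloads, "DownloadedBinarySpawnedInterpreter",
                       "DownloadDirectoryExecution")
| project Timestamp, DeviceName, AccountName, Signal, FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessFolderPath
| sort by Timestamp desc
```

A valid signature only proves who signed the file, not that it is benign, so keep TrustedSigners short and review it with the same rigour as any other allowlist; the account exemption is the weakest layer because it suppresses everything a compromised build account does from Downloads.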
Testing Methodology
Validate this detection with the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that the query above reads DeviceProcessEvents only: Test 1 and Test 4 exercise it directly, while Test 2 and Test 3 produce file-creation artifacts (DeviceFileEvents, Sysmon Event IDs 11 and 15) that validate the forensic trail rather than the query itself.
- Test 1: Simulate Social Media File Delivery — Script Execution from Downloads Directory
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-job-offer.bat in \Downloads\ by powershell.exe. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '\Downloads\df00tech-job-offer.bat' and ParentImage=powershell.exe. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine containing Downloads path. DeviceFileEvents: .bat file creation in Downloads directory.
- Test 2: Zone.Identifier ADS Stamp with Social Media Referrer (Forensic Artifact Simulation)
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-interview-task.bat in \Downloads\ by powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): captures the Zone.Identifier ADS content including ZoneId=3, ReferrerUrl=linkedin.com, HostUrl=discordapp.com — exactly the artifact investigators use to confirm social media delivery origin. DeviceFileEvents: FileName=df00tech-interview-task.bat with ActionType=FileCreated.
- Test 3: ISO File Download Simulation — Mark-of-the-Web Bypass Vector
Expected signal: Sysmon Event ID 11: FileCreate for interview-materials-2026.iso in \Downloads\ with Image=powershell.exe. DeviceFileEvents: FileName=interview-materials-2026.iso, FolderPath containing \Downloads\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. The filename pattern ('interview-materials') is consistent with real Lazarus/Contagious Interview lure naming conventions.
- Test 4: Messaging Client Process Spawn Simulation (Teams-Style Vishing Pattern)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage or Image path containing '\Microsoft\Teams\Teams.exe' spawning a child process. DeviceProcessEvents: InitiatingProcessFolderPath containing \Microsoft\Teams\ or InitiatingProcessFileName matching Teams.exe. The spawned process's parent image resolves to the fake Teams.exe copy, triggering the MessagingPaths-based detection.
References
- https://attack.mitre.org/techniques/T1566/003/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.kaspersky.com/about/press-releases/2022_toddycat-is-targeting-exchange-servers-across-europe-and-asia
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-to-conti/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-new-developments/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/microsoftteams/teams-security-guide
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.003/T1566.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.secureworks.com/research/threat-profiles/bronze-highland