Detect Spearphishing via Service in Splunk
Adversaries may send spearphishing messages via third-party services such as LinkedIn, Facebook, WhatsApp, Telegram, Discord, and Microsoft Teams rather than enterprise email channels. These platforms carry less-strict security policies than enterprise email, enabling adversaries to bypass enterprise email security controls entirely. Threat actors build rapport with targets on social platforms — posing as job recruiters (FIN6, Lazarus Group on LinkedIn), fake vendors, or IT support personnel (Storm-1811 via Teams) — before delivering malicious files or links through personal webmail, file-sharing services, or the messaging platform directly. Notable campaigns include FIN6 using LinkedIn fake job lures to distribute the More_eggs backdoor, ToddyCat distributing the Ninja loader via Telegram ZIP archives, EXOTIC LILY weaponizing legitimate file-sharing service email notifications, Lazarus Group's Contagious Interview campaign using fake job offers on social media to deliver ClickFake/ClickFix payloads, and Storm-1811 impersonating IT support via Microsoft Teams vishing calls to deploy Black Basta ransomware. Detection is challenging because the delivery channel is external to the enterprise; this detection focuses on the post-delivery execution artifacts observable in endpoint telemetry.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Sub-technique: T1566.003 Spearphishing via Service
- Canonical reference: https://attack.mitre.org/techniques/T1566/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval ParentImage_lower=lower(ParentImage)
| eval CommandLine_lower=lower(CommandLine)
| eval ParentCommandLine_lower=lower(ParentCommandLine)
```Signal 1: messaging client as parent process spawning suspicious children```
| eval MessagingParent=if(
    match(ParentImage_lower, "(\\\\teams\.exe|\\\\slack\.exe|\\\\discord\.exe|\\\\telegram\.exe|\\\\whatsapp\.exe)")
    OR match(ParentImage_lower, "(\\\\microsoft\\\\teams\\\\|\\\\slack\\\\|\\\\discord\\\\|\\\\telegram desktop\\\\)"),
    1, 0)
```Signal 2: interpreter/LOLBin executing from, or referencing, the Downloads or Desktop directory```
| eval DownloadExecution=if(
    match(Image_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
    OR (match(CommandLine_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
        AND match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\msiexec\.exe)")),
    1, 0)
```Signal 3: Downloads- or Desktop-resident binary spawning interpreters (two-stage chain)```
| eval DownloadSpawnChain=if(
    match(ParentImage_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
    AND match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe)"),
    1, 0)
```Suspicious child process type indicator```
| eval SuspiciousChild=if(
    match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\msiexec\.exe|\\\\wmic\.exe|\\\\bitsadmin\.exe)"),
    1, 0)
| where (MessagingParent=1 AND SuspiciousChild=1) OR DownloadExecution=1 OR DownloadSpawnChain=1
| eval Signal=case(
    MessagingParent=1 AND SuspiciousChild=1, "MessagingClientSpawn",
    DownloadSpawnChain=1, "DownloadedBinarySpawnedInterpreter",
    DownloadExecution=1, "DownloadDirectoryExecution",
    true(), "Unknown")
| eval RiskScore=MessagingParent + DownloadExecution + DownloadSpawnChain + SuspiciousChild
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal, RiskScore
| sort - _time

Detects post-delivery execution following spearphishing via service, using Sysmon Event ID 1 (Process Create). Three eval-based signals are assessed: (1) collaboration platform desktop clients (Teams, Slack, Discord, Telegram) appearing as ParentImage of command interpreters or LOLBins, targeting the Storm-1811 and ToddyCat delivery patterns; (2) interpreter or LOLBin images whose path contains the Downloads or Desktop directory, or whose command line references those paths; (3) parent processes residing in Downloads or Desktop spawning scripting engines. The where clause keeps only events in which at least one signal fires, so the "Unknown" branch of the case() is a defensive fallback that should not appear in results. A composite RiskScore field assists analyst prioritization; scores of 2 or higher warrant immediate triage. All comparisons use lowercase normalization via eval for resilience against path-case variants. The inline comments use Splunk's triple-backtick comment syntax, which is valid SPL; `//` is not.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate software packages installed from the Downloads directory, especially corporate-mandated tools distributed by IT teams via Teams or Slack file sharing
- Automated deployment pipelines or CI/CD runners that legitimately use Slack or Teams integrations to trigger system-level commands on developer workstations
- End users running downloaded scripts for self-service IT tasks that are part of approved SOPs distributed via helpdesk Teams channels
- Developers running downloaded build tools, compilers, or deployment scripts from their Downloads directory as part of normal development workflows
- Discord community tools (bots, utilities, moderation tools) that users download and execute from their Downloads directory for gaming or development communities
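The following Python re-implementation of the query's three signals is an added example, not code from the page or a Splunk artifact. It mirrors the query's match() patterns and RiskScore arithmetic so the logic can be exercised offline against constructed Sysmon Event ID 1 records, and it adds an allowlist parameter to show how one entry from the tuning list above (a hypothetical corporate IT distribution folder under Downloads, an assumed path) suppresses an otherwise-alerting event. Event records, host names, user names and paths are all constructed.

```python
import re

# Regexes mirroring the SPL match() patterns; inputs are lowercased as the query does.
MESSAGING_EXE = re.compile(r"\\(teams|slack|discord|telegram|whatsapp)\.exe")
MESSAGING_DIR = re.compile(r"\\(microsoft\\teams|slack|discord|telegram desktop)\\")
USER_DIRS = re.compile(r"\\(downloads|desktop)\\")
INTERPRETERS = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec)\.exe")
SPAWN_INTERPRETERS = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe")
SUSPICIOUS_CHILD = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|wmic|bitsadmin)\.exe")

# Hypothetical tuning allowlist (assumed path, not from the page): a folder IT uses
# to distribute approved installers, matching one false-positive class listed above.
ALLOWLIST = (re.compile(r"\\downloads\\corp-it-tools\\"),)

# Constructed Sysmon Event ID 1 records (not real telemetry); only fields the query reads.
SAMPLE_EVENTS = [
    {   # Teams client spawning an encoded PowerShell: MessagingClientSpawn
        "host": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA",
        "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
    {   # Downloads-resident binary spawning cmd: DownloadedBinarySpawnedInterpreter
        "host": "WS02", "User": "CORP\\bob",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": "C:\\Users\\bob\\Downloads\\interview-task.exe"},
    {   # Installer launched directly from Desktop: DownloadDirectoryExecution
        "host": "WS03", "User": "CORP\\carol",
        "Image": "C:\\Users\\carol\\Desktop\\setup.exe",
        "CommandLine": "C:\\Users\\carol\\Desktop\\setup.exe",
        "ParentImage": "C:\\Windows\\explorer.exe"},
    {   # Benign: Teams spawning its own updater (messaging parent, no suspicious child)
        "host": "WS04", "User": "CORP\\dave",
        "Image": "C:\\Users\\dave\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
        "CommandLine": "Update.exe --processStart Teams.exe",
        "ParentImage": "C:\\Users\\dave\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
    {   # Benign: browser from Program Files, nothing touches Downloads or Desktop
        "host": "WS05", "User": "CORP\\erin",
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "CommandLine": "chrome.exe --profile-directory=Default",
        "ParentImage": "C:\\Windows\\explorer.exe"},
    {   # Approved IT tool installed via msiexec from the allowlisted folder
        "host": "WS06", "User": "CORP\\frank",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /i C:\\Users\\frank\\Downloads\\Corp-IT-Tools\\vpn-setup.msi /qn",
        "ParentImage": "C:\\Windows\\explorer.exe"},
]


def evaluate(event, allowlist=()):
    """Return the row the SPL query would emit for one event, or None if it is filtered."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Tuning step: drop events that touch an allowlisted path before scoring.
    if any(p.search(image) or p.search(parent) or p.search(cmd) for p in allowlist):
        return None
    messaging_parent = bool(MESSAGING_EXE.search(parent) or MESSAGING_DIR.search(parent))
    download_exec = bool(USER_DIRS.search(image)
                         or (USER_DIRS.search(cmd) and INTERPRETERS.search(image)))
    spawn_chain = bool(USER_DIRS.search(parent) and SPAWN_INTERPRETERS.search(image))
    suspicious_child = bool(SUSPICIOUS_CHILD.search(image))
    # Same condition as the query's where clause.
    if not ((messaging_parent and suspicious_child) or download_exec or spawn_chain):
        return None
    # Same precedence as the query's case() expression.
    if messaging_parent and suspicious_child:
        signal = "MessagingClientSpawn"
    elif spawn_chain:
        signal = "DownloadedBinarySpawnedInterpreter"
    else:
        signal = "DownloadDirectoryExecution"
    return {
        "host": event.get("host"), "User": event.get("User"),
        "Image": event.get("Image"), "ParentImage": event.get("ParentImage"),
        "Signal": signal,
        "RiskScore": int(messaging_parent) + int(download_exec)
                     + int(spawn_chain) + int(suspicious_child),
    }


def triage(events, allowlist=()):
    """Alert rows for all events, highest RiskScore first (the query itself sorts by _time)."""
    rows = [r for r in (evaluate(e, allowlist) for e in events) if r]
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(row["RiskScore"], row["Signal"], row["Image"], "<-", row["ParentImage"])
```

Running the script without the allowlist produces four rows (the msiexec install of the approved tool scores 2, the same as the Teams and Downloads-chain events); passing ALLOWLIST removes it, which is the effect a tuned exclusion in the SPL where clause would have.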
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Social Media File Delivery — Script Execution from Downloads Directory
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-job-offer.bat in \Downloads\ by powershell.exe. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing '\Downloads\df00tech-job-offer.bat' and ParentImage=powershell.exe. DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine containing Downloads path. DeviceFileEvents: .bat file creation in Downloads directory.
- Test 2: Zone.Identifier ADS Stamp with Social Media Referrer (Forensic Artifact Simulation)
Expected signal: Sysmon Event ID 11: FileCreate for df00tech-interview-task.bat in \Downloads\ by powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): captures the Zone.Identifier ADS content including ZoneId=3, ReferrerUrl=linkedin.com, HostUrl=discordapp.com — exactly the artifact investigators use to confirm social media delivery origin. DeviceFileEvents: FileName=df00tech-interview-task.bat with ActionType=FileCreated.
- Test 3: ISO File Download Simulation — Mark-of-the-Web Bypass Vector
Expected signal: Sysmon Event ID 11: FileCreate for interview-materials-2026.iso in \Downloads\ with Image=powershell.exe. DeviceFileEvents: FileName=interview-materials-2026.iso, FolderPath containing \Downloads\, ActionType=FileCreated, InitiatingProcessFileName=powershell.exe. The filename pattern ('interview-materials') is consistent with real Lazarus/Contagious Interview lure naming conventions.
- Test 4: Messaging Client Process Spawn Simulation (Teams-Style Vishing Pattern)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage or Image path containing '\Microsoft\Teams\Teams.exe' spawning a child process. DeviceProcessEvents: InitiatingProcessFolderPath containing \Microsoft\Teams\ or InitiatingProcessFileName matching Teams.exe. The spawned process's parent image resolves to the fake Teams.exe copy, triggering the MessagingParent signal in the query above.
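Test 2 relies on the Zone.Identifier alternate data stream that Sysmon Event ID 15 (FileCreateStreamHash) records in its Contents field. The parser below is an added example, not code from the page or from Atomic Red Team: it reads the [ZoneTransfer] block, maps ZoneId to its security-zone name, extracts the referrer and host URL domains, and flags a file as service-delivered when it came from the Internet zone (ZoneId=3) and either URL belongs to one of the platforms named on this page. The Event ID 15 record, the domain list and the file name are constructed for the example, and triage_stream_event() is a hypothetical helper name.

```python
import configparser
from urllib.parse import urlsplit

# Windows URL security zones as written into Zone.Identifier by browsers and clients.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Constructed list of third-party service domains drawn from the platforms this
# page discusses; extend it to match your environment.
SERVICE_DOMAINS = ("linkedin.com", "facebook.com", "discordapp.com", "discord.com",
                   "telegram.org", "t.me", "whatsapp.com", "teams.microsoft.com")

# Constructed Sysmon Event ID 15 record (not real telemetry). Contents holds the
# raw ADS text exactly as the browser wrote it, CRLF line endings included.
SAMPLE_EVENT15 = {
    "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "TargetFilename": "C:\\Users\\alice\\Downloads\\df00tech-interview-task.bat:Zone.Identifier",
    "Contents": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://www.linkedin.com/messaging/thread/123/\r\n"
                 "HostUrl=https://cdn.discordapp.com/attachments/1/2/df00tech-interview-task.bat\r\n"),
}


def _domain(url):
    """Lower-cased host part of a URL, or '' for values such as 'about:internet'."""
    return (urlsplit(url).hostname or "").lower()


def _is_service_domain(host):
    return any(host == d or host.endswith("." + d) for d in SERVICE_DOMAINS)


def parse_zone_identifier(text):
    """Parse Zone.Identifier ADS text; return a triage dict or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, malformed lines, etc.
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]            # option lookup is case-insensitive
    try:
        zone_id = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone_id = -1
    referrer_host = _domain(sec.get("ReferrerUrl", ""))
    host_url_host = _domain(sec.get("HostUrl", ""))
    from_internet = zone_id == 3
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_host": referrer_host,
        "host_url_host": host_url_host,
        "from_internet": from_internet,
        # The investigator's question: Internet-zone file whose referrer or host
        # is a messaging / social platform rather than enterprise email.
        "service_delivery": from_internet and (_is_service_domain(referrer_host)
                                               or _is_service_domain(host_url_host)),
    }


def triage_stream_event(event):
    """Hypothetical helper: apply the parser to one Sysmon Event ID 15 record."""
    target = event.get("TargetFilename", "")
    suffix = ":Zone.Identifier"
    if not target.lower().endswith(suffix.lower()):
        return None                      # some other named stream; not our artifact
    parsed = parse_zone_identifier(event.get("Contents", ""))
    if parsed is None:
        return None
    parsed["file"] = target[:-len(suffix)]
    parsed["writer"] = event.get("Image", "")
    return parsed


if __name__ == "__main__":
    result = triage_stream_event(SAMPLE_EVENT15)
    print(result["file"], result["zone_name"], result["referrer_host"],
          result["host_url_host"], "service_delivery=%s" % result["service_delivery"])
```

The same parser applies to the ADS read directly from disk during forensic review (for example the bytes of `file.bat:Zone.Identifier`), which is the artifact Test 2 says investigators use to confirm the delivery origin.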
References
- https://attack.mitre.org/techniques/T1566/003/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.kaspersky.com/about/press-releases/2022_toddycat-is-targeting-exchange-servers-across-europe-and-asia
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-to-conti/
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-new-developments/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/microsoftteams/teams-security-guide
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.003/T1566.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.secureworks.com/research/threat-profiles/bronze-highland