Detect Phishing in Elastic Security
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted (spearphishing) against a specific individual, company, or industry, or non-targeted such as mass malware spam campaigns. Adversaries send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or steal credentials. Phishing may also be conducted via third-party services like social media platforms, via voice-based callback lures directing victims to call a phone number and then download malware or install remote management tools, or through thread hijacking by injecting malicious content into existing email conversations. Email spoofing, manipulation of authentication headers, and abuse of compromised legitimate accounts are common evasion techniques used to bypass automated security tooling and human suspicion alike.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Canonical reference: https://attack.mitre.org/techniques/T1566/
Elastic Detection Query
Detects spearphishing emails with suspicious attachments and social engineering subject lines using Microsoft 365 email telemetry.

    any where event.dataset == "o365.audit" and
      event.category == "email" and
      (
        (event.action : ("TIMailData", "EmailReceived") and
          (email.attachments.file.extension : ("exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "hta", "wsf", "scr", "pif", "iso", "img", "lnk", "docm", "xlsm", "jar") or
           email.subject : ("*invoice*", "*payment*", "*urgent*", "*verify*", "*suspended*", "*confirm*", "*notice*"))) or
        (event.action : ("TIUrlClick") and
         event.outcome : "blocked")
      )
False Positives & Tuning
- Automated marketing and newsletter platforms (Mailchimp, Constant Contact, HubSpot) that send bulk email from shared infrastructure may trigger SPF/DKIM mismatches if not properly configured
- Internal security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness, Cofense) deliberately send fake phishing emails and should be allowlisted by sender domain
- Vendors or partners sending invoices or payment requests from cloud document-sharing services (DocuSign, Adobe Sign, Dropbox) may match subject-line keywords while being fully legitimate
- Email delivery failure notifications (NDRs, mailer-daemon bounces) forwarded through multiple hops may fail DMARC alignment without being malicious
- Internal IT helpdesk emails requesting credential resets or account verification may match SuspiciousSubjectTerms
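To see how the rule's conditions and the allowlist tuning above behave together, here is an added Python re-implementation of the EQL logic run over constructed sample events (this is not Elastic's code or the detection package's own; the event layout is flattened ECS field names, and the simulation-platform sender domain is a placeholder assumption):

```python
import fnmatch

# Values copied from the EQL rule on this page.
SUSPICIOUS_EXTENSIONS = {
    "exe", "dll", "bat", "cmd", "ps1", "vbs", "js", "hta", "wsf", "scr",
    "pif", "iso", "img", "lnk", "docm", "xlsm", "jar",
}
SUBJECT_PATTERNS = ["*invoice*", "*payment*", "*urgent*", "*verify*",
                    "*suspended*", "*confirm*", "*notice*"]
# Tuning allowlist from the false-positive notes: sender domains of an internal
# phishing-simulation platform. The domain is a constructed placeholder.
SIMULATION_SENDER_DOMAINS = {"phishsim.example"}


def matches_rule(ev):
    """Re-implements the EQL condition for one flattened ECS event.
    EQL ':' is a case-insensitive wildcard match, so both sides are lowercased."""
    if ev.get("event.dataset") != "o365.audit" or ev.get("event.category") != "email":
        return False
    action = ev.get("event.action")
    if action in ("TIMailData", "EmailReceived"):
        exts = {e.lower() for e in ev.get("email.attachments.file.extension", [])}
        if exts & SUSPICIOUS_EXTENSIONS:
            return True
        subject = (ev.get("email.subject") or "").lower()
        return any(fnmatch.fnmatchcase(subject, p) for p in SUBJECT_PATTERNS)
    if action == "TIUrlClick":
        return ev.get("event.outcome") == "blocked"
    return False


def is_simulation(ev):
    """Tuning exception: suppress hits whose sender domain is an allowlisted simulation platform."""
    domain = ev.get("email.from.address", "").rpartition("@")[2].lower()
    return domain in SIMULATION_SENDER_DOMAINS


def evaluate(events):
    """Return ids of events that match the rule and survive the allowlist."""
    return [ev["id"] for ev in events if matches_rule(ev) and not is_simulation(ev)]


def _ev(i, action, subject="", exts=(), outcome=None, sender="user@corp.example", dataset="o365.audit"):
    # Builds one constructed sample event (not a real audit record).
    return {"id": i, "event.dataset": dataset, "event.category": "email", "event.action": action,
            "email.subject": subject, "email.attachments.file.extension": list(exts),
            "event.outcome": outcome, "email.from.address": sender}


SAMPLE_EVENTS = [
    _ev("e1", "EmailReceived", "Your order", ["pdf", "PS1"]),                         # suspicious extension
    _ev("e2", "EmailReceived", "URGENT: account suspended", ["pdf"]),                 # subject keyword
    _ev("e3", "EmailReceived", "Lunch on Friday", ["pdf"]),                           # benign
    _ev("e4", "TIUrlClick", outcome="blocked"),                                       # blocked URL click
    _ev("e5", "TIUrlClick", outcome="allowed"),                                       # allowed click, no hit
    _ev("e6", "EmailReceived", "Verify your account", sender="it@phishsim.example"),  # allowlisted simulation
    _ev("e7", "EmailReceived", "Invoice attached", ["exe"], dataset="azure.auditlogs"),  # wrong dataset
]
```

Running `evaluate(SAMPLE_EVENTS)` returns `["e1", "e2", "e4"]`: e6 matches the rule but is dropped by the simulation allowlist, and e7 never reaches the conditions because the dataset filter fails first.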
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Phishing Email with Suspicious Attachment via PowerShell SMTP
Expected signal: EmailEvents table: Inbound email from spoofed sender domain with suspicious subject, DeliveryAction likely Junked or Blocked by Defender for Office 365. EmailAttachmentInfo: FileName='invoice_2026.pdf.ps1' with .ps1 extension flagged. O365 Management Activity: TIMailData event with Verdict='Phish' or 'Malware' in ThreatIntelligence workload. Exchange Admin Center Message Trace: full delivery path logged.
- Test 2: Office Macro Execution Simulation — Word Spawning Command Shell
Expected signal: Sysmon Event ID 1 (Process Create): ParentImage=WINWORD.EXE, Image=cmd.exe, CommandLine='cmd.exe /c whoami > %TEMP%\phish_exec_test.txt'. Sysmon Event ID 11 (File Create): phish_exec_test.txt written to %TEMP%. Security Event ID 4688 (if command line auditing enabled): same parent-child relationship. Microsoft Defender may generate an alert for macro execution.
- Test 3: Email Spoofing via DMARC-None Domain — Header From Mismatch
Expected signal: Email headers: Authentication-Results header will show DMARC=fail (due to From domain mismatch with envelope sender). Exchange Online: message trace showing delivery with DMARC fail result. O365 Management Activity: TIMailData or MessageDelivered event with authentication failure flags. Defender for Office 365: anti-spoofing intelligence may flag the mismatched From/Reply-To pattern.
- Test 4: Callback Phishing Simulation — HTA File Dropper via Email Link
Expected signal: Sysmon Event ID 1: mshta.exe launched with HTA file path as argument. Sysmon Event ID 1 (child): cmd.exe spawned by mshta.exe with whoami command. Sysmon Event ID 11: callback_phish_test.txt created in %TEMP%. Security Event ID 4688: both mshta.exe and cmd.exe process creation events (if command line auditing enabled). Windows Defender may generate an alert for mshta.exe executing a locally-crafted HTA.
References
- https://attack.mitre.org/techniques/T1566/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-emailevents-table
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-emailattachmentinfo-table
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-emailurlinfo-table
- https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#threatintelligence-complex-type
- https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
- https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
- https://www.proofpoint.com/us/threat-reference/email-spoofing
- https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365