T1566 Splunk · SPL

Detect Phishing in Splunk

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted (spearphishing) against a specific individual, company, or industry, or non-targeted such as mass malware spam campaigns. Adversaries send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or steal credentials. Phishing may also be conducted via third-party services like social media platforms, via voice-based callback lures directing victims to call a phone number and then download malware or install remote management tools, or through thread hijacking by injecting malicious content into existing email conversations. Email spoofing, manipulation of authentication headers, and abuse of compromised legitimate accounts are common evasion techniques used to bypass automated security tooling and human suspicion alike.

MITRE ATT&CK

Tactic: Initial Access
Technique: T1566 Phishing
Canonical reference: https://attack.mitre.org/techniques/T1566/

SPL Detection Query

Splunk (SPL)
index=o365 sourcetype="o365:management:activity" Workload=ThreatIntelligence Operation=TIMailData
| spath output=Verdict path=Verdict
| spath output=P1Sender path=P1Sender
| spath output=P2Sender path=P2Sender
| spath output=SenderIp path=SenderIp
| spath output=Subject path=Subject
| spath output=Recipients path=Recipients
| spath output=DeliveryAction path=Delivery.DeliveryAction
| spath output=DeliveryLocation path=Delivery.DeliveryLocation
| spath output=AttachmentFiles path=AttachmentData{}.FileName
| spath output=AttachmentVerdicts path=AttachmentData{}.FileVerdict
| spath output=Urls path=UrlData{}.Url
| where Verdict IN ("Phish", "Malware", "MaliciousUrl", "HighConfidencePhish")
| eval SuspiciousSubject=if(
    match(lower(Subject), "(invoice|payment|urgent|verify|suspended|confirm|password reset|credentials|wire transfer|action required|unusual activity|security alert|shared with you)"),
    1, 0
  )
| eval HasSuspiciousAttachment=if(isnotnull(AttachmentFiles) AND AttachmentFiles!="", 1, 0)
| eval ThreatScore=case(
    Verdict="HighConfidencePhish" OR Verdict="Malware", 3,
    Verdict="Phish" OR Verdict="MaliciousUrl", 2,
    true(), 1
  ) + SuspiciousSubject + HasSuspiciousAttachment
| eval AttachmentList=mvjoin(AttachmentFiles, " | ")
| eval UrlList=mvjoin(Urls, " | ")
| eval Severity=case(
    ThreatScore >= 4, "Critical",
    ThreatScore == 3, "High",
    ThreatScore == 2, "Medium",
    true(), "Low"
  )
| table _time, P1Sender, P2Sender, SenderIp, Recipients, Subject, Verdict,
        DeliveryAction, DeliveryLocation, AttachmentList, AttachmentVerdicts,
        UrlList, SuspiciousSubject, HasSuspiciousAttachment, ThreatScore, Severity
| sort -ThreatScore, -_time

Severity: High · Confidence: High

Detects phishing email delivery events from the Microsoft Office 365 Management Activity API, ingested via the Splunk Add-on for Microsoft Office 365. It targets the ThreatIntelligence workload and the TIMailData operation, which Microsoft Defender for Office 365 populates when it assigns a phishing or malware verdict to an inbound message. The query uses spath to pull the nested JSON fields (sender addresses and IP, subject, recipients, delivery action and location, attachment filenames and verdicts, and URLs), keeps only events whose Verdict is Phish, Malware, MaliciousUrl or HighConfidencePhish, and scores each event by verdict confidence, attachment presence, and subject-line keyword matches so analysts can triage by priority.

Data Sources

  • Application Log: Application Log Content
  • Microsoft Office 365 Management Activity API
  • Microsoft Defender for Office 365 ThreatIntelligence Workload

Required Sourcetypes

o365:management:activity

False Positives & Tuning

  • Security awareness phishing simulation platforms (KnowBe4, Cofense, Proofpoint) send deliberate phishing test emails that Defender for Office 365 may classify as Phish
  • Email forwarding configurations from external mail systems may cause DMARC alignment failures on otherwise legitimate messages
  • Mass marketing emails from vendors using shared sending infrastructure may occasionally be classified as Spam or Phish due to sending reputation
  • Mislabeled internal security communications using urgent language may match subject-line keyword patterns
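The verdict filter and scoring of the SPL query above, plus the suppression of phishing-simulation senders described in the tuning notes, as an added Python example that is not part of the original page or of the Splunk add-on. The events, addresses, IPs and the SIMULATION_SENDER_DOMAINS allowlist are constructed for the example; the field names mirror the JSON paths the query's spath calls extract, so the scores it produces are the ones the query would assign.

```python
import json
import re

# Constructed sample of O365 Management Activity TIMailData events (not real data).
# Field names follow the Workload=ThreatIntelligence / Operation=TIMailData paths
# the SPL query extracts with spath.
SAMPLE_EVENTS = [
    json.dumps({
        "Workload": "ThreatIntelligence", "Operation": "TIMailData",
        "Verdict": "HighConfidencePhish",
        "P1Sender": "bounce@mailer.example.net", "P2Sender": "ceo@example.com",
        "SenderIp": "203.0.113.10", "Subject": "URGENT: wire transfer approval needed",
        "Recipients": ["finance@example.com"],
        "Delivery": {"DeliveryAction": "Blocked", "DeliveryLocation": "Quarantine"},
        "AttachmentData": [{"FileName": "invoice_2026.pdf.ps1", "FileVerdict": 1}],
        "UrlData": [{"Url": "https://login.example.org/verify"}],
    }),
    json.dumps({
        "Workload": "ThreatIntelligence", "Operation": "TIMailData",
        "Verdict": "Phish",
        "P1Sender": "training@phishsim.example", "P2Sender": "it-helpdesk@example.com",
        "SenderIp": "198.51.100.7", "Subject": "Password reset required",
        "Recipients": ["alice@example.com"],
        "Delivery": {"DeliveryAction": "Delivered", "DeliveryLocation": "Inbox"},
        "AttachmentData": [],
        "UrlData": [{"Url": "https://phishsim.example/track/abc"}],
    }),
    json.dumps({
        "Workload": "ThreatIntelligence", "Operation": "TIMailData",
        "Verdict": "Spam",
        "P1Sender": "news@vendor.example", "P2Sender": "news@vendor.example",
        "SenderIp": "192.0.2.44", "Subject": "Monthly newsletter",
        "Recipients": ["bob@example.com"],
        "Delivery": {"DeliveryAction": "Junked", "DeliveryLocation": "JunkFolder"},
    }),
]

# Same verdict list as the query's `where Verdict IN (...)` clause.
MALICIOUS_VERDICTS = {"Phish", "Malware", "MaliciousUrl", "HighConfidencePhish"}

# Same keyword pattern as the query's match(lower(Subject), ...) call.
SUSPICIOUS_SUBJECT = re.compile(
    r"(invoice|payment|urgent|verify|suspended|confirm|password reset|credentials|"
    r"wire transfer|action required|unusual activity|security alert|shared with you)"
)

# Hypothetical allowlist of simulation-platform sender domains (tuning item 1).
SIMULATION_SENDER_DOMAINS = {"phishsim.example"}


def sender_domain(address):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def severity_for(score):
    """Severity bands exactly as the query's case() statement defines them."""
    if score >= 4:
        return "Critical"
    if score == 3:
        return "High"
    if score == 2:
        return "Medium"
    return "Low"


def score_event(raw):
    """Score one raw JSON event; return None where the SPL pipeline would drop it."""
    ev = json.loads(raw)
    if ev.get("Workload") != "ThreatIntelligence" or ev.get("Operation") != "TIMailData":
        return None
    verdict = ev.get("Verdict", "")
    if verdict not in MALICIOUS_VERDICTS:
        return None
    subject = ev.get("Subject") or ""
    attachments = [a.get("FileName", "") for a in ev.get("AttachmentData") or []]
    urls = [u.get("Url", "") for u in ev.get("UrlData") or []]
    suspicious_subject = 1 if SUSPICIOUS_SUBJECT.search(subject.lower()) else 0
    # isnotnull(AttachmentFiles) AND AttachmentFiles!="" -> at least one non-empty name
    has_attachment = 1 if any(attachments) else 0
    base = 3 if verdict in ("HighConfidencePhish", "Malware") else 2
    score = base + suspicious_subject + has_attachment
    delivery = ev.get("Delivery") or {}
    return {
        "P1Sender": ev.get("P1Sender", ""), "P2Sender": ev.get("P2Sender", ""),
        "Subject": subject, "Verdict": verdict,
        "DeliveryAction": delivery.get("DeliveryAction", ""),
        "AttachmentList": " | ".join(attachments), "UrlList": " | ".join(urls),
        "SuspiciousSubject": suspicious_subject, "HasSuspiciousAttachment": has_attachment,
        "ThreatScore": score, "Severity": severity_for(score),
        "Simulation": sender_domain(ev.get("P1Sender", "")) in SIMULATION_SENDER_DOMAINS,
    }


def triage(raw_events, suppress_simulations=True):
    """Scored rows, highest ThreatScore first, optionally minus simulation senders."""
    rows = [r for r in (score_event(e) for e in raw_events) if r]
    if suppress_simulations:
        rows = [r for r in rows if not r["Simulation"]]
    return sorted(rows, key=lambda r: -r["ThreatScore"])


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, suppress_simulations=False):
        print(row["Severity"], row["ThreatScore"], row["P1Sender"], row["Subject"])
```

Run stand-alone it prints the two retained events ranked by score; the Spam event never reaches scoring, just as the query's `where` clause drops it. The simulation check keys on the P1 (envelope) sender domain because that is the address a simulation platform controls, while the P2 (header From) address is the one it impersonates; keeping the flag on the row rather than deleting it outright lets an analyst audit what the suppression removed.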

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Phishing Email with Suspicious Attachment via PowerShell SMTP

    Expected signal: EmailEvents table: Inbound email from spoofed sender domain with suspicious subject, DeliveryAction likely Junked or Blocked by Defender for Office 365. EmailAttachmentInfo: FileName='invoice_2026.pdf.ps1' with .ps1 extension flagged. O365 Management Activity: TIMailData event with Verdict='Phish' or 'Malware' in ThreatIntelligence workload. Exchange Admin Center Message Trace: full delivery path logged.

  2. Test 2: Office Macro Execution Simulation — Word Spawning Command Shell

    Expected signal: Sysmon Event ID 1 (Process Create): ParentImage=WINWORD.EXE, Image=cmd.exe, CommandLine='cmd.exe /c whoami > %TEMP%\phish_exec_test.txt'. Sysmon Event ID 11 (File Create): phish_exec_test.txt written to %TEMP%. Security Event ID 4688 (if command line auditing enabled): same parent-child relationship. Microsoft Defender may generate an alert for macro execution.

  3. Test 3: Email Spoofing via DMARC-None Domain — Header From Mismatch

    Expected signal: Email headers: Authentication-Results header will show DMARC=fail (due to From domain mismatch with envelope sender). Exchange Online: message trace showing delivery with DMARC fail result. O365 Management Activity: TIMailData or MessageDelivered event with authentication failure flags. Defender for Office 365: anti-spoofing intelligence may flag the mismatched From/Reply-To pattern.

  4. Test 4: Callback Phishing Simulation — HTA File Dropper via Email Link

    Expected signal: Sysmon Event ID 1: mshta.exe launched with HTA file path as argument. Sysmon Event ID 1 (child): cmd.exe spawned by mshta.exe with whoami command. Sysmon Event ID 11: callback_phish_test.txt created in %TEMP%. Security Event ID 4688: both mshta.exe and cmd.exe process creation events (if command line auditing enabled). Windows Defender may generate an alert for mshta.exe executing a locally-crafted HTA.
