Phishing for Information
Detects adversary phishing-for-information campaigns targeting employees via email, spearphishing, and social engineering to harvest credentials, one-time passwords, and sensitive organizational data. Detection operates across three layers: (1) inbound email analysis identifying spoofed senders (From/MailFrom domain mismatch), credential-harvesting subject line keywords, and URLs pointing to non-trusted domains; (2) URL click telemetry correlating users navigating to phishing infrastructure after suspicious email delivery; and (3) post-phishing authentication anomalies such as sign-ins from new geographies within minutes of a suspicious email click. This technique is actively used by Scattered Spider for MFA/OTP capture, APT28 for credential collection against campaign targets, and Kimsuky for intelligence gathering against research institutions.
let PhishingKeywords = dynamic(["verify your account", "confirm your identity", "urgent action required", "account suspended", "click to verify", "validate credentials", "one-time password", "account will be locked", "update your information", "security notification", "unusual sign-in", "confirm your credentials"]);
let TrustedDomains = dynamic(["microsoft.com", "office.com", "office365.com", "microsoftonline.com", "google.com", "amazon.com", "github.com", "okta.com", "salesforce.com"]);
EmailEvents
| where TimeGenerated > ago(1d)
| where DeliveryAction !in ("Blocked")
| where EmailDirection == "Inbound"
// Layer 1: header-level indicators on the delivered message
| extend SpoofedSender = (SenderFromDomain != SenderMailFromDomain and isnotempty(SenderMailFromDomain))
| extend SuspiciousSubject = (Subject has_any (PhishingKeywords))
| join kind=leftouter (
    EmailUrlInfo
    | where TimeGenerated > ago(1d)
    | where isnotempty(UrlDomain)
    // KQL has no !has_any operator, so the negation is written with not().
    // Caveat: has_any is a term match, so a lookalike such as microsoft.com.evil.net
    // also satisfies it and is dropped here; tighten with endswith if that matters.
    | where not(UrlDomain has_any (TrustedDomains))
    | summarize SuspiciousUrls = make_set(Url, 5), SuspiciousUrlDomains = make_set(UrlDomain, 5) by NetworkMessageId
) on NetworkMessageId
| where SpoofedSender or SuspiciousSubject or isnotempty(SuspiciousUrls)
// Weighted score: spoofed sender 50, phishing-style subject 30, untrusted URL 20
| extend RiskScore = toint(SpoofedSender) * 50 + toint(SuspiciousSubject) * 30 + iff(isnotempty(SuspiciousUrls), 20, 0)
| where RiskScore >= 30
| project TimeGenerated, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, NetworkMessageId, SpoofedSender, SuspiciousSubject, SuspiciousUrls, SuspiciousUrlDomains, RiskScore
| order by RiskScore desc, TimeGenerated desc
Data Sources
Required Tables
False Positives
- Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
- Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
- Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
- Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address
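The scoring logic of the query above and the exclusion handling suggested in the false-positive list, re-implemented in Python as an added example (not the page's own code) so the rule can be exercised offline against constructed records. Field names mirror the EmailEvents and EmailUrlInfo columns the query uses; SIMULATION_SENDER_DOMAINS and the sample domains are hypothetical.

```python
from typing import Dict, List, Optional

PHISHING_KEYWORDS = ["verify your account", "confirm your identity", "urgent action required",
                     "account suspended", "click to verify", "validate credentials",
                     "one-time password", "account will be locked", "update your information",
                     "security notification", "unusual sign-in", "confirm your credentials"]
TRUSTED_DOMAINS = ["microsoft.com", "office.com", "office365.com", "microsoftonline.com",
                   "google.com", "amazon.com", "github.com", "okta.com", "salesforce.com"]
# Hypothetical exclusion list for awareness-training senders (first false positive above).
SIMULATION_SENDER_DOMAINS = {"phishsim.example"}
def is_trusted_domain(url_domain: str) -> bool:
    """Match whole DNS labels: 'login.microsoft.com' is trusted, the lookalike
    'microsoft.com.evil.net' is not. A substring-style test would accept the lookalike."""
    d = url_domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)

def score_email(email: Dict[str, str], url_domains: List[str]) -> Optional[Dict]:
    """Score one email the way the query does; None means the rule would not fire."""
    if email["DeliveryAction"] == "Blocked" or email["EmailDirection"] != "Inbound":
        return None
    mail_from = email["SenderMailFromDomain"].lower()
    if mail_from in SIMULATION_SENDER_DOMAINS:      # exclusion for simulated phishing
        return None
    spoofed = bool(mail_from) and email["SenderFromDomain"].lower() != mail_from
    subject = email["Subject"].lower()
    suspicious_subject = any(k in subject for k in PHISHING_KEYWORDS)
    suspicious_urls = sorted({d.lower() for d in url_domains if not is_trusted_domain(d)})[:5]
    risk = 50 * spoofed + 30 * suspicious_subject + (20 if suspicious_urls else 0)
    if risk < 30:
        return None
    return {"RecipientEmailAddress": email["RecipientEmailAddress"], "Subject": email["Subject"],
            "SpoofedSender": spoofed, "SuspiciousSubject": suspicious_subject,
            "SuspiciousUrlDomains": suspicious_urls, "RiskScore": risk}
def _email(from_dom, mailfrom_dom, subject, action="Delivered"):
    return {"RecipientEmailAddress": "alice@corp.example", "SenderFromDomain": from_dom,
            "SenderMailFromDomain": mailfrom_dom, "Subject": subject,
            "DeliveryAction": action, "EmailDirection": "Inbound"}
SAMPLE_EMAILS = [  # constructed sample telemetry (not real data): (email, url domains)
    (_email("corp.example", "bounce.attacker.example",
            "Urgent action required: verify your account"), ["microsoft.com.evil.net"]),
    (_email("okta.com", "okta.com", "Verify your account to finish setup"), ["login.okta.com"]),
    (_email("corp.example", "phishsim.example", "Account suspended"), ["phishsim.example"]),
    (_email("brand.example", "mail.esp.example", "Weekly digest"), ["brand.example"]),
]

def run_rule(samples=SAMPLE_EMAILS) -> List[Dict]:
    """Alert rows ordered by RiskScore desc, as the query's final 'order by' does."""
    rows = [r for e, urls in samples if (r := score_email(e, urls))]
    return sorted(rows, key=lambda r: -r["RiskScore"])
```

Running it shows the legitimate Okta notification still scoring 30 on subject language alone, so adding a vendor to TrustedDomains suppresses only the URL component, not the subject component, of the score.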
References (7)
- https://attack.mitre.org/techniques/T1598/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-technique/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/gophish/gophish
- https://github.com/kgretzky/evilginx2