Which SIEM platforms have a T1598 detection rule?

df00tech provides T1598 (Phishing for Information) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Phishing for Information (T1598)?

Detecting Phishing for Information requires the following data sources: Microsoft Defender for Office 365.

What severity and confidence is the T1598 detection?

The T1598 detection is rated high severity with medium confidence.

What are common false positives for T1598?

Common false positives for T1598 include: Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list; Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains; Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives.

T1598: Phishing for Information — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let PhishingKeywords = dynamic(["verify your account", "confirm your identity", "urgent action required", "account suspended", "click to verify", "validate credentials", "one-time password", "account will be locked", "update your information", "security notification", "unusual sign-in", "confirm your credentials"]);
let TrustedDomains = dynamic(["microsoft.com", "office.com", "office365.com", "microsoftonline.com", "google.com", "amazon.com", "github.com", "okta.com", "salesforce.com"]);
EmailEvents
| where TimeGenerated > ago(1d)
| where DeliveryAction !in ("Blocked")
| where EmailDirection == "Inbound"
| extend SpoofedSender = (SenderFromDomain != SenderMailFromDomain and isnotempty(SenderMailFromDomain))
| extend SuspiciousSubject = (Subject has_any (PhishingKeywords))
| join kind=leftouter (
    EmailUrlInfo
    | where TimeGenerated > ago(1d)
    | where isnotempty(UrlDomain)
    | where UrlDomain !has_any (TrustedDomains)
    | summarize SuspiciousUrls = make_set(Url, 5), SuspiciousUrlDomains = make_set(UrlDomain, 5) by NetworkMessageId
) on NetworkMessageId
| where SpoofedSender or SuspiciousSubject or isnotempty(SuspiciousUrls)
| extend RiskScore = toint(SpoofedSender) * 50 + toint(SuspiciousSubject) * 30 + iff(isnotempty(SuspiciousUrls), 20, 0)
| where RiskScore >= 30
| project TimeGenerated, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, NetworkMessageId, SpoofedSender, SuspiciousSubject, SuspiciousUrls, SuspiciousUrlDomains, RiskScore
| order by RiskScore desc, TimeGenerated desc

Detects inbound emails exhibiting phishing-for-information characteristics: spoofed sender addresses (From domain differs from MailFrom domain indicating SPF alignment failures or display-name spoofing), subject lines containing credential harvesting or social engineering keywords, and URLs pointing to domains not in the trusted baseline. Requires Microsoft Defender for Office 365 Plan 2 with Advanced Hunting enabled in the Microsoft 365 Defender portal.

high severity medium confidence

Data Sources

Microsoft Defender for Office 365

Required Tables

EmailEvents EmailUrlInfo

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

Splunk

spl

index=* sourcetype="ms:o365:management:activity" Workload=Exchange
| search Operation IN ("MessageDelivered", "MessageReceived")
| rex field=_raw "\"Subject\":\"(?<EmailSubject>[^\"]+)\""
| rex field=_raw "\"SenderAddress\":\"(?<SenderAddress>[^\"]+)\""
| rex field=_raw "\"RecipientAddress\":\"(?<RecipientAddress>[^\"]+)\""
| eval SenderDomain=lower(mvindex(split(SenderAddress, "@"), 1))
| eval PhishingScore=0
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "verify|confirm.*identity|urgent.*action|account.*suspend|validate.*credential|one.time.password|account.*lock"), 30, 0)
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "security.*alert|unusual.*activity|sign.in.*attempt|password.*expir|update.*information"), 20, 0)
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "invoice|wire.*transfer|w-2|tax.*form|benefits.*enroll|direct.*deposit"), 25, 0)
| where PhishingScore >= 20
| stats count as MessageCount, values(EmailSubject) as Subjects, values(SenderAddress) as Senders, values(RecipientAddress) as Recipients, max(PhishingScore) as MaxScore by SenderDomain, span(_time, 1h)
| sort -MaxScore
| table _time, SenderDomain, Senders, Recipients, Subjects, MessageCount, MaxScore

Detects phishing-for-information email patterns in Office 365 management activity logs by scoring inbound messages against credential harvesting, social engineering, and business email compromise keyword patterns. High-score messages targeting multiple recipients within the same hour indicate active phishing campaigns. Requires the Splunk Add-on for Microsoft Office 365.

high severity medium confidence

Data Sources

Microsoft Office 365

Required Sourcetypes

ms:o365:management:activity

False Positives

IT security awareness training emails with intentional phishing simulation language from platforms like KnowBe4 or Cofense
Legitimate account security notifications from identity providers (Okta, Azure AD, Google Workspace) using urgency language for MFA enrollment or password expiration
HR and finance system notifications (payroll confirmations, benefits enrollment reminders, W-2 availability) matching BEC-themed keywords
Automated IT ticketing system notifications using action-required language for pending approvals or access requests

Elastic Security (EQL)

eql

// T1598 — Phishing for Information
any where event.dataset : "o365.audit"
  and event.action in ("New-InboxRule", "Set-InboxRule")
  and message : ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
  and not message : "*.onmicrosoft.com"

Elastic EQL detection for Phishing for Information (T1598). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

high severity medium confidence

Data Sources

Network Traffic Firewall Logs

Required Tables

logs-network_traffic.* logs-endpoint.events.network-*

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("operationname") ILIKE '%new-inboxrule%' OR LOWER("operationname") ILIKE '%set-inboxrule%' AND LOWER("params") ILIKE '%forwardto%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("operationname") ILIKE '%new-inboxrule%' OR LOWER("operationname") ILIKE '%set-inboxrule%' AND LOWER("params") ILIKE '%forwardto%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

QRadar AQL detection for Phishing for Information (T1598). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

Sumo Logic CSE

sql

_sourceCategory=*o365* OR _sourceCategory=*exchange* OR _sourceCategory=*email*
| json auto
| where Operation in ("New-InboxRule","Set-InboxRule")
| where params matches "*ForwardTo*" or params matches "*RedirectTo*"
| where !(params matches "*.onmicrosoft.com*")
| count by UserId, ClientIP, Operation, params

Sumo Logic detection for Phishing for Information (T1598). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface phishing for information patterns. Designed for the Sumo Logic Cloud SIEM platform.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

o365/exchange microsoft/exchange

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

Google Chronicle / SecOps

yaral

rule t1598_phishing_for_information {
  meta:
    author = "df00tech"
    description = "Detects phishing-for-information indicators via inbox forwarding and risk signins"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1598"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "Office 365"
    $e.metadata.product_event_type = /New-InboxRule|Set-InboxRule/
    re.regex($e.about.labels["Parameters"], `(?i)ForwardTo|RedirectTo`)
  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection rule for Phishing for Information (T1598). Uses Unified Data Model (UDM) event field mappings to detect the same behavioral patterns as the KQL rule, with Chronicle's temporal matching and entity correlation capabilities.

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

EMAIL_TRANSACTION

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["UserLogon", "UserIdentityUpdate"]
| UserName = /./
| case {
    RemoteAddressIP4 = /^(tor|vpn|proxy)/i => TechniqueLabel := "T1598 - AnonNetwork";
    * => TechniqueLabel := "T1598 - HighRiskSignin"
  }
| table([@timestamp, ComputerName, UserName, RemoteAddressIP4, TechniqueLabel])

CrowdStrike LogScale (Falcon) CQL detection for Phishing for Information (T1598). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.

high severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

InboundEmail ProcessRollup2

False Positives

Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address

Phishing for Information

What is T1598 Phishing for Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1598

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

What is T1598 Phishing for Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1598

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox