T1598.001 Spearphishing Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Branch 1: High-risk Azure AD sign-ins — potential credential use after social media spearphishing
let HighRiskSignins = SigninLogs
| where TimeGenerated > ago(24h)
| where RiskLevelDuringSignIn in ("high", "medium") or RiskState == "atRisk"
| extend DetectionBranch = "HighRiskSignin"
| extend Details = strcat("App:", AppDisplayName, " RiskLevel:", RiskLevelDuringSignIn, " RiskDetail:", tostring(RiskDetail), " Location:", tostring(LocationDetails.countryOrRegion), " ASN:", tostring(AutonomousSystemNumber))
| project TimeGenerated, UserPrincipalName, SourceIP = IPAddress, DetectionBranch, Details;
// Branch 2: Inbox forwarding rules created to external addresses — post-compromise persistence after credential harvest
let InboxForwardingRules = OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("New-InboxRule", "Set-InboxRule")
| extend Params = tostring(Parameters)
| where Params has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| where Params !contains ".onmicrosoft.com"
| extend DetectionBranch = "InboxForwardingRule"
| extend Details = strcat("Operation:", Operation, " RuleParams:", Params)
| project TimeGenerated, UserPrincipalName = UserId, SourceIP = ClientIP, DetectionBranch, Details;
// Branch 3: MFA / security info changes — adversary modifies authentication after gaining access via harvested credentials
let SecurityInfoChanges = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("User registered security info", "User deleted security info", "User changed default security info")
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByIP = tostring(InitiatedBy.user.ipAddress)
| extend DetectionBranch = "SecurityInfoChanged"
| extend Details = strcat("Operation:", OperationName, " InitiatedBy:", InitiatedByUser, " Target:", TargetUser)
| project TimeGenerated, UserPrincipalName = TargetUser, SourceIP = InitiatedByIP, DetectionBranch, Details;
HighRiskSignins
| union InboxForwardingRules
| union SecurityInfoChanges
| sort by TimeGenerated desc

medium severity low confidence

Data Sources

Application Log: Application Log Content Network Traffic: Network Traffic Content Microsoft Azure Active Directory Sign-In Logs Office 365 Unified Audit Logs Azure Active Directory Audit Logs

Required Tables

SigninLogs OfficeActivity AuditLogs

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity
Automated SOAR playbooks or onboarding workflows that modify MFA settings and create inbox rules as part of approved provisioning processes

Splunk

spl

index=o365 sourcetype="o365:management:activity" Operation IN ("New-InboxRule", "Set-InboxRule")
| eval params=mvjoin('Parameters{}.Value', " ")
| where match(params, "(?i)(forwardto|forwardasattachmentto|redirectto)")
| where NOT match(params, "(?i)(\.onmicrosoft\.com|yourdomain\.com)")
| eval DetectionBranch="InboxForwardingRule", UserAccount=UserId
| table _time, UserAccount, Operation, params, ClientIP, DetectionBranch
| append [
    search index=azure sourcetype="azure:aad:signin" riskLevelDuringSignIn IN ("high", "medium")
    | eval DetectionBranch="HighRiskSignin"
    | eval UserAccount=userPrincipalName
    | eval LocationInfo=location.countryOrRegion
    | table _time, UserAccount, appDisplayName, ipAddress, LocationInfo, riskState, riskDetail, DetectionBranch
]
| append [
    search index=azure sourcetype="azure:aad:audit" operationName IN ("User registered security info", "User deleted security info", "User changed default security info")
    | eval TargetUser=mvindex('targetResources{}.userPrincipalName', 0)
    | eval InitiatedBy=mvindex('initiatedBy.user.userPrincipalName', 0)
    | eval DetectionBranch="SecurityInfoChanged", UserAccount=TargetUser
    | table _time, UserAccount, operationName, InitiatedBy, result, DetectionBranch
]
| sort - _time

medium severity low confidence

Data Sources

Application Log: Application Log Content Office 365 Management Activity Azure Active Directory Sign-In Logs Azure Active Directory Audit Logs

Required Sourcetypes

o365:management:activity azure:aad:signin azure:aad:audit

False Positives

Users in BYOD environments creating legitimate inbox rules to forward work email to personal free email accounts
International employees or frequent travelers triggering high-risk sign-in events from new countries and ASNs
IT administrators performing bulk MFA enrollment changes for new joiners or device refresh programs
Microsoft Identity Protection false positives for corporate VPN egress nodes that are flagged as anonymized IPs
SOAR automation accounts triggering inbox rule creation events as part of approved phishing simulation workflows

Elastic Security (EQL)

eql

// T1598.001 — Spearphishing via Service
any where event.dataset : "azure.signinlogs"
  and azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium")
  or (event.dataset : "o365.audit"
    and event.action in ("New-InboxRule", "Set-InboxRule")
    and message : ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"))

medium severity low confidence

Data Sources

Azure Active Directory Microsoft 365

Required Tables

logs-azure.* logs-azure.signinlogs-*

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "risklevelduringsignin" IN ('high', 'medium') OR (LOWER("operationname") ILIKE '%new-inboxrule%' AND LOWER("params") ILIKE '%forwardto%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("risklevelduringsignin" IN ('high', 'medium') OR (LOWER("operationname") ILIKE '%new-inboxrule%' AND LOWER("params") ILIKE '%forwardto%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity

Google Chronicle / SecOps

yaral

rule t1598_001_spearphishing_service {
  meta:
    author = "df00tech"
    description = "Detects post-compromise indicators from spearphishing via third-party services"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1598.001"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_name = "Azure Active Directory"
    $e.security_result.risk_score > 60
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

USER_LOGIN USER_RESOURCE_ACCESS

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1598.001 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

UserLogon ProcessRollup2

False Positives

Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection
Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context
Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity

Spearphishing Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections