T1598.001 Splunk · SPL

Detect Spearphishing Service in Splunk

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. This includes messages sent through social media platforms (LinkedIn, Twitter, Facebook, WhatsApp), personal webmail, and other non-enterprise controlled services. Adversaries create fake personas — often posing as recruiters, colleagues, or vendors — to build rapport with targets and extract credentials, security configurations, VPN details, or other actionable intelligence. Because these messages transit third-party platforms outside the victim's network perimeter, they generate no traditional endpoint or network telemetry on the victim side. Detection must focus on downstream indicators: post-harvest sign-in anomalies, inbox rule changes, MFA modifications, and OAuth consent grants.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1598 Phishing for Information
Sub-technique: T1598.001 Spearphishing Service
Canonical reference: https://attack.mitre.org/techniques/T1598/001/

SPL Detection Query

Splunk (SPL)
```spl
index=o365 sourcetype="o365:management:activity" Operation IN ("New-InboxRule", "Set-InboxRule")
| eval param_names=mvjoin('Parameters{}.Name', " "), params=mvjoin('Parameters{}.Value', " ")
| where match(param_names, "(?i)(forwardto|forwardasattachmentto|redirectto)")
| where NOT match(params, "(?i)(\.onmicrosoft\.com|yourdomain\.com)")
| eval DetectionBranch="InboxForwardingRule", UserAccount=UserId
| table _time, UserAccount, Operation, params, ClientIP, DetectionBranch
| append [
    search index=azure sourcetype="azure:aad:signin" riskLevelDuringSignIn IN ("high", "medium")
    | eval DetectionBranch="HighRiskSignin"
    | eval UserAccount=userPrincipalName
    | eval LocationInfo='location.countryOrRegion'
    | table _time, UserAccount, appDisplayName, ipAddress, LocationInfo, riskState, riskDetail, DetectionBranch
]
| append [
    search index=azure sourcetype="azure:aad:audit" operationName IN ("User registered security info", "User deleted security info", "User changed default security info")
    | eval TargetUser=mvindex('targetResources{}.userPrincipalName', 0)
    | eval InitiatedBy=mvindex('initiatedBy.user.userPrincipalName', 0)
    | eval DetectionBranch="SecurityInfoChanged", UserAccount=TargetUser
    | table _time, UserAccount, operationName, InitiatedBy, result, DetectionBranch
]
| sort - _time
```

Severity: medium · Confidence: low

Multi-branch SPL detection using O365 Management Activity and Azure AD logs to identify post-spearphishing indicators. The primary search targets inbox forwarding rules to external domains in O365 Unified Audit Log. The first append branch captures high-risk Azure AD sign-in events indicating adversary use of harvested credentials. The second append branch detects MFA security info modifications performed by adversaries after obtaining initial access via social media-harvested credentials.

Data Sources

Application Log: Application Log Content
  • Office 365 Management Activity
  • Azure Active Directory Sign-In Logs
  • Azure Active Directory Audit Logs

Required Sourcetypes

  • o365:management:activity
  • azure:aad:signin
  • azure:aad:audit

False Positives & Tuning

  • Users in BYOD environments creating legitimate inbox rules to forward work email to personal free email accounts
  • International employees or frequent travelers triggering high-risk sign-in events from new countries and ASNs
  • IT administrators performing bulk MFA enrollment changes for new joiners or device refresh programs
  • Microsoft Identity Protection false positives for corporate VPN egress nodes that are flagged as anonymized IPs
  • SOAR automation accounts triggering inbox rule creation events as part of approved phishing simulation workflows
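As an added example (not code from this page or from Splunk), the following Python re-implements the three detection branches of the SPL above over constructed sample events, so the logic can be exercised without a Splunk instance and the tuning points from the False Positives list (an allowlist for approved automation accounts, an internal-domain list) sit in one place. It goes one step beyond the SPL in two ways: the forwarding address is parsed and its domain compared exactly rather than excluded by substring match, so a lookalike such as yourdomain.com.example.net is still flagged, and a triage helper lists accounts hit by more than one branch. INTERNAL_DOMAINS, ALLOWLISTED_ACCOUNTS and every sample event are assumptions constructed for the example.

```python
"""Added example, not code from the page or from Splunk: the three SPL branches
re-implemented over constructed events. Field names follow the SPL and the
Splunk add-on sourcetypes; tuning inputs and sample data are assumed."""
import re
from collections import defaultdict

# Assumed tuning inputs (see "False Positives & Tuning"): domains treated as
# internal, and automation accounts whose inbox-rule activity is approved.
INTERNAL_DOMAINS = {"yourdomain.com"}
ALLOWLISTED_ACCOUNTS = {"soar-phishsim@yourdomain.com"}

FORWARD_PARAM = re.compile(r"(?i)^(forwardto|forwardasattachmentto|redirectto)$")
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
SECURITY_INFO_OPS = {"User registered security info", "User deleted security info",
                     "User changed default security info"}

def is_internal(domain):
    """Exact domain comparison, so 'yourdomain.com.example.net' is NOT internal."""
    d = domain.lower()
    return d in INTERNAL_DOMAINS or d.endswith(".onmicrosoft.com")

def inbox_forwarding_rule(event):
    """Branch 1: New-/Set-InboxRule that forwards or redirects to an external address."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    if event.get("UserId", "").lower() in ALLOWLISTED_ACCOUNTS:
        return None
    external = []
    for p in event.get("Parameters", []):  # list of {"Name": ..., "Value": ...}
        if not FORWARD_PARAM.match(p.get("Name", "")):
            continue
        for m in ADDRESS.finditer(str(p.get("Value", ""))):
            if not is_internal(m.group(1)):
                external.append(m.group(0))
    if not external:
        return None
    return {"_time": event["CreationTime"], "UserAccount": event["UserId"],
            "Operation": event["Operation"], "params": ", ".join(external),
            "ClientIP": event.get("ClientIP"), "DetectionBranch": "InboxForwardingRule"}

def high_risk_signin(event):
    """Branch 2: Azure AD sign-in with riskLevelDuringSignIn high or medium."""
    if event.get("riskLevelDuringSignIn") not in ("high", "medium"):
        return None
    return {"_time": event["createdDateTime"], "UserAccount": event["userPrincipalName"],
            "appDisplayName": event.get("appDisplayName"), "ipAddress": event.get("ipAddress"),
            "LocationInfo": event.get("location", {}).get("countryOrRegion"),
            "riskState": event.get("riskState"), "riskDetail": event.get("riskDetail"),
            "DetectionBranch": "HighRiskSignin"}

def security_info_changed(event):
    """Branch 3: MFA security-info registration, deletion or default change."""
    if event.get("operationName") not in SECURITY_INFO_OPS:
        return None
    target = (event.get("targetResources") or [{}])[0]
    initiator = event.get("initiatedBy", {}).get("user", {})
    return {"_time": event["activityDateTime"], "UserAccount": target.get("userPrincipalName"),
            "operationName": event["operationName"], "InitiatedBy": initiator.get("userPrincipalName"),
            "result": event.get("result"), "DetectionBranch": "SecurityInfoChanged"}

BRANCHES = {"o365:management:activity": inbox_forwarding_rule,
            "azure:aad:signin": high_risk_signin,
            "azure:aad:audit": security_info_changed}

def detect(events):
    """Route each (sourcetype, event) to its branch; newest first, like '| sort - _time'.
    Timestamps are ISO-8601 strings, so lexical order is chronological order."""
    findings = [BRANCHES[st](ev) for st, ev in events]
    return sorted((f for f in findings if f), key=lambda f: f["_time"], reverse=True)

def accounts_with_multiple_branches(findings):
    """Triage helper beyond the SPL: accounts that appear in more than one branch."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["UserAccount"]].add(f["DetectionBranch"])
    return {u: sorted(b) for u, b in seen.items() if len(b) > 1}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ("o365:management:activity", {"CreationTime": "2024-05-02T09:14:00", "Operation": "New-InboxRule",
        "UserId": "alice@yourdomain.com", "ClientIP": "198.51.100.23",
        "Parameters": [{"Name": "Name", "Value": "Archive"},
                       {"Name": "ForwardTo", "Value": "[SMTP:recruiter.mail@example.net]"}]}),
    ("o365:management:activity", {"CreationTime": "2024-05-02T08:00:00", "Operation": "New-InboxRule",
        "UserId": "bob@yourdomain.com", "ClientIP": "10.0.0.5",  # internal target: benign
        "Parameters": [{"Name": "RedirectTo", "Value": "[SMTP:shared@yourdomain.com]"}]}),
    ("o365:management:activity", {"CreationTime": "2024-05-02T07:30:00", "Operation": "Set-InboxRule",
        "UserId": "soar-phishsim@yourdomain.com", "ClientIP": "10.0.0.9",  # allowlisted automation
        "Parameters": [{"Name": "ForwardTo", "Value": "[SMTP:sim@example.org]"}]}),
    ("azure:aad:signin", {"createdDateTime": "2024-05-02T09:02:00", "userPrincipalName": "alice@yourdomain.com",
        "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.23",
        "location": {"countryOrRegion": "XX"}, "riskLevelDuringSignIn": "high",
        "riskState": "atRisk", "riskDetail": "none"}),
    ("azure:aad:audit", {"activityDateTime": "2024-05-02T09:05:00", "operationName": "User registered security info",
        "result": "success", "targetResources": [{"userPrincipalName": "alice@yourdomain.com"}],
        "initiatedBy": {"user": {"userPrincipalName": "alice@yourdomain.com"}}}),
]
```

Running detect(SAMPLE_EVENTS) yields three findings, all for alice and ordered newest first (inbox rule, security-info change, high-risk sign-in); bob's redirect to an internal address and the allowlisted automation account produce nothing. The multi-branch helper is the part a responder wants first: one account appearing in all three branches within minutes is a much stronger signal than any single row.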

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Inbox Forwarding Rule Creation — Post-Credential-Harvest Persistence

    Expected signal: Office 365 Unified Audit Log within 5-15 minutes: Operation=New-InboxRule with [email protected] and Parameters containing [email protected]. OfficeActivity table in Microsoft Sentinel ingests this event. Azure AD Audit Log may also show an Exchange Online service action on behalf of the user.

  2. Test 2: MFA Security Info Modification — Post-Harvest Account Takeover

    Expected signal: Azure AD Audit Logs within 2-5 minutes: OperationName=User registered security info with TargetResources showing the test user's UPN and the new method type. AuditLogs table in Microsoft Sentinel ingests this. InitiatedBy will show the admin account performing the action on behalf of the target user.

  3. Test 3: Social Media OSINT Reconnaissance — Pre-Spearphishing Target Research

    Expected signal: No telemetry on victim network — this activity occurs entirely on adversary infrastructure and illustrates why T1598.001 generates zero direct victim-side indicators. If your organization has external brand monitoring (ZeroFox, Constella, Social Links), a mass enumeration of LinkedIn profiles may trigger a brand monitoring alert. DNS queries from the test system to linkedin.com will appear in recursive DNS logs if DNS logging is enabled.

  4. Test 4: Credential Harvesting Page Deployment — Phishing Infrastructure Simulation

    Expected signal: If test users click the phishing link: proxy logs (CommonSecurityLog or web proxy sourcetype) show HTTP GET to the phishing page URL and HTTP POST with form data (captured credential submission). If DNS filtering is deployed, DNS queries to the phishing domain may be blocked and logged. If DLP is monitoring for password-pattern HTTP POSTs to non-corporate domains, a DLP alert fires. GoPhish dashboard records click timestamps and submitted credentials for campaign reporting.
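The proxy-log signal that Test 4 describes can be triaged with a short script. As an added example that is not part of this page, the following Python parses CEF lines (the format CommonSecurityLog carries), flags HTTP POSTs to login-looking paths on hosts outside a corporate domain list, and then counts distinct users per external host, because several users submitting to the same unfamiliar login host is the campaign-level signal worth escalating. The log lines are constructed, and CORPORATE_DOMAINS, the path keyword list and the choice of CEF extension keys the proxy is assumed to emit (rt, suser, src, requestMethod, request, dhost) are assumptions.

```python
"""Added example, not from the page: triage of the proxy-log signal in Test 4.
Parses CEF lines and flags POSTs to login-looking paths on non-corporate hosts.
Sample lines are constructed; CORPORATE_DOMAINS and field usage are assumed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"yourdomain.com", "login.microsoftonline.com"}  # assumed
LOGIN_PATH = re.compile(r"(?i)(login|signin|sign-in|auth|password|credential|verify)")
# CEF extension: key=value pairs separated by spaces; '=' and '\' inside a value
# are backslash-escaped, and values themselves may contain spaces.
CEF_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

def parse_cef(line):
    """Return (the seven header fields, extension dict) for one CEF line."""
    header = line.split("|", 7)
    if len(header) < 8 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext = {k: re.sub(r"\\(.)", r"\1", v) for k, v in CEF_PAIR.findall(header[7])}
    return header[:7], ext

def is_corporate(host):
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)

def credential_post(ext):
    """Flag a POST to a login-looking path on a host outside the corporate list."""
    if ext.get("requestMethod", "").upper() != "POST":
        return None
    url = urlparse(ext.get("request", ""))
    host = (ext.get("dhost") or url.hostname or "").lower()
    if not host or is_corporate(host) or not LOGIN_PATH.search(url.path):
        return None
    return {"time": ext.get("rt"), "user": ext.get("suser"), "src": ext.get("src"),
            "host": host, "url": ext.get("request")}

def triage(lines):
    """Findings plus, per external host, how many distinct users submitted to it."""
    findings = [f for f in (credential_post(parse_cef(l)[1]) for l in lines) if f]
    users_per_host = defaultdict(set)
    for f in findings:
        users_per_host[f["host"]].add(f["user"])
    return findings, {h: len(u) for h, u in users_per_host.items()}

SAMPLE_LINES = [  # constructed proxy events, not real logs
    "CEF:0|Proxy|WebGW|1.0|100|Web Request|3|rt=2024-05-02T09:40:11Z suser=alice src=10.1.4.20 "
    "requestMethod=GET request=https://yourdomain-hr-portal.example.net/login dhost=yourdomain-hr-portal.example.net",
    "CEF:0|Proxy|WebGW|1.0|100|Web Request|3|rt=2024-05-02T09:40:58Z suser=alice src=10.1.4.20 "
    "requestMethod=POST request=https://yourdomain-hr-portal.example.net/login?next\\=/home dhost=yourdomain-hr-portal.example.net",
    "CEF:0|Proxy|WebGW|1.0|100|Web Request|3|rt=2024-05-02T09:43:02Z suser=bob src=10.1.4.31 "
    "requestMethod=POST request=https://yourdomain-hr-portal.example.net/login dhost=yourdomain-hr-portal.example.net",
    "CEF:0|Proxy|WebGW|1.0|100|Web Request|3|rt=2024-05-02T09:45:00Z suser=carol src=10.1.4.40 "
    "requestMethod=POST request=https://login.microsoftonline.com/common/oauth2/token dhost=login.microsoftonline.com",
    "CEF:0|Proxy|WebGW|1.0|100|Web Request|3|rt=2024-05-02T09:47:30Z suser=dave src=10.1.4.52 "
    "requestMethod=POST request=https://files.example.org/api/upload dhost=files.example.org msg=upload ok",
]
```

triage(SAMPLE_LINES) returns the two POSTs by alice and bob to the lookalike HR portal and a per-host count of 2 distinct users for it; the GET, the POST to login.microsoftonline.com and the non-login upload are left alone. The escaped `\=` in the second line is there deliberately: a parser that splits on bare `=` would break the request value, which is exactly the field the detection depends on.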
