Spearphishing Attachment

// Step 1: Identify inbound emails with high-risk attachment types targeting specific users
let HighRiskExtensions = dynamic(["html", "htm", "doc", "docm", "xls", "xlsm", "xlsb", "docx", "xlsx", "rtf", "pdf", "zip", "7z", "iso", "img"]);
let CredentialKeywords = dynamic([
  "password", "credentials", "login", "verify", "account", "secure", "update",
  "invoice", "shared", "document", "review", "confirm", "urgent", "important"
]);
let SuspiciousAttachments = EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in~ (HighRiskExtensions)
| extend FileExtension = tostring(split(FileName, ".")[-1])
| extend IsHighRisk = FileExtension in~ (HighRiskExtensions)
| project NetworkMessageId, FileName, FileType, FileSize, SHA256, Timestamp;
let SuspiciousEmails = EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction !in ("Blocked", "Junked")
| where EmailDirection == "Inbound"
| where isnotempty(SenderFromAddress)
| extend SubjectLower = tolower(Subject)
| extend HasCredentialLure = SubjectLower has_any (CredentialKeywords)
| extend SuspiciousSender = SenderFromDomain != SenderMailFromDomain
| extend FreemailSender = SenderFromDomain in~ ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com", "tutanota.com")
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain, SenderMailFromDomain,
         RecipientEmailAddress, Subject, HasCredentialLure, SuspiciousSender, FreemailSender,
         AuthenticationDetails, DeliveryAction, SpamFilteringVerdict;
// Step 2: Join to find suspicious emails with high-risk attachments
SuspiciousEmails
| join kind=inner SuspiciousAttachments on NetworkMessageId
| extend RiskScore = toint(HasCredentialLure) + toint(SuspiciousSender) + toint(FreemailSender)
| where RiskScore >= 1 or FileType in~ ("html", "htm", "docm", "xlsm", "xlsb")
| project Timestamp, SenderFromAddress, SenderFromDomain, SenderMailFromDomain,
         RecipientEmailAddress, Subject, FileName, FileType, SHA256,
         HasCredentialLure, SuspiciousSender, FreemailSender, RiskScore,
         AuthenticationDetails, DeliveryAction
| sort by Timestamp desc

index=o365 sourcetype="o365:management:activity" Workload=Exchange Operation=MessageReceived
| eval RecipientAddress=lower(coalesce(RecipientAddress, tostring('ExternalAccess.RecipientAddress')))
| eval SenderAddress=lower(coalesce(SenderAddress, ""))
| eval Subject=lower(coalesce(Subject, ""))
| eval AttachmentList=coalesce(AttachmentNames, "")
| eval HasHighRiskAttachment=if(match(AttachmentList, "\.(html?|docm?|xlsm?|xlsb|rtf|iso|img|7z|zip)$"), 1, 0)
| eval HasCredentialLure=if(match(Subject, "(password|credential|login|verify|account|secure|update|invoice|urgent|confirm|review)"), 1, 0)
| eval IsFreemailSender=if(match(SenderAddress, "@(gmail|yahoo|hotmail|outlook|protonmail|tutanota|zoho)\."), 1, 0)
| eval HasHTMLAttachment=if(match(AttachmentList, "\.html?$"), 1, 0)
| eval HasMacroDoc=if(match(AttachmentList, "\.(docm|xlsm|xlsb|xltm)"), 1, 0)
| eval RiskScore=HasHighRiskAttachment + HasCredentialLure + IsFreemailSender + HasHTMLAttachment + HasMacroDoc
| where RiskScore >= 2 OR HasHTMLAttachment=1 OR HasMacroDoc=1
| stats count as MessageCount, 
        values(Subject) as Subjects, 
        values(AttachmentList) as Attachments, 
        dc(RecipientAddress) as UniqueRecipients,
        values(RecipientAddress) as Recipients,
        max(RiskScore) as MaxRiskScore
        by SenderAddress, IsFreemailSender, HasCredentialLure, HasHTMLAttachment, HasMacroDoc
| where UniqueRecipients >= 1
| sort - MaxRiskScore, - MessageCount
| table SenderAddress, Subjects, Attachments, Recipients, UniqueRecipients, MessageCount, MaxRiskScore, HasCredentialLure, HasHTMLAttachment, HasMacroDoc, IsFreemailSender

// T1598.002 — Spearphishing Attachment
any where event.dataset : "o365.exchange"
  and email.direction == "inbound"
  and email.attachments.file.extension : (
    "html", "htm", "doc", "docm", "xls", "xlsm", "xlsb",
    "rtf", "pdf", "zip", "7z", "iso", "img"
  )
  and email.subject : (
    "*password*", "*credentials*", "*login*", "*verify*",
    "*account*", "*secure*", "*update*"
  )

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%credentials%' OR LOWER("subject") ILIKE '%verify%' AND LOWER("attachmentextension") IN ('html','doc','docm','xls','xlsm','zip','iso') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%credentials%' OR LOWER("subject") ILIKE '%verify%' AND LOWER("attachmentextension") IN ('html','doc','docm','xls','xlsm','zip','iso'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

_sourceCategory=*o365* OR _sourceCategory=*exchange*
| json auto
| where emailDirection = "Inbound"
| count by SenderFromAddress, RecipientEmailAddress, Subject

rule t1598_002_spearphishing_attachment {
  meta:
    author = "df00tech"
    description = "Detects Spearphishing Attachment (T1598.002)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1598.002"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.network.email.from != ""
  condition:
    $e
}

#event_simpleName = "EmailDetected"
| Direction = "Inbound"
| case {
    Subject = /password|credential|verify|account/i => TechniqueLabel := "T1598.002 - PhishingKeyword";
    * => TechniqueLabel := "T1598.002 - PhishingAttempt"
  }
| table([@timestamp, ComputerName, SenderAddress, RecipientAddress, Subject, TechniqueLabel])