Detect Spearphishing Attachment in IBM QRadar
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently credentials, from targeted individuals. Unlike T1566 (execution-focused phishing), T1598.002 is a reconnaissance technique where the attachment itself—such as a credential-harvesting Office document, HTML smuggling page, or fake login portal—is designed to capture and exfiltrate user input back to the adversary. Threat actors including Dragonfly, Star Blizzard, and SideCopy have used this pattern to harvest credentials before or alongside intrusion campaigns. Detection focuses on email delivery telemetry, attachment characteristics (Office files with suspicious macros or embedded links, HTML files with form submissions), and anomalous authentication events that may indicate harvested credentials have been used.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Sub-technique
- T1598.002 Spearphishing Attachment
- Canonical reference
- https://attack.mitre.org/techniques/T1598/002/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%credentials%' OR LOWER("subject") ILIKE '%verify%' AND LOWER("attachmentextension") IN ('html','doc','docm','xls','xlsm','zip','iso') THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%credentials%' OR LOWER("subject") ILIKE '%verify%' AND LOWER("attachmentextension") IN ('html','doc','docm','xls','xlsm','zip','iso'))
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Spearphishing Attachment (T1598.002). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate business partners sending signed invoices or HR onboarding documents via freemail addresses (contractors, freelancers)
- Internal IT teams sending security awareness test emails with credential-harvesting lures as part of phishing simulation programs
- Newsletters and marketing emails with HTML attachments that contain form elements for preference updates
- Financial institutions sending account statements as password-protected ZIP archives or PDF attachments with credential-related subjects
Other platforms for T1598.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Generate HTML Smuggling Credential Harvesting Attachment
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with command containing 'Out-File' and 'html'. Sysmon Event ID 11: File Create for T1598002-test-lure.html in %TEMP%. PowerShell ScriptBlock Logging Event ID 4104 captures the full script including the HTML content. No network telemetry unless a real server URL is substituted.
- Test 2Send Spearphishing Email with Macro-Enabled Document Attachment via PowerShell
Expected signal: Exchange MessageTrace log: inbound message with subject 'URGENT: Q1 Invoice Requires Your Review', attachment 'invoice-Q1.xlsm'. Office 365 Management Activity log: MessageReceived operation for the test mailbox. Microsoft Defender for Office 365: SafeAttachments policy evaluates the .xlsm file. If Safe Attachments is configured to detonate, a detonation event appears in Threat Explorer.
- Test 3Phishery-style DOCX with Credential Capture Template Injection
Expected signal: File Create: Sysmon Event ID 11 for the .docx file in %TEMP%. If the file is opened: Sysmon Event ID 3 (Network Connection) from WINWORD.EXE to 127.0.0.1 over SMB port 445 as Windows attempts NTLM authentication to retrieve the template. Sysmon Event ID 22 (DNS Query) if a hostname is used rather than IP. Security Event ID 4624/4625 for the NTLM authentication attempt. In a real attack scenario with a remote attacker IP, Responder or Impacket ntlmrelayx would capture the Net-NTLMv2 hash.
References (10)
- https://attack.mitre.org/techniques/T1598/002/
- https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft
- https://github.com/ryhanson/phishery
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection
- https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.002/T1598.002.md
Unlock Pro Content
Get the full detection package for T1598.002 including response playbook, investigation guide, and atomic red team tests.