Detect Spearphishing Attachment in Microsoft Sentinel
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently credentials, from targeted individuals. Unlike T1566 (execution-focused phishing), T1598.002 is a reconnaissance technique where the attachment itself—such as a credential-harvesting Office document, HTML smuggling page, or fake login portal—is designed to capture and exfiltrate user input back to the adversary. Threat actors including Dragonfly, Star Blizzard, and SideCopy have used this pattern to harvest credentials before or alongside intrusion campaigns. Detection focuses on email delivery telemetry, attachment characteristics (Office files with suspicious macros or embedded links, HTML files with form submissions), and anomalous authentication events that may indicate harvested credentials have been used.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Sub-technique
- T1598.002 Spearphishing Attachment
- Canonical reference
- https://attack.mitre.org/techniques/T1598/002/
KQL Detection Query
// Step 1: Identify inbound attachments of high-risk types. Check both the content-derived FileType
// and the file-name extension; they differ for double extensions such as invoice.pdf.html
let HighRiskExtensions = dynamic(["html", "htm", "doc", "docm", "xls", "xlsm", "xlsb", "docx", "xlsx", "rtf", "pdf", "zip", "7z", "iso", "img"]);
let CredentialKeywords = dynamic([
    "password", "credentials", "login", "verify", "account", "secure", "update",
    "invoice", "shared", "document", "review", "confirm", "urgent", "important"
]);
let SuspiciousAttachments = EmailAttachmentInfo
    | where Timestamp > ago(7d)
    | extend FileExtension = tolower(extract(@"\.([^.]+)$", 1, FileName))
    | where FileType in~ (HighRiskExtensions) or FileExtension in~ (HighRiskExtensions)
    | project NetworkMessageId, FileName, FileType, FileExtension, FileSize, SHA256;
// Step 2: Inbound mail that actually reached a mailbox (blocked and junked mail is out of scope for this rule),
// with sender and lure signals
let SuspiciousEmails = EmailEvents
    | where Timestamp > ago(7d)
    | where EmailDirection == "Inbound"
    | where DeliveryAction !in ("Blocked", "Junked")
    | where isnotempty(SenderFromAddress)
    // has_any is case-insensitive and term-based, so no tolower() is needed
    | extend HasCredentialLure = Subject has_any (CredentialKeywords)
    // Header From domain vs envelope MAIL FROM domain: a mismatch is one spoofing signal,
    // but legitimate bulk senders and mailing services trigger it too
    | extend SuspiciousSender = SenderFromDomain !~ SenderMailFromDomain
    | extend FreemailSender = SenderFromDomain in~ ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com", "tutanota.com")
    | project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain, SenderMailFromDomain,
        RecipientEmailAddress, Subject, HasCredentialLure, SuspiciousSender, FreemailSender,
        AuthenticationDetails, DeliveryAction;
// Step 3: Join and score. HTML and macro-enabled Office attachments surface even with a zero score
SuspiciousEmails
| join kind=inner SuspiciousAttachments on NetworkMessageId
| extend RiskScore = iff(HasCredentialLure, 1, 0) + iff(SuspiciousSender, 1, 0) + iff(FreemailSender, 1, 0)
| where RiskScore >= 1
    or FileType in~ ("html", "htm", "docm", "xlsm", "xlsb")
    or FileExtension in~ ("html", "htm", "docm", "xlsm", "xlsb")
| project Timestamp, SenderFromAddress, SenderFromDomain, SenderMailFromDomain,
    RecipientEmailAddress, Subject, FileName, FileType, FileExtension, SHA256,
    HasCredentialLure, SuspiciousSender, FreemailSender, RiskScore,
    AuthenticationDetails, DeliveryAction
| sort by Timestamp desc
Detects inbound spearphishing emails carrying suspicious attachments, using the Microsoft Defender XDR (formerly Microsoft 365 Defender) Advanced Hunting tables EmailEvents and EmailAttachmentInfo. It flags high-risk attachment types (HTML files used for smuggling or for an embedded login form, macro-enabled Office documents, archives and disk images), credential-lure keywords in the subject line, a mismatch between the header From domain and the envelope MAIL FROM domain (a spoofing indicator that legitimate bulk senders also trigger), and freemail sender domains, then combines these into a simple risk score so that analysts triage the highest-scoring messages first. Only mail that reached a mailbox is considered; blocked and junked messages are already handled by the filtering stack, so the rule is a post-delivery safety net rather than a replacement for anti-phishing policies. Requires Defender for Office 365 email telemetry in Advanced Hunting, which reaches Sentinel through the Microsoft Defender XDR connector.
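The query above ends at delivery, but the introduction also names anomalous authentication events as the signal that harvested credentials are being replayed. The following is an added example, not part of the original detection package, that takes the recipients of delivered high-risk attachments and looks for Microsoft Entra ID sign-ins by those users in the 72 hours after delivery, either from an IP address the user had not signed in from during the preceding 30 days or with a medium/high sign-in risk. It assumes the Entra ID SigninLogs connector is enabled in Sentinel and that the recipient mailbox address equals the user's UserPrincipalName; the 72-hour and 30-day windows are illustrative.

```kql
// Added example (not the page's query): recipients of a delivered high-risk attachment who then sign in
// from an IP not seen for them in the prior 30 days, or with Entra ID sign-in risk, within 72 hours.
// Assumes the Entra ID SigninLogs connector is enabled in Sentinel and that mailbox address == UPN.
let lookback = 7d;
let followup = 72h;
let HighRiskTypes = dynamic(["html", "htm", "doc", "docm", "xls", "xlsm", "xlsb", "rtf"]);
let Deliveries = EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType in~ (HighRiskTypes)
    | project NetworkMessageId, FileName, FileType, SHA256
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where EmailDirection == "Inbound" and DeliveryAction !in ("Blocked", "Junked")
        | project DeliveredAt = Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject
      ) on NetworkMessageId
    | project-away NetworkMessageId1
    | extend UserPrincipalName = tolower(RecipientEmailAddress);
// Baseline of source IPs per user, built from successful sign-ins before the lookback window
let BaselineIPs = SigninLogs
    | where TimeGenerated between (ago(30d + lookback) .. ago(lookback))
    | where ResultType == "0"
    | summarize KnownIPs = make_set(IPAddress, 500) by UserPrincipalName = tolower(UserPrincipalName);
Deliveries
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | project SignInAt = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, Location, AppDisplayName, ResultType, RiskLevelDuringSignIn
  ) on UserPrincipalName
| project-away UserPrincipalName1
// Keep only sign-ins that follow the delivery within the replay window
| where SignInAt between (DeliveredAt .. (DeliveredAt + followup))
| join kind=leftouter BaselineIPs on UserPrincipalName
| project-away UserPrincipalName1
// A user with no baseline at all (new or rarely active) is treated as signing in from a new IP
| extend NewIP = iff(isnull(KnownIPs), true, not(set_has_element(KnownIPs, IPAddress)))
| where NewIP or RiskLevelDuringSignIn in~ ("medium", "high")
| project DeliveredAt, SignInAt, MinutesAfterDelivery = datetime_diff("minute", SignInAt, DeliveredAt),
          UserPrincipalName, SenderFromAddress, Subject, FileName, FileType, SHA256,
          IPAddress, Location, AppDisplayName, ResultType, RiskLevelDuringSignIn, NewIP
| sort by SignInAt desc
```

Failed sign-ins (ResultType other than "0") are deliberately kept: a burst of failures from a new IP shortly after delivery is the attacker testing harvested credentials against a password that has since been changed, and is worth the same triage as a success. Pair this with the delivery rule rather than replacing it; this query only fires once the credential is used, by which point the mailbox and any attachment hashes should already be in the investigation.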
Data Sources
Required Tables
- EmailEvents (Microsoft Defender for Office 365, via the Microsoft Defender XDR connector)
- EmailAttachmentInfo (Microsoft Defender for Office 365, via the Microsoft Defender XDR connector)
False Positives & Tuning
- Legitimate business partners sending signed invoices or HR onboarding documents via freemail addresses (contractors, freelancers)
- Internal IT teams sending security awareness test emails with credential-harvesting lures as part of phishing simulation programs
- Newsletters and marketing emails with HTML attachments that contain form elements for preference updates
- Financial institutions sending account statements as password-protected ZIP archives or PDF attachments with credential-related subjects
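The following is an added tuning example, not the page's own query, that applies the suppressions the list above calls for to the base detection: a Sentinel watchlist of phishing-simulation sender domains, a watchlist of vetted external senders who legitimately use freemail, a bulk-complaint-level cut-off for newsletters, and a rule that the From/MAIL FROM mismatch only counts when DMARC did not pass, so an authenticated bank or HR platform with "account" in the subject is not scored as a spoof. It also collapses results per campaign so one sender/subject/attachment hitting many mailboxes is one alert. The watchlist names PhishSimSenders and TrustedExternalSenders and the score thresholds are assumptions.

```kql
// Added example (not the page's query): the base detection with the tuning the false-positive list calls for.
// The watchlist names PhishSimSenders and TrustedExternalSenders are assumptions; create them in Sentinel
// with the domain / address in the SearchKey column, or replace the _GetWatchlist() calls with a datatable().
let CredentialKeywords = dynamic(["password", "credentials", "login", "verify", "account", "secure", "update",
                                  "invoice", "shared", "document", "review", "confirm", "urgent", "important"]);
let Freemail = dynamic(["gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com", "tutanota.com"]);
// Phishing-simulation platforms and the internal awareness team: suppressed by sender domain
let SimulationDomains = _GetWatchlist('PhishSimSenders') | project Domain = tolower(SearchKey);
// Vetted contractors/partners who legitimately send from freemail: suppressed by full address
let TrustedSenders = _GetWatchlist('TrustedExternalSenders') | project Address = tolower(SearchKey);
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound" and DeliveryAction !in ("Blocked", "Junked")
| where tolower(SenderFromDomain) !in (SimulationDomains)
| where tolower(SenderFromAddress) !in (TrustedSenders)
// Newsletters and marketing mail carry a bulk complaint level; the cut-off is tunable
| where BulkComplaintLevel < 4
// AuthenticationDetails is a JSON string such as {"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}
| extend Auth = parse_json(AuthenticationDetails)
| extend DmarcPass = tostring(Auth.DMARC) =~ "pass"
| extend HasCredentialLure = Subject has_any (CredentialKeywords)
// A From / MAIL FROM domain mismatch only counts when DMARC did not pass; aligned bulk senders mismatch legitimately
| extend SuspiciousSender = SenderFromDomain !~ SenderMailFromDomain and not(DmarcPass)
| extend FreemailSender = SenderFromDomain in~ (Freemail)
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(7d)
    | extend FileExtension = tolower(extract(@"\.([^.]+)$", 1, FileName))
    | project NetworkMessageId, FileName, FileType, FileExtension, SHA256
  ) on NetworkMessageId
// Attachment types that can themselves carry a credential form or a template injection
| extend ActiveContent = FileType in~ ("html", "htm", "doc", "docm", "xls", "xlsm", "xlsb", "rtf")
                         or FileExtension in~ ("html", "htm", "doc", "docm", "xls", "xlsm", "xlsb", "rtf")
// Active content or an unauthenticated spoof is enough on its own; a PDF or ZIP from a DMARC-aligned sender
// (the bank-statement case) needs a lure keyword plus a freemail sender before it scores
| extend RiskScore = iff(ActiveContent, 2, 0) + iff(SuspiciousSender, 2, 0)
                   + iff(HasCredentialLure, 1, 0) + iff(FreemailSender, 1, 0)
| where RiskScore >= 2
// Collapse per campaign: one sender/subject/attachment hitting many mailboxes becomes one alert, ranked by spread
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Recipients = dcount(RecipientEmailAddress), RecipientSample = make_set(RecipientEmailAddress, 10),
            MaxRisk = max(RiskScore)
    by SenderFromAddress, Subject, FileName, FileType, SHA256, DmarcPass
| sort by MaxRisk desc, Recipients desc
```

Review the two watchlists on a schedule: a simulation vendor's sending domain is exactly what a real attacker would like to be allow-listed as, so entries should be tied to a named owner and an expiry, and the DmarcPass column is kept in the output so an analyst can see at a glance whether a high-scoring campaign is spoofed or sent from infrastructure the attacker controls.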
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Generate HTML Smuggling Credential Harvesting Attachment
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe with a command line containing 'Out-File' and 'html'. Sysmon Event ID 11 (File Create) for T1598002-test-lure.html in %TEMP%. PowerShell ScriptBlock Logging (Event ID 4104) captures the full script including the HTML content. No network telemetry unless a real collection-server URL is substituted into the form action.
- Test 2: Send Spearphishing Email with Macro-Enabled Document Attachment via PowerShell
Expected signal: Exchange Online message trace: inbound message with subject 'URGENT: Q1 Invoice Requires Your Review' and attachment 'invoice-Q1.xlsm'. Office 365 Management Activity log: MessageReceived operation for the test mailbox. Microsoft Defender for Office 365: the Safe Attachments policy evaluates the .xlsm file; if Safe Attachments is configured to detonate, a detonation event appears in Threat Explorer, and the message shows up in EmailEvents and EmailAttachmentInfo with FileType 'xlsm', which is what the detection query keys on.
- Test 3: Phishery-style DOCX with Credential Capture Template Injection
Expected signal: Sysmon Event ID 11 (File Create) for the .docx in %TEMP%. When the file is opened, WINWORD.EXE fetches the attached-template URL injected into word/_rels/settings.xml.rels. Phishery itself serves that URL over HTTPS and answers with a 401 Basic-auth challenge, so expect Sysmon Event ID 3 (Network Connection) from WINWORD.EXE to the configured listener (127.0.0.1 in the local test) and a credential prompt inside Word; whatever the user types arrives at the phishery console in cleartext. If the template URL is instead a UNC path, Word attempts SMB on port 445 and authenticates with NTLM: expect Sysmon Event ID 3 to port 445, Sysmon Event ID 22 (DNS Query) when a hostname rather than an IP is used, Security Event ID 4624/4625 on the target host for the NTLM attempt, and, in a real attack with a remote attacker host, Responder or Impacket ntlmrelayx capturing the Net-NTLMv2 hash. Neither variant produces a detection hit on its own if the document is created locally; mail the file to a test mailbox to exercise the query.
References
- https://attack.mitre.org/techniques/T1598/002/
- https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft
- https://github.com/ryhanson/phishery
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection
- https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.002/T1598.002.md