Detect Spearphishing Attachment in Splunk
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information, frequently credentials, from targeted individuals. Unlike T1566 (execution-focused phishing), T1598.002 is a reconnaissance technique where the attachment itself—such as a credential-harvesting Office document, HTML smuggling page, or fake login portal—is designed to capture and exfiltrate user input back to the adversary. Threat actors including Dragonfly, Star Blizzard, and SideCopy have used this pattern to harvest credentials before or alongside intrusion campaigns. Detection focuses on email delivery telemetry, attachment characteristics (Office files with suspicious macros or embedded links, HTML files with form submissions), and anomalous authentication events that may indicate harvested credentials have been used.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Sub-technique
- T1598.002 Spearphishing Attachment
- Canonical reference
- https://attack.mitre.org/techniques/T1598/002/
SPL Detection Query
index=o365 sourcetype="o365:management:activity" Workload=Exchange Operation=MessageReceived
| eval RecipientAddress=lower(coalesce(RecipientAddress, tostring('ExternalAccess.RecipientAddress')))
| eval SenderAddress=lower(coalesce(SenderAddress, ""))
| eval Subject=lower(coalesce(Subject, ""))
| eval AttachmentList=coalesce(AttachmentNames, "")
| eval HasHighRiskAttachment=if(match(AttachmentList, "\.(html?|docm?|xlsm?|xlsb|rtf|iso|img|7z|zip)$"), 1, 0)
| eval HasCredentialLure=if(match(Subject, "(password|credential|login|verify|account|secure|update|invoice|urgent|confirm|review)"), 1, 0)
| eval IsFreemailSender=if(match(SenderAddress, "@(gmail|yahoo|hotmail|outlook|protonmail|tutanota|zoho)\."), 1, 0)
| eval HasHTMLAttachment=if(match(AttachmentList, "\.html?$"), 1, 0)
| eval HasMacroDoc=if(match(AttachmentList, "\.(docm|xlsm|xlsb|xltm)"), 1, 0)
| eval RiskScore=HasHighRiskAttachment + HasCredentialLure + IsFreemailSender + HasHTMLAttachment + HasMacroDoc
| where RiskScore >= 2 OR HasHTMLAttachment=1 OR HasMacroDoc=1
| stats count as MessageCount,
values(Subject) as Subjects,
values(AttachmentList) as Attachments,
dc(RecipientAddress) as UniqueRecipients,
values(RecipientAddress) as Recipients,
max(RiskScore) as MaxRiskScore
by SenderAddress, IsFreemailSender, HasCredentialLure, HasHTMLAttachment, HasMacroDoc
| where UniqueRecipients >= 1
| sort - MaxRiskScore, - MessageCount
| table SenderAddress, Subjects, Attachments, Recipients, UniqueRecipients, MessageCount, MaxRiskScore, HasCredentialLure, HasHTMLAttachment, HasMacroDoc, IsFreemailSenderDetects spearphishing attachment delivery using Office 365 Management Activity logs ingested into Splunk. Identifies inbound messages with high-risk attachment types (HTML files for credential harvesting/HTML smuggling, macro-enabled Office documents), credential-lure keywords in subjects, and freemail sender domains. Risk scoring prioritizes alerts by aggregating multiple suspicious indicators. Groups by sender to identify targeted campaigns delivering to multiple recipients.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate external partners and contractors sending business documents via personal email addresses
- IT security teams running authorized phishing simulation campaigns (KnowBe4, Proofpoint Security Awareness, Cofense)
- HR systems sending onboarding documents with credential-related subjects to new employees
- Vendor invoicing systems that send macro-enabled Excel files for billing purposes
Other platforms for T1598.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Generate HTML Smuggling Credential Harvesting Attachment
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with command containing 'Out-File' and 'html'. Sysmon Event ID 11: File Create for T1598002-test-lure.html in %TEMP%. PowerShell ScriptBlock Logging Event ID 4104 captures the full script including the HTML content. No network telemetry unless a real server URL is substituted.
- Test 2Send Spearphishing Email with Macro-Enabled Document Attachment via PowerShell
Expected signal: Exchange MessageTrace log: inbound message with subject 'URGENT: Q1 Invoice Requires Your Review', attachment 'invoice-Q1.xlsm'. Office 365 Management Activity log: MessageReceived operation for the test mailbox. Microsoft Defender for Office 365: SafeAttachments policy evaluates the .xlsm file. If Safe Attachments is configured to detonate, a detonation event appears in Threat Explorer.
- Test 3Phishery-style DOCX with Credential Capture Template Injection
Expected signal: File Create: Sysmon Event ID 11 for the .docx file in %TEMP%. If the file is opened: Sysmon Event ID 3 (Network Connection) from WINWORD.EXE to 127.0.0.1 over SMB port 445 as Windows attempts NTLM authentication to retrieve the template. Sysmon Event ID 22 (DNS Query) if a hostname is used rather than IP. Security Event ID 4624/4625 for the NTLM authentication attempt. In a real attack scenario with a remote attacker IP, Responder or Impacket ntlmrelayx would capture the Net-NTLMv2 hash.
References (10)
- https://attack.mitre.org/techniques/T1598/002/
- https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
- https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft
- https://github.com/ryhanson/phishery
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection
- https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.002/T1598.002.md
Unlock Pro Content
Get the full detection package for T1598.002 including response playbook, investigation guide, and atomic red team tests.