T1598.003 Spearphishing Link Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousUrlKeywords = dynamic([
  "login", "signin", "secure", "verify", "account", "update",
  "portal", "password", "credential", "auth", "oauth", "sso",
  "microsoft", "office365", "outlook", "sharepoint", "onedrive",
  "google", "dropbox", "docusign", "adobe", "zoom"
]);
let UrlShorteners = dynamic([
  "bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl", "short.io",
  "tiny.cc", "is.gd", "buff.ly", "rebrand.ly", "cutt.ly"
]);
// Detect suspicious URL clicks from emails — potential credential harvesting or spearphishing
UrlClickEvents
| where Timestamp > ago(24h)
| where ActionType in ("ClickAllowed", "ClickBlocked")
| extend IsUrlShortener = UrlDomain has_any (UrlShorteners)
| extend HasCredentialKeyword = Url has_any (SuspiciousUrlKeywords)
| extend IsIPBasedUrl = UrlDomain matches regex @"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
| extend IsObfuscatedUrl = Url contains "@" and (Url startswith "http://" or Url startswith "https://")
| extend IsHexOrIntegerHost = UrlDomain matches regex @"^0[xX][0-9a-fA-F]+$|^\d{8,10}$"
| extend SuspicionScore = toint(IsUrlShortener) + toint(HasCredentialKeyword) + toint(IsIPBasedUrl) + toint(IsObfuscatedUrl) + toint(IsHexOrIntegerHost)
| where SuspicionScore >= 1 or ActionType == "ClickBlocked"
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(24h)
    | project NetworkMessageId, SenderFromAddress, SenderMailFromDomain, Subject, EmailDirection
) on NetworkMessageId
| project Timestamp, AccountUpn, SenderFromAddress, SenderMailFromDomain, Subject, Url, UrlDomain,
         ActionType, IsUrlShortener, HasCredentialKeyword, IsIPBasedUrl, IsObfuscatedUrl,
         IsHexOrIntegerHost, SuspicionScore
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Microsoft 365 Defender for Office 365 — UrlClickEvents Microsoft 365 Defender for Office 365 — EmailEvents

Required Tables

UrlClickEvents EmailEvents

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking
Automated IT system notifications (Azure AD access reviews, Okta account alerts) containing authentication-related URL keywords

Splunk

spl

index=o365 sourcetype="o365:management:activity" Workload=Exchange
  (Operation="SafeLinksAction" OR Operation="UrlScanResult" OR Operation="TIUrlReputationCheck")
| eval url=coalesce(Url, Urls)
| eval recipient=coalesce(UserId, RecipientAddress)
| eval action=coalesce(Action, Verdict, ThreatStatus)
| where isnotnull(url) AND len(url) > 10
| rex field=url "^https?://(?P<domain>[^/?#]+)"
| eval is_url_shortener=if(match(domain, "(?i)(bit\.ly|tinyurl\.com|t\.co|ow\.ly|goo\.gl|short\.io|tiny\.cc|is\.gd|cutt\.ly|rebrand\.ly)"), 1, 0)
| eval has_cred_keyword=if(match(lower(url), "(login|signin|verify|credential|password|account|secure|auth|oauth|sso|microsoft|office365|outlook|sharepoint|dropbox|docusign|adobe|zoom)"), 1, 0)
| eval is_ip_url=if(match(domain, "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$"), 1, 0)
| eval is_obfuscated=if(match(url, "https?://[^@]+@"), 1, 0)
| eval is_hex_host=if(match(domain, "^0[xX][0-9a-fA-F]+$|^\\d{8,10}$"), 1, 0)
| eval suspicion_score=is_url_shortener + has_cred_keyword + is_ip_url + is_obfuscated + is_hex_host
| where suspicion_score >= 1 OR match(lower(coalesce(action,"")), "(block|phish|malicious|warn)")
| table _time, recipient, url, domain, action, is_url_shortener, has_cred_keyword, is_ip_url, is_obfuscated, suspicion_score
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Office 365 Management Activity API — Exchange Workload

Required Sourcetypes

o365:management:activity

False Positives

Marketing emails from legitimate vendors using URL shorteners and click-tracking redirectors for engagement analytics
Security awareness training phishing simulations (KnowBe4, Proofpoint Security Awareness, Cofense) using internal or external domains
Legitimate password reset emails from SaaS platforms triggering credential-related keyword matches in URL paths
Corporate newsletter or HR communication services with URL redirection for open and click tracking
Automated vendor onboarding emails with SSO or OAuth links matching authentication keyword patterns

Elastic Security (EQL)

eql

// T1598.003 — Spearphishing Link
any where event.dataset : "o365.exchange"
  and email.direction == "inbound"
  and email.links.url.full : (
    "*login*", "*signin*", "*secure*", "*verify*", "*account*",
    "*credential*", "*auth*", "*oauth*", "*sso*",
    "*microsoft*", "*office365*", "*sharepoint*"
  )
  and not email.sender.address : (
    "*@microsoft.com", "*@office.com", "*@google.com",
    "*@amazon.com", "*@github.com"
  )

high severity medium confidence

Data Sources

Azure Active Directory Microsoft 365

Required Tables

logs-azure.* logs-azure.signinlogs-*

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("subject") ILIKE '%verify%' OR LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%secure%' AND LOWER("urlsinsidebody") ILIKE '%login%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("subject") ILIKE '%verify%' OR LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%secure%' AND LOWER("urlsinsidebody") ILIKE '%login%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking

Google Chronicle / SecOps

yaral

rule t1598_003_spearphishing_link {
  meta:
    author = "df00tech"
    description = "Detects Spearphishing Link (T1598.003)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1598.003"
    confidence = "medium"
    severity = "high"
  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

USER_LOGIN USER_RESOURCE_ACCESS

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "EmailDetected"
| Direction = "Inbound"
| case {
    Subject = /password|credential|verify|account/i => TechniqueLabel := "T1598.003 - PhishingKeyword";
    * => TechniqueLabel := "T1598.003 - PhishingAttempt"
  }
| table([@timestamp, ComputerName, SenderAddress, RecipientAddress, Subject, TechniqueLabel])

high severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

UserLogon ProcessRollup2

False Positives

Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
Corporate newsletter or HR communication services using URL redirection for open and click tracking

Spearphishing Link

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections