T1598.003 CrowdStrike LogScale · LogScale

Detect Spearphishing Link in CrowdStrike LogScale

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. The malicious emails contain links to clone login portals, credential harvesting sites, or adversary-in-the-middle (AiTM) proxy infrastructure such as EvilProxy and Evilginx2. Attackers may also use QR codes (quishing) to bypass email URL scanners, embed tracking pixels and web beacons to verify email delivery and profile victims (IP address, email client, OS), or conduct browser-in-the-browser (BitB) attacks that display fake browser popups mimicking legitimate login pages. URL obfuscation techniques include using the @ symbol (http://[email protected] routes to malicious.com), integer- or hex-encoded hostnames, and URL shorteners to bypass static block lists. Groups including APT28, Kimsuky, Sidewinder, Scattered Spider, Silent Librarian, and Sandworm Team are known to use this technique extensively for credential harvesting before initial access.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1598 Phishing for Information
Sub-technique
T1598.003 Spearphishing Link
Canonical reference
https://attack.mitre.org/techniques/T1598/003/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = "EmailDetected"
| Direction = "Inbound"
| case {
    Subject = /password|credential|verify|account/i => TechniqueLabel := "T1598.003 - PhishingKeyword";
    * => TechniqueLabel := "T1598.003 - PhishingAttempt"
  }
| table([@timestamp, ComputerName, SenderAddress, RecipientAddress, Subject, TechniqueLabel])
high severity medium confidence

CrowdStrike LogScale (Falcon) CQL detection for Spearphishing Link (T1598.003). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.

Data Sources

CrowdStrike FalconCrowdStrike LogScale

Required Tables

UserLogonProcessRollup2

False Positives & Tuning

  • Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
  • Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
  • Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
  • Corporate newsletter or HR communication services using URL redirection for open and click tracking
Download portable Sigma rule (.yml)

Other platforms for T1598.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Phishing Link Click Simulation via Web Request

    Expected signal: Network logs: HTTP GET to /login path with URL query parameters matching phishing patterns ('token=', 'verify', 'source=email'). HTTP POST to same domain within seconds containing credential form fields. Web proxy (stream:http, CommonSecurityLog, Zscaler NSS) logs both requests. Endpoint DNS cache (ipconfig /displaydns) shows resolution of the phishing domain. If HTTPS inspection is enabled on the proxy, POST body contents are captured.

  2. Test 2Spearphishing Email with Tracking Pixel — SMTP Delivery Test

    Expected signal: SMTP server logs: email from '[email protected]' (lookalike domain). Email HTML body contains: (1) hyperlink to 'login.microsoft-accounts.info' with uid parameter, (2) 1x1 img tag pointing to 'track.microsoft-accounts.info' with recipient-unique uid and timestamp. In Microsoft 365, Defender for Office 365 would process the email and add the URLs to UrlClickEvents when pre-fetched by Safe Links. The X-Mailer spoofing 'Microsoft Outlook' is an additional header anomaly.

  3. Test 3URL Obfuscation via @ Symbol — Redirect Demonstration

    Expected signal: Web proxy / NGFW logs: HTTP GET request with URL containing '@' character in the authority component (pattern: http://legit-looking-text@<actual-destination>). The destination IP (127.0.0.1 in test; attacker IP in production) differs from the domain text before @. DNS resolution logs show NO query for 'accounts.google.com' because the browser uses the IP after @. Integer-encoded hostname test generates a connection to a 10-digit number as the host field in proxy logs — no FQDN resolution.

  4. Test 4QR Code Phishing (Quishing) URL Generation — Endpoint Detection Test

    Expected signal: Endpoint DNS logs: query for 'login.microsoftonline-secure.com' (lookalike domain) from the user's device when the QR code is scanned. Web proxy logs: HTTP GET to the domain with the path '/verify' and credential-related query parameters ('session=MFA-required', 'user='). Since the URL reaches the endpoint only after QR scan (not via email text), Microsoft Defender Safe Links will NOT pre-scan it — the DNS query and proxy GET are the first detection opportunities. Mobile device management (MDM) DNS logs or mobile threat defense (MTD) solutions would capture the domain query from the scanning device.

Last updated: 2026-03-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1598.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1598Phishing for Information

Related Sub-techniques

T1598.001Spearphishing ServiceT1598.002Spearphishing AttachmentT1598.004Spearphishing Voice

Related Techniques

T1598Phishing for InformationT1598.001Spearphishing ServiceT1598.002Spearphishing AttachmentT1566.002Spearphishing LinkT1539Steal Web Session CookieT1550.004Web Session CookieT1556.006Multi-Factor AuthenticationT1078.004Cloud AccountsT1585.002Email AccountsT1586.002Email Accounts

Same Tactic: Reconnaissance

Popular Detections