Detect Spearphishing Link in IBM QRadar
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. The malicious emails contain links to clone login portals, credential harvesting sites, or adversary-in-the-middle (AiTM) proxy infrastructure such as EvilProxy and Evilginx2. Attackers may also use QR codes (quishing) to bypass email URL scanners, embed tracking pixels and web beacons to verify email delivery and profile victims (IP address, email client, OS), or conduct browser-in-the-browser (BitB) attacks that display fake browser popups mimicking legitimate login pages. URL obfuscation techniques include using the @ symbol (http://[email protected] routes to malicious.com), integer- or hex-encoded hostnames, and URL shorteners to bypass static block lists. Groups including APT28, Kimsuky, Sidewinder, Scattered Spider, Silent Librarian, and Sandworm Team are known to use this technique extensively for credential harvesting before initial access.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Sub-technique
- T1598.003 Spearphishing Link
- Canonical reference
- https://attack.mitre.org/techniques/T1598/003/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("subject") ILIKE '%verify%' OR LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%secure%' AND LOWER("urlsinsidebody") ILIKE '%login%' THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("subject") ILIKE '%verify%' OR LOWER("subject") ILIKE '%password%' OR LOWER("subject") ILIKE '%secure%' AND LOWER("urlsinsidebody") ILIKE '%login%')
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Spearphishing Link (T1598.003). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
- Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
- Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
- Corporate newsletter or HR communication services using URL redirection for open and click tracking
Other platforms for T1598.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Phishing Link Click Simulation via Web Request
Expected signal: Network logs: HTTP GET to /login path with URL query parameters matching phishing patterns ('token=', 'verify', 'source=email'). HTTP POST to same domain within seconds containing credential form fields. Web proxy (stream:http, CommonSecurityLog, Zscaler NSS) logs both requests. Endpoint DNS cache (ipconfig /displaydns) shows resolution of the phishing domain. If HTTPS inspection is enabled on the proxy, POST body contents are captured.
- Test 2Spearphishing Email with Tracking Pixel — SMTP Delivery Test
Expected signal: SMTP server logs: email from '[email protected]' (lookalike domain). Email HTML body contains: (1) hyperlink to 'login.microsoft-accounts.info' with uid parameter, (2) 1x1 img tag pointing to 'track.microsoft-accounts.info' with recipient-unique uid and timestamp. In Microsoft 365, Defender for Office 365 would process the email and add the URLs to UrlClickEvents when pre-fetched by Safe Links. The X-Mailer spoofing 'Microsoft Outlook' is an additional header anomaly.
- Test 3URL Obfuscation via @ Symbol — Redirect Demonstration
Expected signal: Web proxy / NGFW logs: HTTP GET request with URL containing '@' character in the authority component (pattern: http://legit-looking-text@<actual-destination>). The destination IP (127.0.0.1 in test; attacker IP in production) differs from the domain text before @. DNS resolution logs show NO query for 'accounts.google.com' because the browser uses the IP after @. Integer-encoded hostname test generates a connection to a 10-digit number as the host field in proxy logs — no FQDN resolution.
- Test 4QR Code Phishing (Quishing) URL Generation — Endpoint Detection Test
Expected signal: Endpoint DNS logs: query for 'login.microsoftonline-secure.com' (lookalike domain) from the user's device when the QR code is scanned. Web proxy logs: HTTP GET to the domain with the path '/verify' and credential-related query parameters ('session=MFA-required', 'user='). Since the URL reaches the endpoint only after QR scan (not via email text), Microsoft Defender Safe Links will NOT pre-scan it — the DNS query and proxy GET are the first detection opportunities. Mobile device management (MDM) DNS logs or mobile threat defense (MTD) solutions would capture the domain query from the scanning device.
References (12)
- https://attack.mitre.org/techniques/T1598/003/
- https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
- https://mrd0x.com/browser-in-the-browser-phishing-attack/
- https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
- https://csrc.nist.gov/glossary/term/web_bug
- https://en.ryte.com/wiki/Tracking_Pixel/
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.003/T1598.003.md
- https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials
Unlock Pro Content
Get the full detection package for T1598.003 including response playbook, investigation guide, and atomic red team tests.