Detect Spearphishing Link in Microsoft Sentinel
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. The malicious emails contain links to cloned login portals, credential harvesting sites, or adversary-in-the-middle (AiTM) proxy infrastructure such as EvilProxy and Evilginx2. Attackers may also use QR codes (quishing) to bypass email URL scanners, embed tracking pixels and web beacons to verify email delivery and profile victims (IP address, email client, OS), or conduct browser-in-the-browser (BitB) attacks that display fake browser popups mimicking legitimate login pages. URL obfuscation techniques include using the @ symbol (for example http://trusted-looking-text@malicious.com, where the browser treats everything before @ as userinfo and routes the request to malicious.com), integer- or hex-encoded hostnames, and URL shorteners to bypass static block lists. Groups including APT28, Kimsuky, SideWinder, Scattered Spider, Silent Librarian, and Sandworm Team are known to use this technique extensively for credential harvesting before initial access.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1598 Phishing for Information
- Sub-technique: T1598.003 Spearphishing Link
- Canonical reference: https://attack.mitre.org/techniques/T1598/003/
KQL Detection Query
let SuspiciousUrlKeywords = dynamic([
"login", "signin", "secure", "verify", "account", "update",
"portal", "password", "credential", "auth", "oauth", "sso",
"microsoft", "office365", "outlook", "sharepoint", "onedrive",
"google", "dropbox", "docusign", "adobe", "zoom"
]);
let UrlShorteners = dynamic([
"bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl", "short.io",
"tiny.cc", "is.gd", "buff.ly", "rebrand.ly", "cutt.ly"
]);
// Detect suspicious URL clicks from emails — potential credential harvesting or spearphishing
UrlClickEvents
| where Timestamp > ago(24h)
| where ActionType in ("ClickAllowed", "ClickBlocked")
| extend IsUrlShortener = UrlDomain has_any (UrlShorteners)
| extend HasCredentialKeyword = Url has_any (SuspiciousUrlKeywords)
| extend IsIPBasedUrl = UrlDomain matches regex @"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
// Flag '@' only inside the authority component (userinfo before the real host); an '@' in a path or query string is not the obfuscation trick
| extend IsObfuscatedUrl = Url matches regex @"(?i)^https?://[^/?#]*@"
| extend IsHexOrIntegerHost = UrlDomain matches regex @"^0[xX][0-9a-fA-F]+$|^\d{8,10}$"
| extend SuspicionScore = toint(IsUrlShortener) + toint(HasCredentialKeyword) + toint(IsIPBasedUrl) + toint(IsObfuscatedUrl) + toint(IsHexOrIntegerHost)
| where SuspicionScore >= 1 or ActionType == "ClickBlocked"
| join kind=leftouter (
EmailEvents
| where Timestamp > ago(24h)
| project NetworkMessageId, SenderFromAddress, SenderMailFromDomain, Subject, EmailDirection
) on NetworkMessageId
| project Timestamp, AccountUpn, SenderFromAddress, SenderMailFromDomain, Subject, Url, UrlDomain,
ActionType, IsUrlShortener, HasCredentialKeyword, IsIPBasedUrl, IsObfuscatedUrl,
IsHexOrIntegerHost, SuspicionScore
| sort by Timestamp desc
Detects suspicious URL clicks originating from email using the Microsoft 365 Defender UrlClickEvents and EmailEvents tables (available in Microsoft Sentinel via the M365 Defender connector). Identifies potential credential harvesting links by analyzing URL characteristics: use of URL shorteners to bypass static block lists, credential-related keywords in URL paths, IP-based URLs to evade domain reputation systems, URL obfuscation using the @ symbol (where everything before @ is discarded and traffic routes to the domain after @), and hex- or integer-encoded hostnames. Joins with EmailEvents to retrieve sender and subject context. Also surfaces any URL blocked by Microsoft Defender Safe Links regardless of score.
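The same five signals and the keep rule from the query, together with the @-userinfo and numeric-host behaviour described in the opening paragraph, re-implemented offline in Python. This is an added example, not code from this page or from Microsoft's tooling. It parses each URL the way a browser does (RFC 3986 userinfo before @ is discarded, and a hex or decimal host is decoded to its dotted-quad form, which goes beyond the query's 8-to-10-digit pattern), scores the click, keeps it when the score is at least 1 or Safe Links blocked it, and left-joins sender context by NetworkMessageId. The simulation_sender_domains allowlist is an assumed tuning hook for the phishing-simulation false positives discussed in the tuning section, not part of the query. All sample rows, domains and addresses are constructed; the 24-hour window is assumed to be applied by the caller.

```python
"""Added example: offline mirror of the KQL scoring logic (not the page's or Microsoft's code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Same keyword and shortener lists as the KQL query.
SUSPICIOUS_URL_KEYWORDS = {
    "login", "signin", "secure", "verify", "account", "update",
    "portal", "password", "credential", "auth", "oauth", "sso",
    "microsoft", "office365", "outlook", "sharepoint", "onedrive",
    "google", "dropbox", "docusign", "adobe", "zoom",
}
URL_SHORTENERS = {
    "bit.ly", "tinyurl.com", "t.co", "ow.ly", "goo.gl", "short.io",
    "tiny.cc", "is.gd", "buff.ly", "rebrand.ly", "cutt.ly",
}
DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
# '@' inside the authority component only (userinfo); an '@' in the path or query is not the trick.
AUTHORITY_USERINFO = re.compile(r"^https?://[^/?#]*@", re.IGNORECASE)


def decode_numeric_host(host):
    """Decode a hex (0x7f000001) or decimal (2130706433) host to dotted-quad, as a browser would.
    Returns None when the host is not a bare number that fits in 32 bits."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", host):
        value = int(host, 16)
    elif re.fullmatch(r"\d+", host):
        value = int(host, 10)
    else:
        return None
    return str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None


def url_features(url):
    """The five boolean signals and SuspicionScore from the query, plus the host actually contacted."""
    host = urlsplit(url).hostname or ""  # RFC 3986: userinfo before '@' is not part of the host
    terms = set(re.findall(r"[a-z0-9]+", url.lower()))  # approximates KQL has_any term matching
    decoded = decode_numeric_host(host)
    features = {
        "IsUrlShortener": any(host == s or host.endswith("." + s) for s in URL_SHORTENERS),
        "HasCredentialKeyword": bool(terms & SUSPICIOUS_URL_KEYWORDS),
        "IsIPBasedUrl": bool(DOTTED_QUAD.match(host)),
        "IsObfuscatedUrl": bool(AUTHORITY_USERINFO.match(url)),
        "IsHexOrIntegerHost": decoded is not None,
    }
    features["SuspicionScore"] = sum(int(v) for v in features.values())
    features["EffectiveHost"] = decoded or host
    return features


def run_detection(click_events, email_events, simulation_sender_domains=()):
    """Mirror of the pipeline: score, keep if score >= 1 or ClickBlocked, left-join sender context.
    simulation_sender_domains is an assumed tuning allowlist (not in the query) for phishing-simulation
    platforms; the 24h time window is assumed to be applied by the caller."""
    alerts = []
    for ev in click_events:
        if ev["ActionType"] not in ("ClickAllowed", "ClickBlocked"):
            continue
        feats = url_features(ev["Url"])
        if feats["SuspicionScore"] < 1 and ev["ActionType"] != "ClickBlocked":
            continue
        mail = email_events.get(ev["NetworkMessageId"], {})  # leftouter: unmatched rows carry no sender fields
        if mail.get("SenderMailFromDomain") in simulation_sender_domains:
            continue
        alerts.append({**ev, **mail, **feats})
    return sorted(alerts, key=lambda a: a["Timestamp"], reverse=True)


# Constructed sample rows using the UrlClickEvents / EmailEvents columns the query projects (not real telemetry).
CLICK_EVENTS = [
    {"Timestamp": "2024-05-01T09:00:01Z", "AccountUpn": "alice@corp.example", "NetworkMessageId": "msg-001",
     "ActionType": "ClickAllowed", "Url": "http://accounts.google.com@127.0.0.1/login?uid=42"},
    {"Timestamp": "2024-05-01T09:00:02Z", "AccountUpn": "bob@corp.example", "NetworkMessageId": "msg-002",
     "ActionType": "ClickAllowed", "Url": "https://bit.ly/3abcdef"},
    {"Timestamp": "2024-05-01T09:00:03Z", "AccountUpn": "carol@corp.example", "NetworkMessageId": "msg-003",
     "ActionType": "ClickAllowed", "Url": "http://0x7f000001/verify"},
    {"Timestamp": "2024-05-01T09:00:04Z", "AccountUpn": "dave@corp.example", "NetworkMessageId": "msg-004",
     "ActionType": "ClickAllowed", "Url": "https://www.example.test/blog/post-1"},  # benign, score 0
    {"Timestamp": "2024-05-01T09:00:05Z", "AccountUpn": "erin@corp.example", "NetworkMessageId": "msg-005",
     "ActionType": "ClickBlocked", "Url": "https://www.example.test/newsletter"},  # kept: Safe Links blocked it
]
EMAIL_EVENTS = {  # keyed by NetworkMessageId; msg-005 deliberately has no row, exercising the left join
    "msg-001": {"SenderFromAddress": "it-support@microsoft-accounts.example",
                "SenderMailFromDomain": "microsoft-accounts.example", "Subject": "Action required: verify your account"},
    "msg-002": {"SenderFromAddress": "training@phish-sim.example",
                "SenderMailFromDomain": "phish-sim.example", "Subject": "Your package is waiting"},
    "msg-003": {"SenderFromAddress": "noreply@mail.example", "SenderMailFromDomain": "mail.example", "Subject": "Verify"},
    "msg-004": {"SenderFromAddress": "news@example.test", "SenderMailFromDomain": "example.test", "Subject": "Blog digest"},
}

if __name__ == "__main__":
    for a in run_detection(CLICK_EVENTS, EMAIL_EVENTS):
        print(a["Timestamp"], a["NetworkMessageId"], a["ActionType"], a["SuspicionScore"],
              a.get("SenderMailFromDomain", "<no EmailEvents row>"), "->", a["EffectiveHost"])
```

Running the block prints four alerts: the @-obfuscated and IP-based click scores 3 and resolves to 127.0.0.1, the hex host decodes to the same address, the shortener scores 1, and the blocked newsletter click is kept with no sender fields because no EmailEvents row matched. Passing the simulation platform's sender domain in simulation_sender_domains drops the training click, which is the tuning the false-positive list calls for without weakening the scoring itself.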
Data Sources
Required Tables
- UrlClickEvents
- EmailEvents
False Positives & Tuning
- Marketing emails from legitimate vendors using URL shorteners (bit.ly, ow.ly) and click-tracking redirectors for engagement analytics
- Internal security awareness training phishing simulations from platforms such as KnowBe4, Proofpoint Security Awareness Training, or Cofense
- Legitimate SaaS vendor password reset or onboarding emails containing 'login', 'verify', or 'account' keywords in URLs
- Corporate newsletter or HR communication services using URL redirection for open and click tracking
- Automated IT system notifications (Azure AD access reviews, Okta account alerts) containing authentication-related URL keywords
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Phishing Link Click Simulation via Web Request
Expected signal: Network logs: HTTP GET to /login path with URL query parameters matching phishing patterns ('token=', 'verify', 'source=email'). HTTP POST to same domain within seconds containing credential form fields. Web proxy (stream:http, CommonSecurityLog, Zscaler NSS) logs both requests. Endpoint DNS cache (ipconfig /displaydns) shows resolution of the phishing domain. If HTTPS inspection is enabled on the proxy, POST body contents are captured.
- Test 2: Spearphishing Email with Tracking Pixel — SMTP Delivery Test
Expected signal: SMTP server logs: email from '<sender>@<lookalike domain>'. Email HTML body contains: (1) hyperlink to 'login.microsoft-accounts.info' with uid parameter, (2) 1x1 img tag pointing to 'track.microsoft-accounts.info' with recipient-unique uid and timestamp. In Microsoft 365, Defender for Office 365 would process the email and add the URLs to UrlClickEvents when pre-fetched by Safe Links. The X-Mailer header spoofing 'Microsoft Outlook' is an additional header anomaly.
- Test 3: URL Obfuscation via @ Symbol — Redirect Demonstration
Expected signal: Web proxy / NGFW logs: HTTP GET request with URL containing '@' character in the authority component (pattern: http://legit-looking-text@<actual-destination>). The destination IP (127.0.0.1 in test; attacker IP in production) differs from the domain text before @. DNS resolution logs show NO query for 'accounts.google.com' because the browser uses the IP after @. Integer-encoded hostname test generates a connection to a 10-digit number as the host field in proxy logs — no FQDN resolution.
- Test 4: QR Code Phishing (Quishing) URL Generation — Endpoint Detection Test
Expected signal: Endpoint DNS logs: query for 'login.microsoftonline-secure.com' (lookalike domain) from the user's device when the QR code is scanned. Web proxy logs: HTTP GET to the domain with the path '/verify' and credential-related query parameters ('session=MFA-required', 'user='). Since the URL reaches the endpoint only after QR scan (not via email text), Microsoft Defender Safe Links will NOT pre-scan it — the DNS query and proxy GET are the first detection opportunities. Mobile device management (MDM) DNS logs or mobile threat defense (MTD) solutions would capture the domain query from the scanning device.
References
- https://attack.mitre.org/techniques/T1598/003/
- https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
- https://mrd0x.com/browser-in-the-browser-phishing-attack/
- https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
- https://csrc.nist.gov/glossary/term/web_bug
- https://en.ryte.com/wiki/Tracking_Pixel/
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.003/T1598.003.md
- https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials