Detect Spearphishing Link in Splunk
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. The malicious emails contain links to clone login portals, credential harvesting sites, or adversary-in-the-middle (AiTM) proxy infrastructure such as EvilProxy and Evilginx2. Attackers may also use QR codes (quishing) to bypass email URL scanners, embed tracking pixels and web beacons to verify email delivery and profile victims (IP address, email client, OS), or conduct browser-in-the-browser (BitB) attacks that display fake browser popups mimicking legitimate login pages. URL obfuscation techniques include using the @ symbol (http://[email protected] routes to malicious.com), integer- or hex-encoded hostnames, and URL shorteners to bypass static block lists. Groups including APT28, Kimsuky, Sidewinder, Scattered Spider, Silent Librarian, and Sandworm Team are known to use this technique extensively for credential harvesting before initial access.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Sub-technique
- T1598.003 Spearphishing Link
- Canonical reference
- https://attack.mitre.org/techniques/T1598/003/
SPL Detection Query
index=o365 sourcetype="o365:management:activity" Workload=Exchange
(Operation="SafeLinksAction" OR Operation="UrlScanResult" OR Operation="TIUrlReputationCheck")
| eval url=coalesce(Url, Urls)
| eval recipient=coalesce(UserId, RecipientAddress)
| eval action=coalesce(Action, Verdict, ThreatStatus)
| where isnotnull(url) AND len(url) > 10
| rex field=url "^https?://(?P<domain>[^/?#]+)"
| eval is_url_shortener=if(match(domain, "(?i)(bit\.ly|tinyurl\.com|t\.co|ow\.ly|goo\.gl|short\.io|tiny\.cc|is\.gd|cutt\.ly|rebrand\.ly)"), 1, 0)
| eval has_cred_keyword=if(match(lower(url), "(login|signin|verify|credential|password|account|secure|auth|oauth|sso|microsoft|office365|outlook|sharepoint|dropbox|docusign|adobe|zoom)"), 1, 0)
| eval is_ip_url=if(match(domain, "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$"), 1, 0)
| eval is_obfuscated=if(match(url, "https?://[^@]+@"), 1, 0)
| eval is_hex_host=if(match(domain, "^0[xX][0-9a-fA-F]+$|^\\d{8,10}$"), 1, 0)
| eval suspicion_score=is_url_shortener + has_cred_keyword + is_ip_url + is_obfuscated + is_hex_host
| where suspicion_score >= 1 OR match(lower(coalesce(action,"")), "(block|phish|malicious|warn)")
| table _time, recipient, url, domain, action, is_url_shortener, has_cred_keyword, is_ip_url, is_obfuscated, suspicion_score
| sort - _timeDetects suspicious email URL activity using Microsoft Office 365 Management Activity API logs via the Splunk Add-on for Microsoft Office 365 (sourcetype o365:management:activity). Analyzes Safe Links events (SafeLinksAction, UrlScanResult) for URLs matching credential harvesting patterns: URL shorteners, credential-related keywords, IP-based URLs, and URL obfuscation via the @ symbol. Extracts the destination domain using rex for accurate domain-level analysis. Also surfaces any URL where Safe Links issued a block, phishing, or warning verdict regardless of the pattern score.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Marketing emails from legitimate vendors using URL shorteners and click-tracking redirectors for engagement analytics
- Security awareness training phishing simulations (KnowBe4, Proofpoint Security Awareness, Cofense) using internal or external domains
- Legitimate password reset emails from SaaS platforms triggering credential-related keyword matches in URL paths
- Corporate newsletter or HR communication services with URL redirection for open and click tracking
- Automated vendor onboarding emails with SSO or OAuth links matching authentication keyword patterns
Other platforms for T1598.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Phishing Link Click Simulation via Web Request
Expected signal: Network logs: HTTP GET to /login path with URL query parameters matching phishing patterns ('token=', 'verify', 'source=email'). HTTP POST to same domain within seconds containing credential form fields. Web proxy (stream:http, CommonSecurityLog, Zscaler NSS) logs both requests. Endpoint DNS cache (ipconfig /displaydns) shows resolution of the phishing domain. If HTTPS inspection is enabled on the proxy, POST body contents are captured.
- Test 2Spearphishing Email with Tracking Pixel — SMTP Delivery Test
Expected signal: SMTP server logs: email from '[email protected]' (lookalike domain). Email HTML body contains: (1) hyperlink to 'login.microsoft-accounts.info' with uid parameter, (2) 1x1 img tag pointing to 'track.microsoft-accounts.info' with recipient-unique uid and timestamp. In Microsoft 365, Defender for Office 365 would process the email and add the URLs to UrlClickEvents when pre-fetched by Safe Links. The X-Mailer spoofing 'Microsoft Outlook' is an additional header anomaly.
- Test 3URL Obfuscation via @ Symbol — Redirect Demonstration
Expected signal: Web proxy / NGFW logs: HTTP GET request with URL containing '@' character in the authority component (pattern: http://legit-looking-text@<actual-destination>). The destination IP (127.0.0.1 in test; attacker IP in production) differs from the domain text before @. DNS resolution logs show NO query for 'accounts.google.com' because the browser uses the IP after @. Integer-encoded hostname test generates a connection to a 10-digit number as the host field in proxy logs — no FQDN resolution.
- Test 4QR Code Phishing (Quishing) URL Generation — Endpoint Detection Test
Expected signal: Endpoint DNS logs: query for 'login.microsoftonline-secure.com' (lookalike domain) from the user's device when the QR code is scanned. Web proxy logs: HTTP GET to the domain with the path '/verify' and credential-related query parameters ('session=MFA-required', 'user='). Since the URL reaches the endpoint only after QR scan (not via email text), Microsoft Defender Safe Links will NOT pre-scan it — the DNS query and proxy GET are the first detection opportunities. Mobile device management (MDM) DNS logs or mobile threat defense (MTD) solutions would capture the domain query from the scanning device.
References (12)
- https://attack.mitre.org/techniques/T1598/003/
- https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
- https://mrd0x.com/browser-in-the-browser-phishing-attack/
- https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse
- https://csrc.nist.gov/glossary/term/web_bug
- https://en.ryte.com/wiki/Tracking_Pixel/
- https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1598.003/T1598.003.md
- https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials
Unlock Pro Content
Get the full detection package for T1598.003 including response playbook, investigation guide, and atomic red team tests.