Detect Phishing for Information in IBM QRadar
Detects adversary phishing-for-information campaigns targeting employees via email, spearphishing, and social engineering to harvest credentials, one-time passwords, and sensitive organizational data. Detection operates across three layers: (1) inbound email analysis identifying spoofed senders (From/MailFrom domain mismatch), credential-harvesting subject line keywords, and URLs pointing to non-trusted domains; (2) URL click telemetry correlating users navigating to phishing infrastructure after suspicious email delivery; and (3) post-phishing authentication anomalies such as sign-ins from new geographies within minutes of a suspicious email click. This technique is actively used by Scattered Spider for MFA/OTP capture, APT28 for credential collection against campaign targets, and Kimsuky for intelligence gathering against research institutions.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Canonical reference
- https://attack.mitre.org/techniques/T1598/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("operationname") ILIKE '%new-inboxrule%' OR LOWER("operationname") ILIKE '%set-inboxrule%' AND LOWER("params") ILIKE '%forwardto%' THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("operationname") ILIKE '%new-inboxrule%' OR LOWER("operationname") ILIKE '%set-inboxrule%' AND LOWER("params") ILIKE '%forwardto%')
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Phishing for Information (T1598). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
- Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
- Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
- Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address
Other platforms for T1598
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GoPhish Credential Harvesting Campaign Simulation
Expected signal: EmailEvents alert on phishing keywords in test email subjects; UrlClickEvents showing recipient navigated to GoPhish landing page URL; HTTP POST to GoPhish listener captured in web proxy logs; AADSignInLogs showing no anomalous auth (validates that controls blocked credential use)
- Test 2Evilginx2 Adversary-in-the-Middle Phishing Proxy Setup
Expected signal: Network flow logs showing HTTPS connection to proxy infrastructure with non-organizational certificate; DeviceNetworkEvents showing browser connection to AiTM domain; AADSignInLogs showing token replay from attacker IP shortly after legitimate user authentication
- Test 3Spearphishing Voice (Vishing) Pretext Simulation with Callback Detection
Expected signal: User report submitted to security team via phishing report button or SIEM ingestion of helpdesk ticket; if conducted via licensed vishing simulation platform (e.g., Proofpoint Vishing Simulator), campaign results exported to SIEM; telephony logs showing inbound calls from spoofed caller IDs
References (7)
- https://attack.mitre.org/techniques/T1598/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-technique/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/gophish/gophish
- https://github.com/kgretzky/evilginx2
Unlock Pro Content
Get the full detection package for T1598 including response playbook, investigation guide, and atomic red team tests.