Detect Phishing for Information in Microsoft Sentinel
Detects adversary phishing-for-information campaigns targeting employees via email, spearphishing, and social engineering to harvest credentials, one-time passwords, and sensitive organizational data. Detection operates across three layers: (1) inbound email analysis identifying spoofed senders (From/MailFrom domain mismatch), credential-harvesting subject line keywords, and URLs pointing to non-trusted domains; (2) URL click telemetry correlating users navigating to phishing infrastructure after suspicious email delivery; and (3) post-phishing authentication anomalies such as sign-ins from new geographies within minutes of a suspicious email click. This technique is actively used by Scattered Spider for MFA/OTP capture, APT28 for credential collection against campaign targets, and Kimsuky for intelligence gathering against research institutions.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Canonical reference
- https://attack.mitre.org/techniques/T1598/
KQL Detection Query
let PhishingKeywords = dynamic(["verify your account", "confirm your identity", "urgent action required", "account suspended", "click to verify", "validate credentials", "one-time password", "account will be locked", "update your information", "security notification", "unusual sign-in", "confirm your credentials"]);
let TrustedDomains = dynamic(["microsoft.com", "office.com", "office365.com", "microsoftonline.com", "google.com", "amazon.com", "github.com", "okta.com", "salesforce.com"]);
EmailEvents
| where TimeGenerated > ago(1d)
| where DeliveryAction !in ("Blocked")
| where EmailDirection == "Inbound"
| extend SpoofedSender = (SenderFromDomain != SenderMailFromDomain and isnotempty(SenderMailFromDomain))
| extend SuspiciousSubject = (Subject has_any (PhishingKeywords))
| join kind=leftouter (
EmailUrlInfo
| where TimeGenerated > ago(1d)
| where isnotempty(UrlDomain)
| where UrlDomain !has_any (TrustedDomains)
| summarize SuspiciousUrls = make_set(Url, 5), SuspiciousUrlDomains = make_set(UrlDomain, 5) by NetworkMessageId
) on NetworkMessageId
| where SpoofedSender or SuspiciousSubject or isnotempty(SuspiciousUrls)
| extend RiskScore = toint(SpoofedSender) * 50 + toint(SuspiciousSubject) * 30 + iff(isnotempty(SuspiciousUrls), 20, 0)
| where RiskScore >= 30
| project TimeGenerated, RecipientEmailAddress, SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, NetworkMessageId, SpoofedSender, SuspiciousSubject, SuspiciousUrls, SuspiciousUrlDomains, RiskScore
| order by RiskScore desc, TimeGenerated descDetects inbound emails exhibiting phishing-for-information characteristics: spoofed sender addresses (From domain differs from MailFrom domain indicating SPF alignment failures or display-name spoofing), subject lines containing credential harvesting or social engineering keywords, and URLs pointing to domains not in the trusted baseline. Requires Microsoft Defender for Office 365 Plan 2 with Advanced Hunting enabled in the Microsoft 365 Defender portal.
Data Sources
Required Tables
False Positives & Tuning
- Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language — add their sending domains to an exclusion list
- Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language — add known-good vendor domains to TrustedDomains
- Marketing automation platforms (Mailchimp, HubSpot, Marketo) using display-name spoofing where MailFrom belongs to the ESP but From shows the client company brand — causing SpoofedSender false positives
- Bulk email systems with legitimate SPF misalignment for delivery routing purposes, where the technical envelope sender differs from the brand display From address
Other platforms for T1598
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1GoPhish Credential Harvesting Campaign Simulation
Expected signal: EmailEvents alert on phishing keywords in test email subjects; UrlClickEvents showing recipient navigated to GoPhish landing page URL; HTTP POST to GoPhish listener captured in web proxy logs; AADSignInLogs showing no anomalous auth (validates that controls blocked credential use)
- Test 2Evilginx2 Adversary-in-the-Middle Phishing Proxy Setup
Expected signal: Network flow logs showing HTTPS connection to proxy infrastructure with non-organizational certificate; DeviceNetworkEvents showing browser connection to AiTM domain; AADSignInLogs showing token replay from attacker IP shortly after legitimate user authentication
- Test 3Spearphishing Voice (Vishing) Pretext Simulation with Callback Detection
Expected signal: User report submitted to security team via phishing report button or SIEM ingestion of helpdesk ticket; if conducted via licensed vishing simulation platform (e.g., Proofpoint Vishing Simulator), campaign results exported to SIEM; telephony logs showing inbound calls from spoofed caller IDs
References (7)
- https://attack.mitre.org/techniques/T1598/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-technique/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/gophish/gophish
- https://github.com/kgretzky/evilginx2
Unlock Pro Content
Get the full detection package for T1598 including response playbook, investigation guide, and atomic red team tests.