Detect Phishing for Information in Splunk
Detects adversary phishing-for-information campaigns targeting employees via email, spearphishing, and social engineering to harvest credentials, one-time passwords, and sensitive organizational data. Detection operates across three layers: (1) inbound email analysis identifying spoofed senders (From/MailFrom domain mismatch), credential-harvesting subject line keywords, and URLs pointing to non-trusted domains; (2) URL click telemetry correlating users navigating to phishing infrastructure after suspicious email delivery; and (3) post-phishing authentication anomalies such as sign-ins from new geographies within minutes of a suspicious email click. This technique is actively used by Scattered Spider for MFA/OTP capture, APT28 for credential collection against campaign targets, and Kimsuky for intelligence gathering against research institutions.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1598 Phishing for Information
- Canonical reference
- https://attack.mitre.org/techniques/T1598/
SPL Detection Query
index=* sourcetype="ms:o365:management:activity" Workload=Exchange
| search Operation IN ("MessageDelivered", "MessageReceived")
| rex field=_raw "\"Subject\":\"(?<EmailSubject>[^\"]+)\""
| rex field=_raw "\"SenderAddress\":\"(?<SenderAddress>[^\"]+)\""
| rex field=_raw "\"RecipientAddress\":\"(?<RecipientAddress>[^\"]+)\""
| eval SenderDomain=lower(mvindex(split(SenderAddress, "@"), 1))
| eval PhishingScore=0
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "verify|confirm.*identity|urgent.*action|account.*suspend|validate.*credential|one.time.password|account.*lock"), 30, 0)
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "security.*alert|unusual.*activity|sign.in.*attempt|password.*expir|update.*information"), 20, 0)
| eval PhishingScore=PhishingScore + if(match(lower(EmailSubject), "invoice|wire.*transfer|w-2|tax.*form|benefits.*enroll|direct.*deposit"), 25, 0)
| where PhishingScore >= 20
| bin _time span=1h
| stats count as MessageCount, values(EmailSubject) as Subjects, values(SenderAddress) as Senders, values(RecipientAddress) as Recipients, max(PhishingScore) as MaxScore by SenderDomain, _time
| sort -MaxScore
| table _time, SenderDomain, Senders, Recipients, Subjects, MessageCount, MaxScore
Detects phishing-for-information email patterns in Office 365 management activity logs by scoring inbound messages against credential-harvesting, social-engineering, and business email compromise keyword patterns. Each keyword tier contributes its weight at most once per message, so a subject matching several terms in the same tier still scores that tier's value. Messages are bucketed into one-hour windows with bin before the stats aggregation (stats does not accept span() in its by clause). High-scoring messages from one sender domain reaching multiple recipients within the same hour indicate an active phishing campaign. Requires the Splunk Add-on for Microsoft Office 365.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT security awareness training emails with intentional phishing simulation language from platforms like KnowBe4 or Cofense
- Legitimate account security notifications from identity providers (Okta, Azure AD, Google Workspace) using urgency language for MFA enrollment or password expiration
- HR and finance system notifications (payroll confirmations, benefits enrollment reminders, W-2 availability) matching BEC-themed keywords
- Automated IT ticketing system notifications using action-required language for pending approvals or access requests
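The following is an added Python example, not part of this detection page or the vendor's rule set. It re-implements the SPL scoring and hourly aggregation above over constructed management-activity records so the keyword tiers and the 20-point threshold can be exercised offline, and it adds two things the page describes in prose but the query does not implement: the From/MailFrom domain-mismatch check from the description (the MailFrom field and its 15-point weight are assumptions) and a sender-domain allowlist for the false-positive classes listed above (the allowlisted domain names are constructed placeholders).

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Keyword tiers and weights copied from the three match() clauses of the SPL query.
KEYWORD_TIERS = [
    (re.compile(r"verify|confirm.*identity|urgent.*action|account.*suspend|"
                r"validate.*credential|one.time.password|account.*lock"), 30),
    (re.compile(r"security.*alert|unusual.*activity|sign.in.*attempt|"
                r"password.*expir|update.*information"), 20),
    (re.compile(r"invoice|wire.*transfer|w-2|tax.*form|benefits.*enroll|direct.*deposit"), 25),
]
ALERT_THRESHOLD = 20   # same cut-off as "| where PhishingScore >= 20"
MISMATCH_WEIGHT = 15   # assumed weight for a header-From vs envelope-MailFrom domain mismatch

# Hypothetical tuning allowlist (constructed domains): phishing-simulation platform,
# identity provider and payroll system whose legitimate mail reuses urgency language.
ALLOWLISTED_SENDER_DOMAINS = {"training.example", "okta.example", "payroll.example"}


def domain_of(address):
    """Lower-cased domain part of an address, like mvindex(split(addr, "@"), 1)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def subject_score(subject):
    """Sum of tier weights whose pattern matches the lower-cased subject (one hit per tier)."""
    s = subject.lower()
    return sum(weight for pattern, weight in KEYWORD_TIERS if pattern.search(s))


def score_event(event):
    """Derive the fields the SPL query extracts from one record; None if not an Exchange delivery."""
    if event.get("Workload") != "Exchange":
        return None
    if event.get("Operation") not in ("MessageDelivered", "MessageReceived"):
        return None
    sender = event.get("SenderAddress", "")
    score = subject_score(event.get("Subject", ""))
    # Envelope sender (MailFrom) differing from header From is a spoofing indicator named in
    # the page description; the field and the weight are assumptions of this example.
    mail_from = event.get("MailFrom")
    if mail_from and domain_of(mail_from) != domain_of(sender):
        score += MISMATCH_WEIGHT
    return {"time": datetime.fromisoformat(event["CreationTime"]), "sender": sender,
            "sender_domain": domain_of(sender), "recipient": event.get("RecipientAddress", ""),
            "subject": event.get("Subject", ""), "score": score}


def detect(raw_records, allowlist=ALLOWLISTED_SENDER_DOMAINS):
    """Score records, drop allowlisted senders, aggregate per sender domain and hour.

    Returns alert rows sorted by MaxScore descending, like "| sort -MaxScore".
    """
    buckets = defaultdict(lambda: {"MessageCount": 0, "MaxScore": 0,
                                   "Subjects": set(), "Senders": set(), "Recipients": set()})
    for raw in raw_records:
        row = score_event(json.loads(raw))
        if row is None or row["score"] < ALERT_THRESHOLD:
            continue
        if row["sender_domain"] in allowlist:   # tuning: known benign urgency senders
            continue
        hour = row["time"].replace(minute=0, second=0, microsecond=0)   # bin _time span=1h
        b = buckets[(row["sender_domain"], hour)]
        b["MessageCount"] += 1
        b["MaxScore"] = max(b["MaxScore"], row["score"])
        b["Subjects"].add(row["subject"])
        b["Senders"].add(row["sender"])
        b["Recipients"].add(row["recipient"])
    alerts = [{"_time": hour.isoformat(), "SenderDomain": dom, **stats}
              for (dom, hour), stats in buckets.items()]
    return sorted(alerts, key=lambda a: a["MaxScore"], reverse=True)


# Constructed sample records in the shape of ms:o365:management:activity events.
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"CreationTime": "2024-05-01T09:12:00", "Workload": "Exchange", "Operation": "MessageDelivered",
     "Subject": "Urgent action required: verify your account",
     "SenderAddress": "it-desk@accounts-verify.example", "RecipientAddress": "alice@corp.example"},
    {"CreationTime": "2024-05-01T09:41:00", "Workload": "Exchange", "Operation": "MessageDelivered",
     "Subject": "Security alert: unusual sign-in activity detected",
     "SenderAddress": "security@accounts-verify.example", "RecipientAddress": "bob@corp.example"},
    {"CreationTime": "2024-05-01T10:05:00", "Workload": "Exchange", "Operation": "MessageDelivered",
     "Subject": "Your W-2 tax form is now available",
     "SenderAddress": "hr@payroll.example", "RecipientAddress": "carol@corp.example"},
    {"CreationTime": "2024-05-01T10:30:00", "Workload": "Exchange", "Operation": "MessageReceived",
     "Subject": "Lunch on Friday?",
     "SenderAddress": "dave@corp.example", "RecipientAddress": "alice@corp.example"},
    {"CreationTime": "2024-05-01T11:30:00", "Workload": "Exchange", "Operation": "MessageDelivered",
     "Subject": "Validate your credentials to avoid account lock", "MailFrom": "bounce@bulk-mailer.example",
     "SenderAddress": "noreply@secure-login.example", "RecipientAddress": "erin@corp.example"},
    {"CreationTime": "2024-05-01T11:45:00", "Workload": "SharePoint", "Operation": "FileAccessed"},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

Run as a script it prints two alert rows: the spoofed secure-login sender (30 from the credential tier plus 15 for the MailFrom mismatch) and the accounts-verify domain that hit two recipients in the 09:00 hour; the payroll W-2 notice scores 25 but is suppressed by the allowlist, which is the tuning the bullets above call for. Passing allowlist=set() reinstates it, which is a quick way to measure how much noise a given tuning entry removes before committing it to the production search.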
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: GoPhish Credential Harvesting Campaign Simulation
Expected signal: EmailEvents alert on phishing keywords in test email subjects; UrlClickEvents showing recipient navigated to GoPhish landing page URL; HTTP POST to GoPhish listener captured in web proxy logs; AADSignInLogs showing no anomalous auth (validates that controls blocked credential use)
- Test 2: Evilginx2 Adversary-in-the-Middle Phishing Proxy Setup
Expected signal: Network flow logs showing HTTPS connection to proxy infrastructure with non-organizational certificate; DeviceNetworkEvents showing browser connection to AiTM domain; AADSignInLogs showing token replay from attacker IP shortly after legitimate user authentication
- Test 3: Spearphishing Voice (Vishing) Pretext Simulation with Callback Detection
Expected signal: User report submitted to security team via phishing report button or SIEM ingestion of helpdesk ticket; if conducted via licensed vishing simulation platform (e.g., Proofpoint Vishing Simulator), campaign results exported to SIEM; telephony logs showing inbound calls from spoofed caller IDs
References (7)
- https://attack.mitre.org/techniques/T1598/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-technique/
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-emailevents-table
- https://github.com/gophish/gophish
- https://github.com/kgretzky/evilginx2