T1656 IBM QRadar · QRadar

Detect Impersonation in IBM QRadar

This detection identifies adversary impersonation activity targeting organizational users through email-based business email compromise (BEC), help desk social engineering, and lookalike sender patterns. The detection focuses on emails with authentication failures (SPF/DKIM/DMARC) combined with high-urgency subject language, display name spoofing where sender display names match internal user identities but originate from external domains, and abnormal SendAs or SendOnBehalf delegation activity. Coverage extends to AAD sign-in anomalies that may indicate successful credential theft following impersonation-based help desk attacks, as seen in LAPSUS$ and Storm-1811 campaigns.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1656 Impersonation
Canonical reference
https://attack.mitre.org/techniques/T1656/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS SenderAddress,
    "RecipientAddress" AS RecipientAddress,
    "Subject" AS EmailSubject,
    CASE
        WHEN "SPFResult" = 'fail' AND "DKIMResult" = 'fail' THEN 90
        WHEN "DMARCResult" = 'fail' THEN 80
        WHEN "SPFResult" ILIKE '%fail%' THEN 65
        ELSE 50
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Exchange', 'Office 365')
    AND ("SPFResult" ILIKE '%fail%'
        OR "DKIMResult" ILIKE '%fail%'
        OR "DMARCResult" ILIKE '%fail%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 1 HOURS
high severity medium confidence

IBM QRadar AQL detection for Impersonation (T1656). Queries QRadar event pipeline for indicators consistent with impersonation adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • Legitimate third-party email service providers (Mailchimp, Salesforce, HubSpot) frequently fail DMARC when not properly configured in the sending domain's DNS, generating high-urgency transactional emails (payment confirmations, invoice delivery)
  • Executive assistants or shared mailbox operators legitimately using SendAs or SendOnBehalf delegation on behalf of their principals will trigger the delegation abuse branch — validate by checking O365 delegation configuration in Exchange
  • Vendors or contractors whose display names match internal employees with the same name (common surnames) will trigger DisplayNameSpoof detection — correlate with known vendor contact lists and verify recipient context
Download portable Sigma rule (.yml)

Other platforms for T1656

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1BEC Email Simulation via PowerShell SMTP with Spoofed Display Name

    Expected signal: EmailEvents table: record with SenderDisplayName='John Smith (CEO)', SenderFromAddress='[email protected]', AuthenticationDetails showing dmarc=fail or spf=fail, Subject containing 'URGENT' and 'Wire Transfer'

  2. Test 2Mailbox Delegation Abuse Simulation via Exchange Online PowerShell

    Expected signal: OfficeActivity: Add-RecipientPermission event (Operation=Add-MailboxPermission) followed by SendAs operation where UserId=attacker-test-account and MailboxOwnerUPN=finance-director-test. AADAuditLogs: 'Update user' or 'Add member to role' if escalation attempted.

  3. Test 3Inbox Forwarding Rule Creation Simulating Post-Compromise Email Persistence

    Expected signal: OfficeActivity: New-InboxRule operation for compromised-user-test mailbox with Parameters containing [email protected]. Event logged within 60 seconds of rule creation.

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1656 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1566PhishingT1598Phishing for InformationT1534Internal SpearphishingT1586Compromise AccountsT1589Gather Victim Identity InformationT1591Gather Victim Org InformationT1583.001DomainsT1657Financial Theft

Same Tactic: Defense Evasion

Popular Detections