T1656 Splunk · SPL

Detect Impersonation in Splunk

This detection identifies adversary impersonation activity targeting organizational users through email-based business email compromise (BEC), help desk social engineering, and lookalike sender patterns. The detection focuses on emails with authentication failures (SPF/DKIM/DMARC) combined with high-urgency subject language, display name spoofing where sender display names match internal user identities but originate from external domains, and abnormal SendAs or SendOnBehalf delegation activity. Coverage extends to AAD sign-in anomalies that may indicate successful credential theft following impersonation-based help desk attacks, as seen in LAPSUS$ and Storm-1811 campaigns.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1656 Impersonation
Canonical reference
https://attack.mitre.org/techniques/T1656/

SPL Detection Query

Splunk (SPL)
spl 
index=* (sourcetype="o365:management:activity" OR sourcetype="ms:o365:management")
| eval op=coalesce(Operation, operation)
| eval user=coalesce(UserId, user_id)
| eval client_ip=coalesce(ClientIP, client_ip)
| eval subject=coalesce(Subject, "")
| eval sender=coalesce(SenderAddress, FromAddress, user)
| eval recipient=coalesce(RecipientAddress, ToAddress, "")
| eval auth_result=coalesce(AuthenticationDetails, SpfVerdict, DkimVerdict, DmarcVerdict, "")
[
  search (op="MessageSent" OR op="Send" OR op="SendAs" OR op="SendOnBehalf")
  | return 100000 op user client_ip subject sender recipient auth_result
]
| eval urgency_hit=if(match(lower(subject), "(urgent|wire.?transfer|payment|invoice|request|verify|immediate|overdue|final.?notice|password.?reset|account.?update)"), 1, 0)
| eval auth_fail=if(match(lower(auth_result), "(spf=fail|dkim=fail|dmarc=fail|softfail|fail)"), 1, 0)
| eval delegation_abuse=if(op IN ("SendAs", "SendOnBehalf") AND user!=sender, 1, 0)
| where urgency_hit=1 OR auth_fail=1 OR delegation_abuse=1
| eval detection_type=case(
    delegation_abuse=1, "SuspiciousDelegation",
    auth_fail=1 AND urgency_hit=1, "AuthFailWithUrgency",
    auth_fail=1, "AuthFailure",
    urgency_hit=1, "UrgencyKeyword",
    true(), "Unknown"
  )
| eval risk_score=if(auth_fail=1, 50, 0) + if(urgency_hit=1, 30, 0) + if(delegation_abuse=1, 70, 0)
| where risk_score >= 50
| table _time, detection_type, risk_score, user, sender, recipient, subject, client_ip, auth_result, op
| sort -risk_score, -_time
high severity medium confidence

Detects impersonation activity in Office 365 management activity logs by scoring events across three risk dimensions: email authentication failures (SPF/DKIM/DMARC), urgency keyword presence in email subjects associated with BEC fraud patterns, and delegation abuse where SendAs or SendOnBehalf operations are performed by identities different from the mailbox owner. Events scoring 50+ risk points are surfaced as alerts.

Data Sources

Microsoft 365 / Office 365 Management ActivityMicrosoft Defender for Office 365

Required Sourcetypes

o365:management:activityms:o365:management

False Positives & Tuning

  • Marketing automation platforms (Marketo, HubSpot, Pardot) sending on behalf of sales reps via SendOnBehalf delegation legitimately fail certain auth checks — verify by correlating sender domain against known marketing vendor IP ranges
  • Automated billing and finance systems that send invoices and payment reminders with urgency language will match the keyword filter — build a suppression list of known finance system service accounts
  • IT helpdesk ticketing systems (ServiceNow, Zendesk) that use SendAs to reply from team mailboxes will trigger delegation detection — validate against known IT service account UPNs
Download portable Sigma rule (.yml)

Other platforms for T1656

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1BEC Email Simulation via PowerShell SMTP with Spoofed Display Name

    Expected signal: EmailEvents table: record with SenderDisplayName='John Smith (CEO)', SenderFromAddress='[email protected]', AuthenticationDetails showing dmarc=fail or spf=fail, Subject containing 'URGENT' and 'Wire Transfer'

  2. Test 2Mailbox Delegation Abuse Simulation via Exchange Online PowerShell

    Expected signal: OfficeActivity: Add-RecipientPermission event (Operation=Add-MailboxPermission) followed by SendAs operation where UserId=attacker-test-account and MailboxOwnerUPN=finance-director-test. AADAuditLogs: 'Update user' or 'Add member to role' if escalation attempted.

  3. Test 3Inbox Forwarding Rule Creation Simulating Post-Compromise Email Persistence

    Expected signal: OfficeActivity: New-InboxRule operation for compromised-user-test mailbox with Parameters containing [email protected]. Event logged within 60 seconds of rule creation.

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1656 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1566PhishingT1598Phishing for InformationT1534Internal SpearphishingT1586Compromise AccountsT1589Gather Victim Identity InformationT1591Gather Victim Org InformationT1583.001DomainsT1657Financial Theft

Same Tactic: Defense Evasion

Popular Detections