title: Internal Spearphishing (T1534)
id: df00tech-t1534
status: experimental
description: "Adversaries who have already compromised an account or system may abuse the trusted internal identity to send phishing messages to other users within the same organization. Because the message originates from a known colleague, recipients are far more likely to open attachments, click links, or provide credentials. Campaigns typically combine a compromised mailbox or chat account with a weaponized attachment, a credential-harvesting link, or a malicious macro-enabled document. Real-world actors include Gamaredon (Outlook VBA module auto-sending phishing to contacts), Kimsuky (stolen credentials reused for internal mail), Leviathan/APT40, and HEXANE. Detection surfaces include anomalous send volume or recipient patterns from an internal account, Outlook spawning suspicious child processes (macro execution), Microsoft Teams delivering external URLs or files, and mass-BCC or reply-all abuse patterns."
references:
  - https://attack.mitre.org/techniques/T1534/
  - https://df00tech.com/detections/T1534
author: df00tech
date: 2026/04/20
tags:
  - attack.t1534
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate marketing or HR mass-email campaigns using a shared internal account that sends newsletters or announcements to all staff
  - "Automated IT notification systems (monitoring alerts, ticketing systems, patch notifications) sending bulk emails from a service account"
  - Outlook VBA macros used by finance or legal teams for legitimate templated document workflows spawning cmd.exe or wscript.exe
  - IT administrators sending automated onboarding emails via PowerShell scripts authenticated as their own account
  - "Microsoft Teams bots or connectors posting messages with external links as part of approved integrations (e.g., GitHub notifications, JIRA updates)"
level: high