title: Spearphishing Service (T1598.001)
id: df00tech-t1598-001
status: experimental
description: "Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. This includes messages sent through social media platforms (LinkedIn, Twitter, Facebook, WhatsApp), personal webmail, and other non-enterprise controlled services. Adversaries create fake personas — often posing as recruiters, colleagues, or vendors — to build rapport with targets and extract credentials, security configurations, VPN details, or other actionable intelligence. Because these messages transit third-party platforms outside the victim's network perimeter, they generate no traditional endpoint or network telemetry on the victim side. Detection must focus on downstream indicators: post-harvest sign-in anomalies, inbox rule changes, MFA modifications, and OAuth consent grants."
references:
  - https://attack.mitre.org/techniques/T1598/001/
  - https://df00tech.com/detections/T1598.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1598.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Employees logging in from personal devices, travel locations, or via commercial VPNs generating high-risk sign-in events in Azure AD Identity Protection"
  - Legitimate inbox forwarding rules created by users to route work email to personal accounts in BYOD environments where this is policy-permitted
  - "IT helpdesk-initiated MFA resets during support tickets generating security info change audit events under the user's context"
  - Corporate travel to new countries generating impossible-travel and new-ASN risk detections with no malicious activity
  - Automated SOAR playbooks or onboarding workflows that modify MFA settings and create inbox rules as part of approved provisioning processes
level: medium