title: Phishing for Information (T1598)
id: df00tech-t1598
status: experimental
description: "Detects adversary phishing-for-information campaigns that target employees via email, spearphishing and social engineering to harvest credentials, one-time passwords and sensitive organizational data. Detection operates across three layers: (1) inbound email analysis flagging spoofed senders (header From domain differs from envelope MailFrom domain), credential-harvesting keywords in the subject line, and URLs whose host is not in the TrustedDomains list; (2) URL click telemetry correlating a recipient navigating to the flagged phishing infrastructure after delivery of the suspicious email; and (3) post-click authentication anomalies, such as a sign-in from a geography not previously seen for that user within minutes of the click. This technique is actively used by Scattered Spider for MFA/OTP capture, by APT28 for credential collection against campaign targets, and by Kimsuky for intelligence gathering against research institutions."
references:
  - https://attack.mitre.org/techniques/T1598/
  - https://df00tech.com/detections/T1598
author: df00tech
date: 2026/03/20
tags:
  - attack.t1598
# NOTE: logsource is auto-derived and may need adjustment for your environment. Layers 1 and 2
# need email and URL-click telemetry (for example Microsoft 365 Defender EmailEvents and
# UrlClickEvents); only layer 3 maps to Azure/Entra sign-in logs.
logsource:
  product: azure
detection:
  # Placeholder: the layered email/click/sign-in correlation could not be auto-translated to Sigma;
  # see the KQL/SPL query on df00tech. The wildcard below matches EVERY event and must be replaced
  # with the translated logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security awareness training platforms (KnowBe4, Proofpoint Security Awareness Training) sending simulated phishing emails with intentional urgency language; add their sending domains to an exclusion list"
  - "Legitimate password reset and account verification emails from external SaaS vendors (Okta, Salesforce, ServiceNow) that use 'verify your account' or 'urgent action' language; add known-good vendor domains to TrustedDomains"
  - "Marketing automation platforms (Mailchimp, HubSpot, Marketo) sending on behalf of a client, where the envelope MailFrom carries the ESP's bounce domain while the header From shows the client brand domain; this is a legitimate From/MailFrom domain mismatch (not display-name spoofing) and triggers SpoofedSender unless the ESP domain is excluded or DMARC alignment is checked"
  - "Bulk email systems with legitimate SPF non-alignment used for bounce handling, where the technical envelope sender differs from the brand header From; a message that still passes DMARC through an aligned DKIM signature should not be treated as spoofed"
level: high
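The three detection layers from the description and the falsepositives exclusions above, as an added worked example in Python that is not part of the df00tech rule or its KQL/SPL query. The event field names (from, mailfrom, dmarc_pass, urls, country), the two-indicator threshold, the 24-hour click window, the 30-minute sign-in window and the tuning lists are assumptions; the sample telemetry is constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed tuning lists: the tenant's own domain plus known-good vendors (the rule's
# TrustedDomains) and simulated-phishing platforms (the awareness-training exclusion).
TRUSTED_DOMAINS = {"corp.example", "okta.com", "salesforce.com", "servicenow.com"}
AWARENESS_SENDERS = {"knowbe4.com", "proofpoint.com"}
CRED_KEYWORDS = ("verify your account", "urgent action", "password", "one-time", "otp", "mfa")
MIN_INDICATORS = 2                     # assumed: a single indicator is too noisy to flag
CLICK_WINDOW = timedelta(hours=24)     # assumed: email delivery -> click
SIGNIN_WINDOW = timedelta(minutes=30)  # assumed: click -> anomalous sign-in


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def analyze_email(ev: dict) -> list[str]:
    """Layer 1: indicators on one inbound email (empty list means clean or excluded)."""
    from_dom, mailfrom_dom = domain_of(ev["from"]), domain_of(ev["mailfrom"])
    if from_dom in TRUSTED_DOMAINS or mailfrom_dom in AWARENESS_SENDERS:
        return []  # known-good vendor or awareness-training platform
    reasons = []
    # Header From vs envelope MailFrom domain mismatch. Bulk ESPs mismatch legitimately
    # but pass DMARC via an aligned DKIM signature, so also require a DMARC failure.
    if from_dom != mailfrom_dom and not ev.get("dmarc_pass", False):
        reasons.append("SpoofedSender")
    if any(k in ev["subject"].lower() for k in CRED_KEYWORDS):
        reasons.append("CredentialKeyword")
    if any(url_host(u) not in TRUSTED_DOMAINS for u in ev["urls"]):
        reasons.append("UntrustedUrl")
    return reasons


def correlate_clicks(flagged: list[dict], clicks: list[dict]) -> list[dict]:
    """Layer 2: the recipient navigates to a host from a flagged email within CLICK_WINDOW."""
    hits = []
    for c in clicks:
        for e in flagged:
            same_host = url_host(c["url"]) in {url_host(u) for u in e["urls"]}
            if c["user"] == e["recipient"] and same_host and timedelta(0) <= c["ts"] - e["ts"] <= CLICK_WINDOW:
                hits.append({"user": c["user"], "click_ts": c["ts"], "url": c["url"], "reasons": e["reasons"]})
    return hits


def correlate_signins(hits: list[dict], signins: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Layer 3: successful sign-in from a country outside the user's baseline shortly after a click."""
    alerts = []
    for s in signins:
        if s["result"] != "success" or s["country"] in baseline.get(s["user"], set()):
            continue
        for h in hits:
            if s["user"] == h["user"] and timedelta(0) <= s["ts"] - h["click_ts"] <= SIGNIN_WINDOW:
                alerts.append({"user": s["user"], "country": s["country"], "signin_ts": s["ts"],
                               "url": h["url"], "reasons": h["reasons"]})
    return alerts


def run_detection(emails, clicks, signins, baseline) -> dict:
    """Run all three layers and return the flagged rows per layer."""
    flagged = []
    for ev in emails:
        reasons = analyze_email(ev)
        if len(reasons) >= MIN_INDICATORS:
            flagged.append({**ev, "reasons": reasons})
    hits = correlate_clicks(flagged, clicks)
    return {"emails": flagged, "clicks": hits, "signins": correlate_signins(hits, signins, baseline)}


T = datetime(2026, 3, 20, 9, 0)
# Constructed sample telemetry (not real data): one lookalike-domain phish, one ESP newsletter,
# one genuine Okta notice and one KnowBe4 simulation.
SAMPLE_EMAILS = [
    {"ts": T, "recipient": "alice@corp.example", "from": "it-helpdesk@corp-example.support",
     "mailfrom": "bounce@mail-blast.net", "dmarc_pass": False,
     "subject": "Urgent action required: verify your account",
     "urls": ["https://login-corp-example.support/mfa"]},
    {"ts": T, "recipient": "bob@corp.example", "from": "news@brand.example",
     "mailfrom": "bounce@esp-bounce.net", "dmarc_pass": True,  # DKIM-aligned, DMARC passes
     "subject": "March newsletter", "urls": ["https://brand.example/news"]},
    {"ts": T, "recipient": "alice@corp.example", "from": "noreply@okta.com",
     "mailfrom": "noreply@okta.com", "dmarc_pass": True,
     "subject": "Verify your account", "urls": ["https://okta.com/reset"]},
    {"ts": T, "recipient": "bob@corp.example", "from": "ceo@corp-example.co",
     "mailfrom": "sim@knowbe4.com", "dmarc_pass": False,
     "subject": "Urgent action: password expires today", "urls": ["https://kb4-sim.example/reset"]},
]
SAMPLE_CLICKS = [
    {"ts": T + timedelta(minutes=7), "user": "alice@corp.example", "url": "https://login-corp-example.support/mfa"},
    {"ts": T + timedelta(minutes=30), "user": "bob@corp.example", "url": "https://brand.example/news"},
]
SAMPLE_SIGNINS = [
    {"ts": T + timedelta(minutes=15), "user": "alice@corp.example", "country": "NL", "result": "success"},
    {"ts": T + timedelta(minutes=20), "user": "alice@corp.example", "country": "US", "result": "success"},
    {"ts": T + timedelta(minutes=40), "user": "bob@corp.example", "country": "DE", "result": "success"},
]
BASELINE = {"alice@corp.example": {"US"}, "bob@corp.example": {"US"}}

if __name__ == "__main__":
    for layer, rows in run_detection(SAMPLE_EMAILS, SAMPLE_CLICKS, SAMPLE_SIGNINS, BASELINE).items():
        print(layer, rows)
```

Only the lookalike-domain email survives layer 1: the newsletter's From/MailFrom mismatch is ignored because it passes DMARC, the Okta notice is excluded by TrustedDomains, and the KnowBe4 simulation by the awareness-sender list. Alice's click on the flagged host and her sign-in from a country outside her baseline eight minutes later then produce the single layer 3 alert; Bob's sign-in from a new country is not raised because no flagged email or click precedes it.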
