Skip to content

DET0054 Internal Spearphishing via Trusted Accounts

Item Value
ID DET0054
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1534 (Internal Spearphishing)

Analytics

Windows

AN0147

Sequence of internal email sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes: internal mail delivery to peers with high entropy attachments, followed by click events, process initiation, or credential prompts.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
User Account Authentication (DC0002) WinEventLog:Security EventCode=4625
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672
Application Log Content (DC0038) m365:unified SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
TimeWindow Expected time between internal email and link execution or file dropper
UserContext Baseline logon locations and device usage for sender accounts
AttachmentEntropyThreshold Entropy value over which attachment is considered suspicious

Linux

AN0148

Delivery of suspicious internal communication (e.g., Thunderbird, Evolution) using compromised internal accounts. Sequence of: unexpected user activity + mail transfer logs + download or execution of attachments.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
Application Log Content (DC0038) Application:Mail smtpd$.$: .from=.*@internaldomain.com to=.*@internaldomain.com
Network Traffic Content (DC0085) linux:syslog curl
Mutable Elements
Field Description
SubjectLineAnomaly Deviation from typical internal email subjects
AttachmentType Executable types allowed or flagged by mail relay

macOS

AN0149

Abnormal Apple Mail use, including internal email relays followed by file execution or script events (e.g., attachments launched via Preview, terminal triggered from Mail.app)

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog com.apple.mail. exec.
Network Traffic Content (DC0085) macos:unifiedlog curl
Mutable Elements
Field Description
ExecutionChainDepth Number of child processes stemming from Mail.app
MailScriptFlag Toggle on scripting detection within mail context

SaaS

AN0150

Internal spearphishing via SaaS applications (e.g., Slack, Teams, Gmail): message sent from compromised user with attachment or URL, followed by click and credential access behavior.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) saas:slack file_upload, message_send, message_click
Mutable Elements
Field Description
UserAnomalyThreshold Volume or timing of messages sent after compromise
FileRiskScoring Whether SaaS DLP assigns risk scores to attachments

Office Suite

AN0151

Outlook or Word used to forward suspicious internal attachments with macro content. Defender observes attachment forwarding, auto-opening behaviors, or macro prompt interactions.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified SendOnBehalf, MessageSend, AttachmentPreviewed
Command Execution (DC0064) WinEventLog:Security EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
MacroExecutionWindow Timing between mail open and macro invocation
AttachmentNameHeuristics Patterns of known internal spearphishing lures (e.g., invoice, HR_policy)