Skip to content

DET0286 Detection Strategy for Impersonation

Item Value
ID DET0286
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1656 (Impersonation)

Analytics

Windows

AN0792

Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., ‘payment’, ‘wire transfer’) or anomalous login locations for accounts associated with email sending activity.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Application Log Content (DC0038) m365:unified SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership
Mutable Elements
Field Description
KeywordList Adjust impersonation detection keywords based on local business risk terms (e.g., ‘ACH’, ‘Invoice’).
GeoLocationBaseline Define trusted geographic regions for normal user email activity.

Linux

AN0793

Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers mismatching authenticated SMTP identities. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve: Processes executing sendmail/postfix with forged headers
Application Log Content (DC0038) Application:Mail Mismatch between authenticated username and From header in email
Mutable Elements
Field Description
KnownRelayHosts Filter trusted relays or automated notification systems from impersonation alerts.

macOS

AN0794

Monitor Mail.app activity or unified logs for anomalous SMTP usage, including mismatches between display name and authenticated AppleID or Exchange credentials. Detect use of third-party mail utilities that attempt to send on behalf of corporate identities.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog Mail.app or third-party clients sending messages with mismatched From headers
Mutable Elements
Field Description
TrustedMailClients Allowlist known third-party clients used for legitimate email activity.

SaaS

AN0795

Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) gcp:workspaceaudit SendAs: Outbound messages with alias identities that differ from primary account
Mutable Elements
Field Description
DelegationBaseline Maintain baseline of normal SendAs/SendOnBehalf relationships to reduce false positives.

Office Suite

AN0796

Monitor Office Suite applications (Outlook, Word mail merge, Excel macros) for abnormal automated message sending, especially when macros or scripts trigger email delivery. Detect patterns of impersonation language (urgent, payment, executive request) combined with anomalous execution of Office macros.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) m365:unified SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities
Mutable Elements
Field Description
MacroExecutionThreshold Threshold for correlating macro execution with email sending activity.