Threat actor Phosphorus is using compromised email accounts of conference organizers to send phishing emails with malicious attachments, leveraging social engineering to compromise attendees. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Phosphorus campaign activity early, preventing potential data exfiltration and lateral movement.
KQL Query

```kusto
//Filter for emails that were delivered and check if there was any action taken on them post delivery, by joining with EmailPostDeliveryEvents
let MaliciousSenders = dynamic(["[email protected]", "[email protected]", "[email protected]", "[email protected]",
"[email protected]", "[email protected]"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
| join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress
```
```yaml
id: ffdd9edf-3959-415f-bac2-7e108bc1f70d
name: Threat actor Phosphorus masquerading as conference organizers (2)
description: |
  Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC.
  Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailPostDeliveryEvents
      - EmailEvents
tactics:
  - InitialAccess
query: |
  //Filter for emails that were delivered and check if there was any action taken on them post delivery, by joining with EmailPostDeliveryEvents
  let MaliciousSenders = dynamic(["[email protected]", "[email protected]", "[email protected]", "[email protected]",
  "[email protected]", "[email protected]"]);
  EmailEvents
  | where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
  | join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailPostDeliveryEvents | Ensure this data connector is enabled |
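To make the join behaviour concrete, here is an added Python re-implementation of the hunting query run over constructed sample rows; it is not Microsoft's code and not part of the Sentinel rule above. The sender addresses, message ids and post-delivery action values are constructed placeholders (the real IOC list comes from MSTIC), and the `ActionType` column name is taken from the EmailPostDeliveryEvents schema. The example goes one step beyond the page's query: besides KQL's default `innerunique` join, it offers a `leftouter` mode that keeps delivered mail with no post-delivery event, which the default join silently drops even though that is exactly the mail still sitting in a mailbox.

```python
"""Added example: an offline re-implementation of the page's KQL hunting logic.

Mirrors this pipeline over in-memory rows so the join behaviour can be inspected:

    EmailEvents
    | where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
    | join EmailPostDeliveryEvents on NetworkMessageId, RecipientEmailAddress

All addresses, message ids and action values below are constructed sample
data, not the MSTIC-published indicators.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailEvent:
    """Subset of EmailEvents columns used by the query."""
    NetworkMessageId: str
    SenderFromAddress: str
    RecipientEmailAddress: str
    DeliveryAction: str
    Subject: str


@dataclass(frozen=True)
class PostDeliveryEvent:
    """Subset of EmailPostDeliveryEvents columns used by the query."""
    NetworkMessageId: str
    RecipientEmailAddress: str
    ActionType: str     # sample values below are constructed, not schema enums
    ActionResult: str


# Placeholder IOC list: substitute the sender addresses published by MSTIC.
MALICIOUS_SENDERS = [
    "organizer@example-conference.invalid",
    "secretariat@example-summit.invalid",
]

# Constructed sample rows.
EMAIL_EVENTS = [
    # Delivered from an IOC sender (note the different letter case), later zapped.
    EmailEvent("msg-001", "Organizer@example-conference.invalid",
               "alice@contoso.example", "Delivered", "Conference invitation"),
    # Delivered from an IOC sender, no post-delivery action yet.
    EmailEvent("msg-002", "secretariat@example-summit.invalid",
               "bob@contoso.example", "Delivered", "Agenda attached"),
    # Blocked at delivery, so excluded by the where clause.
    EmailEvent("msg-003", "secretariat@example-summit.invalid",
               "carol@contoso.example", "Blocked", "Agenda attached"),
    # Benign sender, excluded by the where clause.
    EmailEvent("msg-004", "newsletter@benign.example",
               "alice@contoso.example", "Delivered", "Weekly digest"),
]
POST_DELIVERY_EVENTS = [
    PostDeliveryEvent("msg-001", "alice@contoso.example", "ZAP", "Success"),
    PostDeliveryEvent("msg-004", "alice@contoso.example", "Manual remediation", "Success"),
]


def hunt(email_events, post_delivery_events, malicious_senders, kind="innerunique"):
    """Return (EmailEvent, PostDeliveryEvent-or-None) pairs.

    kind="innerunique" reproduces KQL's default join: one left row per key,
    and only rows that have a matching post-delivery event survive.
    kind="leftouter" also keeps delivered mail that has no post-delivery
    event (paired with None), i.e. the mail that is still in a mailbox.
    """
    senders = {s.lower() for s in malicious_senders}   # in~ is case-insensitive
    delivered = [e for e in email_events
                 if e.SenderFromAddress.lower() in senders
                 and e.DeliveryAction == "Delivered"]

    # Join keys are compared exactly, as KQL does for string columns.
    right = {}
    for p in post_delivery_events:
        right.setdefault((p.NetworkMessageId, p.RecipientEmailAddress), []).append(p)

    results = []
    seen_keys = set()
    for e in delivered:
        key = (e.NetworkMessageId, e.RecipientEmailAddress)
        if kind == "innerunique":
            if key in seen_keys:      # innerunique keeps the first left row per key
                continue
            seen_keys.add(key)
        matches = right.get(key, [])
        if matches:
            results.extend((e, p) for p in matches)
        elif kind == "leftouter":
            results.append((e, None))
    return results


def summarize(results):
    """Flatten join output into (NetworkMessageId, recipient, action) triples."""
    return [(e.NetworkMessageId, e.RecipientEmailAddress,
             p.ActionType if p is not None else "no post-delivery action")
            for e, p in results]


if __name__ == "__main__":
    for row in summarize(hunt(EMAIL_EVENTS, POST_DELIVERY_EVENTS,
                              MALICIOUS_SENDERS, kind="leftouter")):
        print(row)
```

With the sample rows, the default join returns only `msg-001` (delivered and later zapped); the `leftouter` variant also surfaces `msg-002`, which was delivered from an IOC sender and has had no remediation at all. In Sentinel the equivalent is `join kind=leftouter`, and the rows with an empty `ActionType` are the ones to prioritize for manual remediation.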
False-positive scenarios

- Scenario: Legitimate scheduled job for the conference registration system
  - Description: A scheduled job runs daily to process conference registrations using a legitimate script or tool, such as a PowerShell or Python script.
  - Filter/Exclusion: Exclude processes related to registration_script.py or Register-Conference.ps1 running from a known internal server or directory.
- Scenario: System administrator using Mimikatz for credential harvesting during routine maintenance
  - Description: An admin uses Mimikatz to extract credentials from memory during a scheduled maintenance task to audit or update a conference management system.
  - Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges and running from known administrative tools like Mimikatz during scheduled maintenance windows.
- Scenario: Legitimate use of PowerShell for automated email sending (e.g., event reminders)
  - Description: A PowerShell script sends automated email reminders for upcoming conference events.
  - Filter/Exclusion: Exclude processes using the Send-MailMessage cmdlet that are executed from a known internal script repository or by a trusted email service account.
- Scenario: Regular system update or patching task using SCCM or WSUS
  - Description: A system update task initiated by SCCM or WSUS is falsely flagged because it shares IOCs with the Phosphorus campaign.
  - Filter/Exclusion: Exclude processes initiated by the SCCM or WSUS service accounts and associated with known update packages or patching tasks.
- Scenario: Internal security team testing with a red team tool
  - Description: The internal security team uses a red team tool such as Cobalt Strike or Empire to simulate an attack and test defenses, which may trigger the same IOCs.
  - Filter/Exclusion: Exclude processes initiated by known security team members or from a designated test environment with specific IP ranges or user accounts.