Correlation of inbound emails carrying embedded links with subsequent user-driven browser navigation to suspicious or obfuscated domains. The detection chain is: malicious URL in an inbound email → user click recorded in Office 365 logs → the browser process spawning an unusual child process (e.g., PowerShell, cmd) or initiating a download.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Send/Receive: Inbound emails containing embedded or shortened URLs |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 (the Creator Process Name field identifies the browser parent; enable "Include command line in process creation events" so the child's command line is logged) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| SuspiciousTLDs | List of monitored top-level domains commonly abused in phishing (e.g., .xyz, .top, .tk). |
| URLShortenerDomains | Domains like bit.ly, tinyurl.com flagged for deeper expansion/inspection. |
| ClickToExecutionWindow | Time threshold between URL click and suspicious process execution. |
Detection of spearphishing links through mail logs and browser activity. The behavior chain is: email with suspicious URLs → user click recorded in mail or web-proxy logs → shell or interpreter launched as a child of the browser process.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | Application:Mail | Inbound emails containing hyperlinks from suspicious sources |
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of scripts or binaries spawned from browser processes (SYSCALL records carry the parent only as a ppid, so resolve it against the parent's own execve record or use a source that logs the parent image directly, such as Sysmon for Linux Event ID 1) |
| Network Traffic Flow (DC0078) | NSM:Flow | Outbound requests to domains not previously resolved or associated with phishing campaigns |

| Field | Description |
|---|---|
| MonitoredBrowsers | List of browser processes to monitor (e.g., firefox, chrome, chromium). |
| PhishingIndicators | Custom regex patterns for detecting obfuscated or IDN homograph URLs. |
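A URL triage routine for the SuspiciousTLDs, URLShortenerDomains and PhishingIndicators elements, serving both the Windows and Linux mutable elements above. This is an added example, not code from the page or from any vendor: the TLD and shortener lists, the indicator names, and the sample message body are constructed for illustration. It flags the obfuscation patterns the page names (abused TLDs, shorteners, punycode/IDN homograph hosts where one label mixes Unicode scripts) and, going slightly beyond the text, credential-style authorities (`user@host`) and IP or bare-decimal hosts.

```python
"""URL triage for the SuspiciousTLDs / URLShortenerDomains / PhishingIndicators elements.

Added example; lists and sample input are constructed, not taken from the page.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical tuning values; a deployment would load these from its own config.
SUSPICIOUS_TLDS = {"xyz", "top", "tk"}
URL_SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com"}

# Good-enough extractor for URLs in a plain-text body (stops at whitespace/quotes/brackets).
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def decode_host(host: str) -> str:
    """Convert A-labels (xn--...) to their Unicode form, one label at a time."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # undecodable label stays as-is; 'punycode_host' is still raised
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label
            if ch.isalpha() and unicodedata.name(ch, "")}


def classify_url(url: str) -> list:
    """Return indicator tags for one URL; an empty list means nothing notable."""
    tags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["unparseable_host"]
    # https://login.example.com@evil.xyz/ : the part before '@' is userinfo, not the host
    if parts.username is not None:
        tags.append("userinfo_in_authority")
    # Raw IP literal, or a bare decimal host (http://2130706433/) that browsers accept
    try:
        ipaddress.ip_address(host)
        tags.append("ip_literal_host")
    except ValueError:
        if host.isdigit():
            tags.append("numeric_host")
    if any(lbl.lower().startswith("xn--") for lbl in host.split(".")):
        tags.append("punycode_host")
    uhost = decode_host(host)
    if any(ord(ch) > 127 for ch in uhost):
        tags.append("idn_host")
    # Homograph check: letters from more than one script inside a single label
    if any(len(scripts_in(lbl)) > 1 for lbl in uhost.split(".")):
        tags.append("mixed_script_host")
    if uhost.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
        tags.append("suspicious_tld")
    lhost = uhost.lower()
    if any(lhost == d or lhost.endswith("." + d) for d in URL_SHORTENER_DOMAINS):
        tags.append("url_shortener")
    return tags


def scan_email_body(body: str) -> dict:
    """Map each URL in a message body that raises at least one indicator to its tags."""
    findings = {}
    for url in URL_RE.findall(body):
        tags = classify_url(url)
        if tags:
            findings[url] = tags
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_BODY = """Your mailbox is over quota. Review it at https://bit.ly/3abcDEF
or sign in directly at https://login.microsoft.com@account-verify.xyz/reset
Reference: http://xn--pple-43d.com/login (help: https://www.example.com/help)"""

if __name__ == "__main__":
    for url, tags in scan_email_body(SAMPLE_BODY).items():
        print(url, "->", ", ".join(tags))
```

The mixed-script check is deliberately per label rather than per host, because a legitimate IDN such as a single-script Cyrillic or Greek domain should not trip it; a host that decodes to `аpple.com` (Cyrillic а followed by Latin letters) does. Shortener hits only mark the URL for expansion, which this routine does not perform, so a second pass over the resolved destination is still needed.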
Correlation of Mail.app logs with Safari/Chrome activity. The suspicious behavior chain is: email links → Safari/Chrome accessing newly registered or lookalike domains → osascript or Terminal spawned unexpectedly as a child of the browser.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | Received messages with embedded or shortened URLs |
| Process Creation (DC0032) | macos:unifiedlog | Browser processes launching unexpected interpreters (osascript, bash) |
| Network Traffic Content (DC0085) | macos:unifiedlog | Connections to suspicious domains with mismatched certificate or unusual patterns |

| Field | Description |
|---|---|
| CertificateAnomalies | Flag self-signed or mismatched TLS certificates from spearphishing domains. |
| ExecutionDelayThreshold | Suspicious delay between URL click and malicious process spawn. |
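The click-to-execution correlation shared by the Windows, Linux and macOS chains above, as an added example that is not code from the page or from any product. It assumes the SIEM has already normalized the three platforms' mail, click and process-creation records (m365:unified / Application:Mail / macOS unified log mail events; Windows 4688 with Creator Process Name, auditd execve with a resolved parent, macOS unified-log process events) into the flat dict schema used below; the browser and interpreter lists, the window, and every event are constructed for this example. The window parameter plays the role of both ClickToExecutionWindow and ExecutionDelayThreshold.

```python
"""Correlate flagged inbound mail, the user's click, and a suspicious child of the browser.

Added example; event schema and all values are constructed, not taken from the page.
"""
from datetime import datetime, timedelta

# Hypothetical mutable-element values.
CLICK_TO_EXECUTION_WINDOW = timedelta(minutes=10)
MONITORED_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe",   # Windows
                      "firefox", "chrome", "chromium",            # Linux
                      "Safari", "Google Chrome"}                   # macOS
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                       "bash", "sh", "python3", "osascript"}


def ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the normalized events."""
    return datetime.fromisoformat(s)


# Constructed sample events, one normalized record shape per log source.
EMAILS = [  # Application Log Content; 'flagged' = URL hit a phishing indicator
    {"ts": "2024-05-06T09:00:00", "recipient": "alice", "url": "https://account-verify.xyz/reset", "flagged": True},
    {"ts": "2024-05-06T09:05:00", "recipient": "bob",   "url": "https://www.example.com/newsletter", "flagged": False},
    {"ts": "2024-05-06T09:50:00", "recipient": "carol", "url": "https://account-verify.xyz/reset", "flagged": True},
]
CLICKS = [  # URL click telemetry (Office click logs, mail or web proxy)
    {"ts": "2024-05-06T09:12:00", "user": "alice", "host": "WS-ALICE",  "url": "https://account-verify.xyz/reset"},
    {"ts": "2024-05-06T09:20:00", "user": "bob",   "host": "WS-BOB",    "url": "https://www.example.com/newsletter"},
    {"ts": "2024-05-06T10:00:00", "user": "carol", "host": "MBP-CAROL", "url": "https://account-verify.xyz/reset"},
]
PROCESSES = [  # Process Creation: 4688, auditd execve, macOS unified log
    {"ts": "2024-05-06T09:13:30", "user": "alice", "host": "WS-ALICE", "parent": "chrome.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-05-06T09:14:00", "user": "alice", "host": "WS-ALICE", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},                   # not a browser child
    {"ts": "2024-05-06T09:21:00", "user": "bob", "host": "WS-BOB", "parent": "chrome.exe",
     "image": "AcroRd32.exe", "cmdline": "AcroRd32.exe newsletter.pdf"},  # benign child
    {"ts": "2024-05-06T10:45:00", "user": "carol", "host": "MBP-CAROL", "parent": "Safari",
     "image": "osascript", "cmdline": "osascript -e 'display dialog 1'"},  # 45 min after click
]


def correlate(emails, clicks, processes, window=CLICK_TO_EXECUTION_WINDOW):
    """Return one alert per (flagged email -> click -> suspicious browser child) chain."""
    # Earliest delivery time of each flagged URL, per recipient.
    delivered = {}
    for e in emails:
        if e["flagged"]:
            key = (e["recipient"], e["url"])
            delivered[key] = min(ts(e["ts"]), delivered.get(key, ts(e["ts"])))
    alerts = []
    for c in clicks:
        click_t = ts(c["ts"])
        sent = delivered.get((c["user"], c["url"]))
        if sent is None or sent > click_t:
            continue  # no flagged mail with this URL reached this user before the click
        for p in processes:
            if (p["user"], p["host"]) != (c["user"], c["host"]):
                continue
            if p["parent"] not in MONITORED_BROWSERS or p["image"] not in SUSPICIOUS_CHILDREN:
                continue
            delay = ts(p["ts"]) - click_t
            if timedelta(0) <= delay <= window:
                alerts.append({"user": c["user"], "host": c["host"], "url": c["url"],
                               "parent": p["parent"], "child": p["image"],
                               "cmdline": p["cmdline"], "delay_s": int(delay.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EMAILS, CLICKS, PROCESSES):
        print(alert)
```

With the default 10-minute window only alice's chain alerts; carol's osascript launch 45 minutes after her click is dropped, which is the trade-off the ExecutionDelayThreshold element describes: a tight window keeps noise down but misses staged payloads, so it is worth running a second, wider window at lower severity. Matching on both user and host avoids pairing a click on one workstation with an interpreter launch on another.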
Detection of OAuth consent phishing or malicious login attempts initiated through spearphishing links. The behavior chain is: inbound email with an OAuth authorization URL → consent page visited → unusual token grants logged by the IdP. In Entra ID the interactive authentication appears in the sign-in logs, while the grant itself is recorded as a "Consent to application" event in the audit logs, so both sources are needed to reconstruct the full chain.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | azure:signinLogs | ConsentGrant: Suspicious consent grants to non-approved or unknown applications |

| Field | Description |
|---|---|
| AllowedApps | Allowlist of applications permitted to receive OAuth consent grants. |
| AnomalousConsentPatterns | Patterns of consent from unusual geographies, devices, or unapproved applications. |
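Scoring of consent-grant records against the AllowedApps and AnomalousConsentPatterns elements, as an added example that is not code from the page or from any IdP vendor. The event schema (app id, requested scopes, consent type, publisher verification, sign-in country, device state), the allowlist, the per-user country baselines and the sample grants are all constructed; a real pipeline would populate them from the IdP's consent-grant records, which in Entra ID is the "Consent to application" audit event joined to the preceding sign-in.

```python
"""Score OAuth consent grants against an app allowlist and anomalous-consent patterns.

Added example; the event schema, allowlist, baselines and events are constructed.
"""

# Hypothetical tuning values.
ALLOWED_APPS = {"app-0001-expense-portal", "app-0002-hr-suite"}        # AllowedApps
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",        # mailbox access
                    "Files.ReadWrite.All", "User.Read.All",            # data / tenant-wide
                    "offline_access"}                                  # refresh token = persistence
USER_BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"DE", "FR"}}       # from prior sign-ins

SEVERITY_ORDER = {"none": 0, "medium": 1, "high": 2}


def score_consent(event: dict) -> dict:
    """Return why a consent grant looks anomalous and a coarse severity."""
    reasons = []
    if event["app_id"] not in ALLOWED_APPS:
        reasons.append("app_not_allowlisted")
    if not event.get("publisher_verified", False):
        reasons.append("unverified_publisher")
    risky = sorted(set(event["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high_risk_scopes:" + ",".join(risky))
    if event.get("consent_type") == "AllPrincipals":
        reasons.append("tenant_wide_consent")  # an admin consented on behalf of every user
    baseline = USER_BASELINE_COUNTRIES.get(event["user"])
    if baseline and event["country"] not in baseline:
        reasons.append("unusual_geography")
    if not event.get("device_managed", False):
        reasons.append("unmanaged_device")
    if "app_not_allowlisted" in reasons and risky:
        severity = "high"    # unknown app asking for mailbox/data access: the consent-phishing shape
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"ts": event["ts"], "user": event["user"], "app_id": event["app_id"],
            "severity": severity, "reasons": reasons}


def triage(events, min_severity="medium") -> list:
    """Keep the grants at or above min_severity, highest severity first."""
    scored = [score_consent(e) for e in events]
    kept = [s for s in scored if SEVERITY_ORDER[s["severity"]] >= SEVERITY_ORDER[min_severity]]
    return sorted(kept, key=lambda s: SEVERITY_ORDER[s["severity"]], reverse=True)


# Constructed sample grants.
CONSENT_EVENTS = [
    {"ts": "2024-05-06T09:14:00", "user": "alice", "app_id": "app-7f3e-mail-sync-helper",
     "app_name": "Mail Sync Helper", "publisher_verified": False, "consent_type": "Principal",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read"],
     "country": "NG", "device_managed": False},
    {"ts": "2024-05-06T11:02:00", "user": "bob", "app_id": "app-0001-expense-portal",
     "app_name": "Expense Portal", "publisher_verified": True, "consent_type": "Principal",
     "scopes": ["User.Read"], "country": "DE", "device_managed": True},
    {"ts": "2024-05-06T12:30:00", "user": "bob", "app_id": "app-0002-hr-suite",
     "app_name": "HR Suite", "publisher_verified": True, "consent_type": "Principal",
     "scopes": ["User.Read"], "country": "BR", "device_managed": True},
]

if __name__ == "__main__":
    for hit in triage(CONSENT_EVENTS):
        print(hit["severity"], hit["user"], hit["app_id"], hit["reasons"])
```

The allowlist alone is not a sufficient signal: an approved app consented to from an unusual country is still worth a medium-severity ticket, while the high-severity case is specifically an unknown application requesting mailbox or tenant-wide scopes plus `offline_access`, since that combination gives the attacker a refresh token that survives the victim's password change.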