Phishing Email Compromise Detection Playbook
Introduction: The Need for Effective Phishing Email Compromise Detection Capabilities
Phishing remains one of the most prevalent and effective attack vectors used by cybercriminals to gain unauthorised access to enterprise environments. Attackers continuously refine their tactics, leveraging social engineering, credential harvesting, business email compromise (BEC), and malicious attachments or links to bypass traditional security controls. As email remains the primary communication tool for businesses, detecting phishing-based compromises is critical to preventing account takeovers, financial fraud, and data breaches.
Effective phishing email compromise detection capabilities and processes are essential to identifying and mitigating threats before they lead to widespread organisational impact. A robust detection strategy should include advanced email filtering, anomaly detection, behavioural analysis, and integration with threat intelligence feeds to recognise phishing indicators in real-time. Security solutions such as Security Email Gateways (SEGs), Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM) platforms enhance visibility into suspicious email activities, including unauthorised logins, unusual email forwarding rules, and abnormal communication patterns.
To combat phishing threats effectively, organisations must adopt a multi-layered defence approach that includes continuous monitoring, automated alerting, and user awareness training. By strengthening detection capabilities and response processes, security teams can proactively identify and neutralise phishing attacks before they escalate into full-scale security incidents, ensuring better protection for users, credentials, and sensitive business assets.
Table of Contents
Initial Detection of Phishing Activity
Identify Suspicious Emails
Detect Unusual URL Clicks
Advanced Network Traffic Analysis
Compromised Account Indicators
Multiple Login Failures
Logins from Unusual Locations
Suspicious Email Forwarding Rules
Malicious Payload Delivery
Identify Malicious Attachments
Detect Command Execution from Email Clients
Advanced Process Analysis
Threat Persistence
Unauthorised OAuth Application Approvals
Persistent Email Rules
Advanced Token Abuse Indicators
Incident Response and Containment
Isolate Compromised Accounts
Identify Indicators of Compromise (IoCs)
Incident Timeline Reconstruction
Conclusion
This playbook provides advanced KQL queries and techniques to assist in detecting and analysing phishing compromises across an enterprise. Each section includes multiple query options with detailed descriptions and expected results.
1. Initial Detection of Phishing Activity
Query Option 1: Identify Suspicious Emails
Description: Detects emails with suspicious subjects or domains commonly associated with phishing. Results include sender details and recipients.
Query Option 2: Detect Unusual URL Clicks
Description: Identifies users clicking on potentially malicious shortened URLs multiple times. Results highlight URLs and affected users.
Query Option 3: Advanced Network Traffic Analysis
Description: Flags devices connecting to suspicious login pages. Results include device details, URLs, and request counts.
2. Compromised Account Indicators
Query Option 1: Multiple Login Failures
Description: Detects accounts with repeated failed login attempts, indicating brute force or compromised credentials. Results highlight affected accounts.
Query Option 2: Logins from Unusual Locations
Description: Identifies accounts logging in from external or geographically unusual locations. Results display account details and geolocations.
Query Option 3: Suspicious Email Forwarding Rules
Description: Flags newly created email forwarding rules to external domains. Results include rule details and affected users.
3. Malicious Payload Delivery
Query Option 1: Identify Malicious Attachments
Description: Detects suspicious file types commonly used in phishing payloads. Results display filenames and sender details.
Query Option 2: Detect Command Execution from Email Clients
Description: Identifies processes executed from email clients, potentially indicating payload activation. Results include command details and originating processes.
Query Option 3: Advanced Process Analysis
Description: Flags suspicious commands executed on devices, often associated with phishing payloads. Results display commands and associated accounts.
4. Threat Persistence
Query Option 1: Unauthorized OAuth Application Approvals
Description: Detects unauthorized OAuth application approvals. Results include app names, account details, and approval statuses.
Query Option 2: Persistent Email Rules
Description: Identifies persistent forwarding rules created in compromised accounts. Results highlight rule details and associated accounts.
Query Option 3: Advanced Token Abuse Indicators
Description: Flags token-based logons for sensitive accounts, potentially indicating token abuse. Results include account details and logon types.
5. Incident Response and Containment
Query Option 1: Isolate Compromised Accounts
Description: Identifies recent activity from known compromised accounts. Results assist in containment efforts.
Query Option 2: Identify Indicators of Compromise (IoCs)
Description: Correlates IoCs with email and process activities. Results highlight impacted systems and files.
Query Option 3: Incident Timeline Reconstruction
Description: Combines multiple data sources to reconstruct a timeline of phishing-related activities. Results provide a holistic view of the incident.
6. Conclusion
The playbook offers a good approach to detecting and analysing compromises in an environment. However, its usefulness depends on the environment and tools at your disposal. For an environment where KQL is an option, the queries may require some adaptation to specific data sources and infrastructure setup.
Last updated