2024-10-31 // Dylan Evans
ScatteredSpider Domain Phishing Campaigns via Network, Email, and Teams Interactions
Defender XDR
Detects suspicious logins or actions triggered by phishing links to ScatteredSpider (SS) domains (e.g., ServiceDesk, Okta) across network connections, email delivery, SafeLinks clicks, and Microsoft Teams.
SS Domain Phishing Campaigns via Network, Email, and Teams Interactions
Overview
This detection identifies potential phishing campaigns targeting SS domains (e.g., -servicedesk, -okta) by analyzing suspicious logins or actions triggered through network connections, email delivery, SafeLinks clicks, and Microsoft Teams interactions. The query flags anomalous behavior where users interact with malicious URLs from these high-risk domains.
Query
```kql
let SSDomains = dynamic(["-servicedesk.", "-okta.", "-sso.", "-cms.", "-helpdesk.", "oktalogin-"]); // domains from https://www.cisa.gov/sites/default/files/2025-07/aa23-320a-scattered-spider_1.pdf
// Source 1: successful outbound connections to SS domain patterns
DeviceNetworkEvents
| where RemoteUrl has_any (SSDomains)
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, AccountUPN = InitiatingProcessAccountUpn, Url = RemoteUrl, ReportId
| extend Source = "Network"
// Source 2: delivered (not blocked) emails carrying SS domain URLs
| union (
    EmailUrlInfo
    | where Url has_any (SSDomains)
    | join EmailEvents on NetworkMessageId
    | where DeliveryAction != "Blocked"
    | project Timestamp, AccountUPN = RecipientEmailAddress, Url, ActionType = DeliveryAction, Source = "Email", EmailSubject = Subject, Sender = SenderFromAddress
)
// Source 3: SafeLinks clicks that were allowed through
| union (
    UrlClickEvents
    | where Url has_any (SSDomains)
    | where ActionType == "ClickAllowed"
    | project Timestamp, AccountUPN = AccountUpn, Url, ActionType, Source = "SafeLinks"
)
// Source 4: Teams messages containing SS domain URLs, one row per recipient
| union (
    MessageEvents
    | join kind=inner (
        MessageUrlInfo
        | where UrlDomain has_any (SSDomains)
    ) on TeamsMessageId
    | extend ParsedRecipients = parse_json(RecipientDetails)
    | mv-expand Recipient = ParsedRecipients
    | extend AccountUPN = tostring(Recipient.RecipientSmtpAddress)
    | project Timestamp, AccountUPN, Sender = SenderEmailAddress, TeamsThreadName = ThreadName, Url, Source = "Teams"
)
```
Logic Explanation
The query detects suspicious interactions with SS domains by:
- Network Connections – Filters `DeviceNetworkEvents` for successful connections (`ActionType == "ConnectionSuccess"`) to URLs containing SS domain patterns.
- Email Delivery – Joins `EmailUrlInfo` (phishing URL metadata) with `EmailEvents` (delivery logs), excluding blocked deliveries, and extracts recipient UPNs from phishy emails.
- SafeLinks Clicks – Captures clicks on allowed URLs (`ActionType == "ClickAllowed"`) matching SS domains.
- Microsoft Teams Messages – Joins `MessageUrlInfo` with `MessageEvents`, parsing recipient details (e.g., UPNs) from Teams threads containing phishing links.
Tuning Notes
- False Positives: Legitimate users accessing internal SS services (e.g., `-servicedesk`) may trigger false positives. Consider excluding trusted domains or refining the `SSDomains` list.
  - Suggestion: Add a whitelist of non-phishing SS domains (e.g., `okta.com`, `service-desk.internal`).
- False Positives: SafeLinks clicks on legitimate URLs (e.g., internal helpdesk portals) may appear as phishing. Adjust the `ActionType == "ClickAllowed"` filter if needed.
  - Suggestion: Cross-reference with `SafeLinkEvents` to verify URL reputation.
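As an added offline illustration (not part of the original rule), the following Python reproduces the query's per-source filters and SS-domain matching over constructed events, restricting the pattern match to the URL host and honouring the trusted-domain whitelist suggested above. `TRUSTED_HOSTS`, the helper names and the sample events are assumptions, not values from the rule.

```python
from urllib.parse import urlparse

# Patterns from the query (CISA AA23-320A), matched against the URL host only.
SS_PATTERNS = ["-servicedesk.", "-okta.", "-sso.", "-cms.", "-helpdesk.", "oktalogin-"]
# Constructed allow-list of trusted hosts (Tuning Notes suggestion; hypothetical values).
TRUSTED_HOSTS = {"okta.com", "service-desk.internal"}

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if unparsable); scheme-less URLs are tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def is_trusted(host: str) -> bool:
    """True when host equals, or is a subdomain of, an allow-listed host."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def matches_ss(url: str) -> bool:
    """Host-only, allow-list-aware version of `Url has_any (SSDomains)`."""
    host = host_of(url)
    return bool(host) and not is_trusted(host) and any(p in host for p in SS_PATTERNS)

def passes_source_filter(e: dict) -> bool:
    """Per-source filters from the query: successful, delivered, or allowed."""
    src = e["Source"]
    if src == "Network":
        return e.get("ActionType") == "ConnectionSuccess"
    if src == "Email":
        return e.get("DeliveryAction") != "Blocked"
    if src == "SafeLinks":
        return e.get("ActionType") == "ClickAllowed"
    return src == "Teams"  # Teams rows carry no action filter in the query

def normalize(events: list) -> list:
    """Unify events into the query's shared columns: Timestamp, AccountUPN, Url, Source."""
    return [{k: e[k] for k in ("Timestamp", "AccountUPN", "Url", "Source")}
            for e in events if passes_source_filter(e) and matches_ss(e["Url"])]

# Constructed sample events, one per source (not real telemetry).
SAMPLE_EVENTS = [
    {"Source": "Network", "Timestamp": "2024-10-30T09:01Z", "AccountUPN": "a@example.com",
     "Url": "https://example-servicedesk.com/login", "ActionType": "ConnectionSuccess"},
    {"Source": "Email", "Timestamp": "2024-10-30T09:02Z", "AccountUPN": "b@example.com",
     "Url": "https://example-okta.net/", "DeliveryAction": "Blocked"},
    {"Source": "SafeLinks", "Timestamp": "2024-10-30T09:03Z", "AccountUPN": "c@example.com",
     "Url": "https://example.okta.com/app", "ActionType": "ClickAllowed"},
    {"Source": "Teams", "Timestamp": "2024-10-30T09:04Z", "AccountUPN": "d@example.com",
     "Url": "https://oktalogin-example.com/"},
]
```

Running `normalize(SAMPLE_EVENTS)` keeps only the Network and Teams rows: the blocked email and the click on a whitelisted Okta host are dropped, which is the behaviour the tuning suggestions aim for.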
References
- CISA AA23-320A: Scattered Spider Phishing Campaign (SS domain patterns).