
2024-10-31 // Dylan Evans

ScatteredSpider Domain Phishing Campaigns via Network, Email, and Teams Interactions

Defender XDR

Detects suspicious logins or actions triggered by phishing links to ScatteredSpider (SS) domains (e.g., ServiceDesk, Okta) across network connections, email delivery, SafeLinks clicks, and Microsoft Teams.

phishing, authentication-abuse, lateral-movement-risk

SS Domain Phishing Campaigns via Network, Email, and Teams Interactions

Overview

This detection identifies potential phishing campaigns that use SS domain patterns (e.g., -servicedesk, -okta) by analyzing suspicious logins or actions triggered through network connections, email delivery, SafeLinks clicks, and Microsoft Teams interactions. The query flags anomalous behavior where users interact with malicious URLs on these high-risk domains.

Query

let SSDomains = dynamic(["-servicedesk.", "-okta.", "-sso.", "-cms.", "-helpdesk.", "oktalogin-"]); // domains from https://www.cisa.gov/sites/default/files/2025-07/aa23-320a-scattered-spider_1.pdf
// 1. Network: successful device connections to URLs matching an SS pattern
DeviceNetworkEvents
| where RemoteUrl has_any (SSDomains)
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, AccountUPN = InitiatingProcessAccountUpn, Url = RemoteUrl, ReportId
| extend Source = "Network"
// 2. Email: matching URLs in messages that were not blocked, joined to delivery metadata
| union (
    EmailUrlInfo
    | where Url has_any (SSDomains)
    | join EmailEvents on NetworkMessageId
    | where DeliveryAction != "Blocked"
    | project Timestamp, AccountUPN = RecipientEmailAddress, Url, ActionType = DeliveryAction, Source = "Email", EmailSubject = Subject, Sender = SenderFromAddress
)
// 3. SafeLinks: clicks on matching URLs that were allowed through
| union (
    UrlClickEvents
    | where Url has_any (SSDomains)
    | where ActionType == "ClickAllowed"
    | project Timestamp, AccountUPN = AccountUpn, Url, ActionType, Source = "SafeLinks"
)
// 4. Teams: messages carrying a matching URL, expanded to one row per recipient
| union (
    MessageEvents
    | join kind=inner (
        MessageUrlInfo
        | where UrlDomain has_any (SSDomains)
    ) on TeamsMessageId
    | extend ParsedRecipients = parse_json(RecipientDetails)
    | mv-expand Recipient = ParsedRecipients
    | extend AccountUPN = tostring(Recipient.RecipientSmtpAddress)
    | project Timestamp, AccountUPN, Sender = SenderEmailAddress, TeamsThreadName = ThreadName, Url, Source = "Teams"
)

Logic Explanation

The query detects suspicious interactions with SS domains by:

  1. Network Connections – Filters DeviceNetworkEvents for successful connections (ActionType == "ConnectionSuccess") to URLs containing SS domain patterns.
  2. Email Delivery – Joins EmailUrlInfo (phishing URL metadata) with EmailEvents (delivery logs), excluding blocked deliveries, and extracts recipient UPNs from the phishing emails.
  3. SafeLinks Clicks – Captures clicks on allowed URLs (ActionType == "ClickAllowed") matching SS domains.
  4. Microsoft Teams Messages – Joins MessageUrlInfo with MessageEvents, parsing recipient details (e.g., UPNs) from Teams threads containing phishing links.

Tuning Notes

  • False Positives: Legitimate users accessing internal SS-style services (e.g., -servicedesk) may trigger false positives. Consider excluding trusted domains or refining the SSDomains list.
    • Suggestion: Add a whitelist of non-phishing SS-style domains (e.g., okta.com, service-desk.internal).
  • False Positives: SafeLinks clicks on legitimate URLs (e.g., internal helpdesk portals) may appear as phishing. Adjust the ActionType == "ClickAllowed" filter if needed.
    • Suggestion: Cross-reference with SafeLinkEvents to verify URL reputation.
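The following is an added, offline model of the four-source logic above together with the trusted-domain allowlist suggested in the tuning notes; it is not part of the original detection. It assumes constructed sample events whose keys mirror the query's projected columns, approximates KQL has_any as a substring test, and applies the hypothetical allowlist to the parsed host (so a lookalike such as fake-okta.com is not excused by an okta.com entry).

```python
from urllib.parse import urlsplit

# Patterns copied from the page's SSDomains list.
SS_DOMAINS = ["-servicedesk.", "-okta.", "-sso.", "-cms.", "-helpdesk.", "oktalogin-"]
# Hypothetical allowlist from the tuning note; matched on the parsed host, not the raw URL.
TRUSTED_HOSTS = {"okta.com", "service-desk.internal"}

def host_of(url: str) -> str:
    # Lower-cased hostname; a bare host without a scheme is accepted too.
    return (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()

def is_trusted(host: str) -> bool:
    # Exact allowlisted host or any subdomain of one; never a mere substring match.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def matches_ss(url: str) -> bool:
    # Approximates KQL has_any as a case-insensitive substring test over the URL.
    u = url.lower()
    return any(p in u for p in SS_DOMAINS)

def detect(events: list[dict]) -> list[tuple]:
    # Per-source gates mirror the query's where clauses, then pattern match, then allowlist.
    hits = []
    for e in events:
        src = e["Source"]
        if src == "Network" and e.get("ActionType") != "ConnectionSuccess":
            continue
        if src == "Email" and e.get("DeliveryAction") == "Blocked":
            continue
        if src == "SafeLinks" and e.get("ActionType") != "ClickAllowed":
            continue
        if matches_ss(e["Url"]) and not is_trusted(host_of(e["Url"])):
            hits.append((e["Timestamp"], e["AccountUPN"], e["Url"], src))
    return hits

# Constructed sample events, not real telemetry; one row per source plus gated-out cases.
T = "2024-10-31T09:00:00Z"
SAMPLE_EVENTS = [
    {"Source": "Network", "Timestamp": T, "AccountUPN": "alice@example.com", "ActionType": "ConnectionSuccess", "Url": "https://contoso-servicedesk.com/login"},  # fires
    {"Source": "Network", "Timestamp": T, "AccountUPN": "bob@example.com", "ActionType": "ConnectionFailed", "Url": "https://contoso-okta.com/"},  # gated out
    {"Source": "Email", "Timestamp": T, "AccountUPN": "carol@example.com", "DeliveryAction": "Delivered", "Url": "https://oktalogin-contoso.net/"},  # fires
    {"Source": "Email", "Timestamp": T, "AccountUPN": "dave@example.com", "DeliveryAction": "Blocked", "Url": "https://contoso-sso.com/"},  # gated out
    {"Source": "SafeLinks", "Timestamp": T, "AccountUPN": "erin@example.com", "ActionType": "ClickAllowed", "Url": "https://it-helpdesk.service-desk.internal/ticket"},  # pattern hit, allowlisted
    {"Source": "Teams", "Timestamp": T, "AccountUPN": "frank@example.com", "Url": "https://contoso-cms.example/"},  # fires
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```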

References