APT10 (also tracked as MenuPass) delivers malicious payloads through phishing emails sent from compromised accounts, using social engineering to trick recipients into opening malicious attachments or links. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain early-stage APT10 campaigns before they progress to lateral movement or data exfiltration.
YARA Rule
import "hash"   // required: the condition below calls hash.md5()

rule Maldoc_APT10_MenuPass {
    meta:
        description = "Detects APT10 MenuPass Phishing"
        author = "Colin Cowie"
        reference = "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
        date = "2018-09-13"
    strings:
        // Dropped-file paths written by the maldoc; "\\" is one literal backslash
        $s1 = "C:\\ProgramData\\padre1.txt"
        $s2 = "C:\\ProgramData\\padre2.txt"
        $s3 = "C:\\ProgramData\\padre3.txt"
        $s5 = "C:\\ProgramData\\libcurl.txt"
        $s6 = "C:\\ProgramData\\3F2E3AB9"
    condition:
        // Fire on any one indicator string, or on a whole-file MD5 match
        any of them or
        hash.md5(0, filesize) == "4f83c01e8f7507d23c67ab085bf79e97" or
        hash.md5(0, filesize) == "f188936d2c8423cf064d6b8160769f21" or
        hash.md5(0, filesize) == "cca227f70a64e1e7fcf5bccdc6cc25dd"
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
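To show exactly what the rule's condition evaluates, here is an added Python re-implementation of its logic (not part of the original page or the rule author's tooling). It copies the five strings and three MD5 hashes from the rule above and runs them over two constructed, non-malicious byte samples; it assumes no real malware and no yara-python installation.

```python
import hashlib

# Strings and hashes copied from the Maldoc_APT10_MenuPass rule on this page.
# In YARA source "\\" is one literal backslash, so the bytes actually searched
# are e.g. C:\ProgramData\padre1.txt; the Python literals below encode the same.
RULE_STRINGS = {
    "$s1": b"C:\\ProgramData\\padre1.txt",
    "$s2": b"C:\\ProgramData\\padre2.txt",
    "$s3": b"C:\\ProgramData\\padre3.txt",
    "$s5": b"C:\\ProgramData\\libcurl.txt",
    "$s6": b"C:\\ProgramData\\3F2E3AB9",
}
RULE_MD5S = {
    "4f83c01e8f7507d23c67ab085bf79e97",
    "f188936d2c8423cf064d6b8160769f21",
    "cca227f70a64e1e7fcf5bccdc6cc25dd",
}


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule condition against a file's raw bytes.

    Mirrors `any of them or hash.md5(0, filesize) == ...`: the rule fires if
    at least one indicator string occurs anywhere in the file, or if the MD5
    of the entire file equals one of the listed hashes.
    """
    matched = [name for name, pat in RULE_STRINGS.items() if pat in data]
    digest = hashlib.md5(data).hexdigest()
    return {
        "matched_strings": matched,
        "md5": digest,
        "hash_match": digest in RULE_MD5S,
        "fires": bool(matched) or digest in RULE_MD5S,
    }


# Constructed samples (not real files): one embeds two of the dropped-file
# paths the rule looks for, the other is an unremarkable document.
SUSPECT_SAMPLE = (b"macro body ... writes C:\\ProgramData\\padre2.txt "
                  b"then C:\\ProgramData\\libcurl.txt")
BENIGN_SAMPLE = b"%PDF-1.4 quarterly report, no indicators here"

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, evaluate_rule(sample))
```

Because the condition is a plain OR, a single path string anywhere in a file is enough to fire; the hash clauses only add coverage for the three known samples and never suppress a string hit.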
Scenario: System Administrator Sends Phishing Email for User Training
Description: A sysadmin sends a simulated phishing email to users as part of a security awareness training exercise, using a legitimate email tool such as Microsoft Outlook or SendGrid.
Filter/Exclusion: Exclude emails sent from known admin addresses or domains used for internal training, e.g., training@company.com or security-awareness@company.com.
Scenario: Scheduled Job Sends Test Emails for Email Server Validation
Description: A scheduled job on a mail system such as Postfix, or an Exchange transport agent, sends test emails to verify mail server configuration or to monitor delivery.
Filter/Exclusion: Exclude emails sent from known internal mail servers or during scheduled maintenance windows, e.g., test-email@company.com or job-id-12345@company.com.
Scenario: IT Helpdesk Sends Phishing-Like Emails for Password Reset
Description: The IT helpdesk uses a legitimate password reset tool such as Microsoft Azure AD Password Reset or Okta to send emails that resemble phishing attempts for user verification.
Filter/Exclusion: Exclude emails sent from known helpdesk addresses or those containing valid password reset links with user-specific tokens.
Scenario: Database Backup Script Sends Notification Emails
Description: A backup script for a database such as MySQL or SQL Server sends email notifications to the DBA team via SMTP or Sendmail.
Filter/Exclusion: Exclude emails sent from known backup or monitoring addresses, e.g., backup-notifications@company.com or dba-team@company.com.
Scenario: User Receives Legitimate Email with Suspicious Subject Line
Description: A user receives a legitimate email from a trusted vendor or partner with a subject line that includes suspicious keywords (