Threat actor Phosphorus is using compromised email accounts of conference organizers to send phishing emails with malicious attachments, leveraging social engineering to target attendees. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate Phosphorus campaign activity early, preventing potential data exfiltration and lateral movement.
KQL Query
//Filter for emails that were delivered check the FinalEmailAction to see if there was policy applied on this email
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",
"munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
id: 32f927f2-b1f3-441b-8885-bd66404e091d
name: Threat actor Phosphorus masquerading as conference organizers (1)
description: |
Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC.
Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- Initial access
query: |
//Filter for emails that were delivered check the FinalEmailAction to see if there was policy applied on this email
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",
"munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders) and DeliveryAction == "Delivered"
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job for Conference Registration
Description: A system administrator schedules a recurring job using PowerShell to automate the registration of attendees for an internal conference. The script uses PowerShell cmdlets like Import-Csv and Send-MailMessage to process registration data and send confirmation emails.
Filter/Exclusion: Exclude any PowerShell scripts that use Import-Csv with a known internal CSV file path or Send-MailMessage to an internal email server.
Scenario: Admin Task for Conference Room Setup
Description: An IT admin uses PowerShell to configure conference room devices, such as setting up Zoom or Microsoft Teams meetings. The script may include commands like Set-Team or New-Team, which are commonly used in legitimate admin tasks.
Filter/Exclusion: Exclude PowerShell scripts that interact with Microsoft Teams or Zoom APIs and are executed from known admin user accounts.
Scenario: Email Campaign for Conference Reminder
Description: A marketing team sends out a bulk email using Exchange Online or Outlook to remind employees about an upcoming conference. The email may contain links to registration pages or agendas.
Filter/Exclusion: Exclude emails sent from known marketing or HR email domains, or emails that contain internal links to conference agendas or registration portals.
Scenario: System Update for Conference Tools
Description: A system update is deployed using Windows Update or Group Policy to install a new version of a conferencing tool like Zoom or Teams. The update process may involve downloading files from Microsoft’s public servers.
Filter/Exclusion: Exclude file downloads from Microsoft’s public update servers or from known internal update repositories.
Scenario: File Sync for Conference Materials
Description: A user sync