The threat actor Phosphorus has been observed sending email from attacker-controlled accounts that impersonate conference organizers, delivering malicious attachments or links to prospective attendees. SOC teams should hunt for this activity in Azure Sentinel, using the sender-address IOCs published by MSTIC, to find credential-theft and phishing attempts associated with this advanced persistent threat and scope who received them.
KQL Query
// All emails from the threat actor Phosphorus, masquerading as conference organizers, based on the IOCs shared
// by Microsoft's Threat Intelligence Center in: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com",
    "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
EmailEvents
| where SenderFromAddress in~ (MaliciousSenders)
id: 95510f90-597c-407e-bbe6-0e0319b456b0
name: Threat actor Phosphorus masquerading as conference organizers
description: |
  Identify prior activity from this campaign using IOCs shared by Microsoft's Threat Intelligence Center, or MSTIC.
  Read more: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
query: |
  // All emails from the threat actor Phosphorus, masquerading as conference organizers, based on the IOCs shared
  // by Microsoft's Threat Intelligence Center in: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
  let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com",
      "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
  EmailEvents
  | where SenderFromAddress in~ (MaliciousSenders)
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the MicrosoftThreatProtection data connector is enabled and ingesting this table |
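The hunting query above answers only whether any of the six IOC addresses ever sent mail into the tenant. The following is an added example, not part of the original hunting query or of MSTIC's publication: it keeps the same IOC list, additionally checks the envelope (P1) sender in case it differs from the header (P2) sender, and pivots each hit to the recipient, delivery outcome, embedded URLs and attachments so the analyst can scope exposure. It assumes the EmailUrlInfo and EmailAttachmentInfo tables are ingested alongside EmailEvents by the same connector (the rule's YAML lists only EmailEvents) and a 90-day lookback, both of which should be adjusted to the workspace.

```kql
// Added example: scope exposure from the Phosphorus sender IOCs (not the original query).
let MaliciousSenders = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com",
    "munichconference@outlook.com", "munichconference@outlook.de", "munichconference1962@gmail.com"]);
let Matched = EmailEvents
    | where Timestamp > ago(90d)   // assumed lookback; widen to cover the campaign window you care about
    // in~ is case-insensitive. SenderMailFromAddress is the envelope (P1) sender, which can differ
    // from the header (P2) sender the original query checks.
    | where SenderFromAddress in~ (MaliciousSenders)
        or SenderMailFromAddress in~ (MaliciousSenders);
Matched
// EmailUrlInfo and EmailAttachmentInfo are assumed to be ingested; left outer joins keep hits with no URL or attachment.
| join kind=leftouter (EmailUrlInfo | project NetworkMessageId, Url, UrlDomain) on NetworkMessageId
| join kind=leftouter (EmailAttachmentInfo | project NetworkMessageId, FileName, SHA256) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderMailFromAddress, SenderDisplayName,
    RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, UrlDomain, Url, FileName, SHA256
| order by Timestamp desc
```

Rows whose DeliveryAction is "Delivered" (or whose DeliveryLocation is an inbox rather than quarantine or junk) identify recipients who could actually have opened the lure; those mailboxes, and any UrlDomain or SHA256 values surfaced, are the next pivots into sign-in logs and endpoint telemetry. Adding `| summarize dcount(RecipientEmailAddress) by DeliveryAction` at the end gives a quick count of exposed users.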
The query above matches only the six listed sender addresses, so none of the scenarios below will trigger it as written; they apply only if the hunt is broadened beyond exact sender-address matching (for example to subject or display-name patterns).

Scenario: Legitimate scheduled job for the conference registration system
Description: A scheduled job runs daily to process conference registrations using a legitimate PowerShell or Python script.
Filter/Exclusion: Exclude processes associated with the known registration scripts or tools used by the event management system (e.g., register_conference.ps1, event_registration.py).

Scenario: Admin task to send out conference reminder emails
Description: An administrator uses a legitimate bulk-email service such as SendGrid or Mailchimp to send reminder emails to registered attendees.
Filter/Exclusion: Exclude mail from known legitimate sending services or internal mail servers (e.g., sendgrid.com, mail.example.com); in EmailEvents this is a filter on SenderFromDomain or SenderMailFromDomain.

Scenario: System update or patching activity for conference-related software
Description: A system update or patching process is initiated using Windows Update, WSUS, or Chocolatey to keep conference software up to date.
Filter/Exclusion: Exclude processes related to known update mechanisms or patching tools (e.g., wusa.exe, choco, wsusutil.exe).

Scenario: Data export for conference analytics using a reporting tool
Description: A reporting tool such as Power BI, Tableau, or SQL Server Reporting Services is used to export data for conference analytics.
Filter/Exclusion: Exclude processes associated with known reporting tools or data export activities (e.g., PowerBI.exe, tabcmd, rs.exe).

Scenario: Legitimate user accessing conference materials via a shared drive
Description: A user accesses conference materials stored on a shared drive using Windows File Explorer or OneDrive.
Filter/Exclusion: Exclude file access events from known shared drives