Phishing Campaign Scope and Credential Exposure


Analyze the full scope of the phishing campaign to determine which users were compromised, what data or systems were accessed with stolen credentials, and whether the attacker established persistence.

Actions

  1. Correlate email delivery data with URL click data and sign-in logs to build a complete interaction chain: delivered → clicked → credential entered → successful sign-in from attacker IP
  2. For each confirmed-compromised user, map all post-compromise activity: emails read/sent, files accessed, applications used, and admin actions performed using the stolen credentials
  3. Analyze whether the attacker used compromised accounts to send internal phishing emails (lateral phishing): search for emails sent from compromised accounts with suspicious URLs or attachments
  4. Check for persistence mechanisms planted by the attacker: inbox rules forwarding email externally, OAuth app consent grants, new MFA methods registered, and Azure AD role escalation
  5. Determine the credential harvesting infrastructure: analyze the phishing kit, identify the drop email/server where credentials were sent, and check if harvested credentials have appeared on dark web markets
  6. Assess data exposure: identify all emails, documents, and data accessible to compromised accounts and determine if any sensitive/regulated data was accessed or exfiltrated

Queries

// KQL -- Full phishing interaction chain analysis
let delivered = EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>" and Subject has "<SUBJECT>"
| project RecipientEmailAddress, DeliveryTime=Timestamp;
let clicked = UrlClickEvents
| where Url has "<PHISHING_DOMAIN>"
| project AccountUpn, ClickTime=Timestamp, IsClickedThrough;
let compromised = SigninLogs
| where IPAddress in ("<ATTACKER_IPS>")
| where ResultType == "0"
| project UserPrincipalName, LoginTime=TimeGenerated, IPAddress, AppDisplayName;
delivered
| join kind=leftouter (clicked) on $left.RecipientEmailAddress == $right.AccountUpn
| join kind=leftouter (compromised) on $left.RecipientEmailAddress == $right.UserPrincipalName
| project RecipientEmailAddress, DeliveryTime, ClickTime, IsClickedThrough, LoginTime, IPAddress, AppDisplayName

// KQL -- Post-compromise activity by compromised users
let compromised_users = dynamic(["<USER1>","<USER2>"]);
let attacker_ips = dynamic(["<IP1>","<IP2>"]);
OfficeActivity
| where UserId in (compromised_users)
| where ClientIP in (attacker_ips)
| summarize Actions=count(), UniqueOps=dcount(Operation), Operations=make_set(Operation) by UserId, ClientIP, bin(TimeGenerated, 1h)
| sort by TimeGenerated asc

// KQL -- Lateral phishing detection (compromised accounts sending phishing)
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromAddress in ("<COMPROMISED_USER_1>","<COMPROMISED_USER_2>")
| where DeliveryAction == "Delivered"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, UrlCount, AttachmentCount
| sort by Timestamp desc
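Action 4 lists the persistence mechanisms to check but the page carries no query for them. The following is an added KQL example, not part of the original playbook, that runs the four checks against Sentinel's OfficeActivity and AuditLogs tables and unions the hits into one timeline; the user placeholders and the 30-day lookback are assumptions.

```kql
// KQL -- Persistence checks for compromised accounts (added example)
// Placeholders and lookback window are assumptions; adjust per incident.
let compromised_users = dynamic(["<USER1>","<USER2>"]);
let lookback = 30d;
// 1. Inbox rules that forward, redirect, or silently delete mail
let inbox_rules = OfficeActivity
| where TimeGenerated > ago(lookback)
| where UserId in~ (compromised_users)
| where Operation in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
| where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage")
| project TimeGenerated, UserId, ClientIP, Check="InboxRule", Detail=tostring(Parameters);
// 2. OAuth application consent grants made by the compromised user
let oauth_consents = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Consent to application"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where Actor in~ (compromised_users)
| project TimeGenerated, UserId=Actor, ClientIP=tostring(InitiatedBy.user.ipAddress),
          Check="OAuthConsent", Detail=tostring(TargetResources[0].displayName);
// 3. New MFA / security-info registrations (attacker adding their own method)
let mfa_changes = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has "security info"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where Actor in~ (compromised_users)
| project TimeGenerated, UserId=Actor, ClientIP=tostring(InitiatedBy.user.ipAddress),
          Check="MfaRegistration", Detail=OperationName;
// 4. Directory role additions where the compromised account is the target
let role_changes = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Add member to role"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where Target in~ (compromised_users)
| project TimeGenerated, UserId=Target, ClientIP=tostring(InitiatedBy.user.ipAddress),
          Check="RoleAdded", Detail=tostring(TargetResources[0].modifiedProperties);
// Single timeline: any row here is a persistence candidate to revoke/remove
union inbox_rules, oauth_consents, mfa_changes, role_changes
| sort by TimeGenerated asc
```

Rows whose ClientIP matches the attacker IPs from the chain query above are the strongest persistence indicators; consent grants and MFA registrations from unfamiliar IPs should be revoked before the password reset is considered complete.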

Notes

  • Lateral phishing (using compromised internal accounts to phish other employees) is highly effective because the emails come from trusted senders and bypass external email filtering
  • OAuth consent grants are a critical persistence check: an attacker with Mail.Read permission via an OAuth app retains access even after password reset
  • The true scope of credential compromise may be larger than email interactions: check for password reuse across other platforms using credential monitoring services