11.9 Campaign Tracking Across Waves

4-6 hours · Module 11

Campaign Tracking Across Waves

A single compromised account may be an isolated phishing success. Five waves over 72 hours is a campaign. This subsection teaches you to correlate infrastructure, TTPs, and timing across attack waves to build the complete campaign picture.

Identifying Wave 2: internal phishing from compromised accounts

The attacker uses j.morrison’s compromised mailbox to send phishing emails to internal users. These emails bypass Safe Links and Safe Attachments because they originate from a trusted internal sender.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
// Internal phishing — emails sent from compromised account to internal recipients
EmailEvents
| where TimeGenerated > datetime(2026-02-27T12:00:00Z)
| where SenderFromAddress == "j.morrison@northgateeng.com"
| where RecipientEmailAddress endswith "@northgateeng.com"
| where DeliveryAction == "Delivered"
| join kind=inner (
    EmailUrlInfo
    | where TimeGenerated > datetime(2026-02-27T12:00:00Z)
) on NetworkMessageId
| where UrlDomain !in ("northgateeng.com", "microsoft.com", "office.com", "sharepoint.com")
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain
| order by TimeGenerated asc

What to look for: Emails from the compromised account containing URLs to domains that are NOT legitimate Microsoft or corporate domains. The subject line may mimic the original phishing campaign or use a new pretext.

Investigation decision point: If the attacker sent internal phishing: this is a campaign, not an isolated compromise. Every recipient is now a potential victim. Run the scoping queries from 11.3 for the new phishing domain(s). Check UrlClickEvents for clicks. Check SigninLogs for compromises.

Correlating attacker infrastructure across waves

Campaigns use multiple domains and IPs. Correlate them to build the infrastructure map.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
// All attacker infrastructure — domains and IPs used across the campaign
let AttackerIPs = SigninLogs
| where TimeGenerated > datetime(2026-02-26T09:00:00Z)
| where UserPrincipalName in ("j.morrison@northgateeng.com",
    "s.chen@northgateeng.com", "a.patel@northgateeng.com")
| where IPAddress !in ("192.0.2.10", "192.0.2.15")  // Exclude known corporate
| distinct IPAddress;
let PhishingDomains = EmailUrlInfo
| where TimeGenerated > datetime(2026-02-26T09:00:00Z)
| where UrlDomain has_any ("secure-portal-verify", "login-microsoftonline", "sharepoint-secure")
| distinct UrlDomain;
print AttackerIPs = toscalar(AttackerIPs | summarize make_set(IPAddress)),
    PhishingDomains = toscalar(PhishingDomains | summarize make_set(UrlDomain))

Build the campaign infrastructure table:

Wave	Date	Phishing Domain	Attacker IP(s)	Compromised Users
1	27 Feb 08:45	secure-portal-verify.com	203.0.113.47	j.morrison
2	27 Feb 14:00	microsoftonline-auth.com	203.0.113.47, 203.0.113.52	s.chen, a.patel
3	28 Feb 03:00	(no new phishing — persistence)	203.0.113.52	s.chen, a.patel (existing)
4	28 Feb 09:00	sharepoint-secure-docs.com	203.0.113.89	r.williams, m.thompson, + 1
5	28 Feb 16:00	(no new phishing — BEC attempt)	203.0.113.52	a.patel (BEC from existing compromise)

This table is a critical artifact in the IR report (11.11) and drives the hardening recommendations (11.12).

Subsection artifact: The campaign infrastructure correlation queries and the campaign infrastructure table template. These form the campaign tracking section of your AiTM investigation playbook.

Knowledge check

Check your understanding

1. Wave 2 emails were sent from j.morrison's compromised mailbox to internal users. Why might these emails bypass Safe Links?

Internal emails are treated as trusted by default. Safe Links evaluates external email URLs more aggressively than internal ones. An email from j.morrison@northgateeng.com to colleagues is from a trusted internal sender — the URL may not be scanned with the same rigour as an external email, or the Safe Links policy may not apply to internal-to-internal email (depending on policy configuration). This is why internal phishing from compromised accounts is so effective.

Safe Links was disabled

The URLs were different from Wave 1

Internal emails are never scanned

Internal sender trust + potentially weaker Safe Links policy for internal email. This is why compromised internal accounts are such effective phishing vectors.

← 11.8 Eradication 11.10 Scope Assessment: Who Else Was Hit? →