13.9 Waves 2-5: Campaign Tracking

2–3 hours · Module 13

Waves 2-5: The Campaign Continues

Containing Wave 1 does not end the incident. The attacker has infrastructure, a target list, and proof that their kit works. They will try again with different lures.

Wave 2 — Day 1, 21:00 GMT (12 hours after Wave 1)

EmailEvents
| where TimeGenerated between (datetime(2026-02-27T20:00:00Z) .. datetime(2026-02-28T02:00:00Z))
| where SenderMailFromDomain has_any ("northgate-docs", "northgateeng-portal", "northgate-voicemail")
    or Subject has_any ("Shared document", "Budget Review", "Q4 Report")
| summarize Count = count(), Recipients = dcount(RecipientEmailAddress),
    Subjects = make_set(Subject), DeliveryActions = make_set(DeliveryAction)
    by SenderMailFromDomain
| sort by Count desc

Result: 41 emails from northgate-docs[.]com with subject “Shared document: Q4 Budget Review.” Different domain, different lure, all-staff targeting. 38 delivered, 3 blocked. The URL path pattern matches Wave 1: /auth/[hash]/login.

Detection improvement per wave

Wave | Domain                      | Lure                   | Delivered | Detected by                 | Time to detect
-----|-----------------------------|------------------------|-----------|-----------------------------|-------------------
1    | northgate-voicemail[.]com   | Voicemail notification | 19/23     | ZAP (post-delivery)         | 23 minutes
2    | northgate-docs[.]com        | Document sharing       | 38/41     | Manual hunt (pattern match) | 2 hours
3    | northgateeng-support[.]com  | IT password reset      | 5/8       | NRT analytics rule          | 4 minutes
4    | northgate-benefits[.]com    | Benefits enrolment     | 11/15     | Transport rule (blocked)    | 0 (pre-delivery)
5    | northgate-projects[.]com    | Project update         | 8/31      | Transport rule (blocked)    | 0 (pre-delivery)
Detection maturity across 5 waves

Wave 1: reactive (ZAP, 23 minutes). Wave 2: proactive hunt (pattern match, 2 hours). Wave 3: automated detection (NRT rule, 4 minutes). Waves 4-5: preventive (transport rule, blocked before delivery). This progression from reactive to preventive is the goal of every IR engagement.

Wave 3 — Executive targeting

Wave 3 targeted 8 executives with an IT password reset lure. The NRT analytics rule deployed after Wave 2 caught it within 4 minutes. No executives clicked. Two factors: executives tend to have better security awareness training, and the “IT support” lure was less convincing than the voicemail lure (executives do not expect IT to email them password reset links).

Waves 4-5 — Blocked by transport rules

After Wave 3, Exchange Online transport rules were deployed blocking the URL path pattern /auth/[a-f0-9]{32}/login across all inbound email. Waves 4 and 5 were mostly blocked at delivery. The 8 and 11 that delivered used slightly modified URL structures — the attacker began adapting. But by this point, the pattern was well-understood and additional rules were deployed within hours.

Try it yourself

Write a transport rule condition that blocks emails containing URLs matching the phishing kit pattern. Consider: should you block or quarantine? What is the risk of false positives?

Recommended approach: Quarantine rather than block for the first 24 hours. This allows you to review quarantined emails for false positives before switching to a hard block. The regex pattern /auth/[a-f0-9]{32}/login is specific enough that false positives are unlikely, but quarantine-first is the safer approach for production environments.

After 24 hours with zero false positives in quarantine, switch to hard block (reject with NDR). Add specific domain blocks for each identified phishing domain as a belt-and-braces measure.
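The quarantine-first rollout described above, written out in Exchange Online PowerShell as an added example; it is not part of the module's own material. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can manage mail flow rules. The URL pattern and the campaign domains come from the text; the rule names, priorities, reject text and the 24-hour review check are assumptions.

```powershell
# Added example (not from the module): phishing-kit URL pattern rule deployed
# quarantine-first, reviewed after 24 hours, then switched to a hard reject.
# Rule names, priorities and reject text are assumptions.

Connect-ExchangeOnline   # interactive sign-in; skip if a session already exists

# URL path pattern seen across the waves: /auth/<32 hex chars>/login.
# The link lives in the message body, so SubjectOrBodyMatchesPatterns is the
# condition that sees it (it is a .NET regex).
$KitPattern   = '/auth/[a-f0-9]{32}/login'
$PhishDomains = @(
    'northgate-voicemail.com', 'northgate-docs.com',
    'northgateeng-support.com', 'northgate-benefits.com', 'northgate-projects.com'
)

# Step 1 - quarantine-first. FromScope limits the rule to inbound mail so an
# internal IR ticket that quotes the indicator is not swept up.
New-TransportRule -Name 'IR-Northgate-KitURL' `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $KitPattern `
    -Quarantine $true `
    -Mode Enforce `
    -Comments 'Campaign phishing-kit URL path. Review quarantine for 24h, then switch to reject.'

# Belt-and-braces: the campaign sender domains are dedicated attacker
# infrastructure, so they can be rejected outright with no false-positive risk.
New-TransportRule -Name 'IR-Northgate-SenderDomains' `
    -Priority 1 `
    -SenderDomainIs $PhishDomains `
    -RejectMessageReasonText 'Message rejected: sender domain is part of a known phishing campaign.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

# Step 2 - after 24 hours, review what the pattern rule quarantined. Every hit
# should come from a campaign domain; anything else is a candidate false
# positive and must be examined before the rule is hardened.
$Since = (Get-Date).AddHours(-24)
$Hits  = Get-QuarantineMessage -Type TransportRule -Direction Inbound -StartReceivedDate $Since
$Hits | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject | Format-Table -AutoSize

$Unexpected = @($Hits | Where-Object {
    ($_.SenderAddress -split '@')[-1] -notin $PhishDomains
})
if ($Unexpected.Count -gt 0) {
    Write-Warning "$($Unexpected.Count) quarantined message(s) are not from a known campaign domain; review them before switching to reject."
}

# Step 3 - zero false positives: flip the same rule from quarantine to reject
# with an NDR. Keeping one rule rather than adding a second makes later audits
# of the rule set simpler.
if ($Unexpected.Count -eq 0) {
    Set-TransportRule -Identity 'IR-Northgate-KitURL' `
        -Quarantine $false `
        -RejectMessageReasonText 'Message rejected: link matches a known phishing kit.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}
```

To rehearse the rule before it acts on mail, create it with `-Mode Audit` first and check the rule hits in the mail flow reports; `Set-TransportRule -Mode Enforce` then turns it on without recreating it. The review step keys on the sender domain only because the text says every wave used a dedicated lookalike domain; if a later wave sent from a compromised legitimate account, the quarantined hits would need to be judged on the URL rather than the sender.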

Check your understanding

1. Detection improved from 23 minutes (Wave 1) to 0 minutes (Waves 4-5). What drove this improvement?

Microsoft updated their detection engine
Each wave produced IOCs and patterns that were converted into progressively faster detections: ZAP (reactive) to NRT analytics rule (near-real-time) to transport rule (preventive, pre-delivery block)
Users stopped clicking