Adversaries may use PHP scripts on a compromised or attacker-controlled web server to send phishing emails as part of initial compromise or credential harvesting. The rule below keys on markers that PHP itself or the hosting mail stack stamps into such mail: PHP's mail() adds the X-PHP-Originating-Script header when mail.add_x_header is enabled in php.ini, some hosting mail wrappers add X-PHP-Script, and the interpreter path /usr/bin/php shows up when mail is handed off from a command line or cron job. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential spear-phishing campaigns or malicious script execution early. When tuning the exclusions that follow, anchor them on the script path or a known sender plus recipient pair rather than on the subject alone, since a phishing script can set the subject to whatever the exclusion expects.
YARA Rule
rule PM_Email_Sent_By_PHP_Script
{
    strings:
        $php1 = "X-PHP-Script" fullword
        $php2 = "X-PHP-Originating-Script" fullword
        $php3 = "/usr/bin/php" fullword
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled PHP Cron Job for Email Reports
Description: A legitimate cron job invokes a PHP script from the command line to send daily email reports to administrators. Because the script is started by cron rather than by a web request, there is no HTTP request method to filter on; the script path and the fixed recipient are the stable fields.
Filter/Exclusion: email_recipient:[email protected] OR script_path: /var/www/cronjobs/report_email.php
Scenario: PHP Script Used for User Password Reset Emails
Description: A PHP script handles password reset requests and sends confirmation emails to users.
Filter/Exclusion: email_subject:"Password Reset" OR script_path: /var/www/html/reset_password.php OR email_sender: [email protected]
Scenario: Admin Task to Send Bulk Emails via PHPMailer
Description: An admin uses a PHPMailer script to send bulk marketing emails to customers.
Filter/Exclusion: email_sender: [email protected] OR email_subject:"Special Offer" OR script_path: /var/www/scripts/bulk_email.php
Scenario: PHP Script for Automated Email Notifications
Description: A PHP script sends automated notifications (e.g., system alerts) to internal teams.
Filter/Exclusion: email_recipient: [email protected] OR email_subject:"System Alert" OR script_path: /var/www/scripts/notify_team.php
Scenario: PHP Script for Email-based API Integration
Description: A PHP script interacts with an external service via email (e.g., email-based API triggers).
Filter/Exclusion: email_subject:"API Trigger" OR script_path: /var/www/scripts/api_email_integration.php OR email_sender: [email protected]
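The following is an added example, not code from the original page or from the rule's author. It re-implements the three string patterns of PM_Email_Sent_By_PHP_Script in plain Python (including YARA's fullword semantics) and runs them over constructed raw email messages, then evaluates the "Password Reset" scenario's exclusion both in the OR shape shown above and in a tighter AND shape. The sender addresses, script names and message bodies are constructed for the example; the "uid:basename" layout of X-PHP-Originating-Script is how PHP's mail() writes it, and the exclusion therefore compares script basenames rather than the full paths used in the scenario filters (a schema assumption).

```python
"""Added example: PM_Email_Sent_By_PHP_Script string logic in plain Python,
run over constructed mail samples, plus the Password Reset exclusion in two
shapes. Addresses, script names and bodies are hypothetical."""
import re
from email import message_from_string
from email.utils import parseaddr

# The three strings of the YARA rule.
RULE_STRINGS = {
    "php1": "X-PHP-Script",
    "php2": "X-PHP-Originating-Script",
    "php3": "/usr/bin/php",
}


def _fullword(s: str) -> "re.Pattern":
    # YARA `fullword`: the match may not be directly preceded or followed
    # by an alphanumeric character. "/usr/bin/php8.2" therefore does NOT
    # match $php3, which is worth knowing before deploying the rule.
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(s) + r"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data: str) -> list:
    """Identifiers of rule strings found in data (case-sensitive, as in YARA)."""
    return [name for name, pat in PATTERNS.items() if pat.search(data)]


def rule_matches(data: str) -> bool:
    """condition: any of them"""
    return bool(matched_strings(data))


# --- Constructed samples (hypothetical addresses and script names) ---------
LEGIT_SENDER = "noreply@example.com"

# The legitimate reset mailer. PHP writes "<uid>:<script basename>".
LEGIT_RESET = "\n".join([
    "From: Example App <noreply@example.com>",
    "To: alice@example.com",
    "Subject: Password Reset",
    "X-PHP-Originating-Script: 33:reset_password.php",
    "",
    "Click the link to reset your password.",
])

# Phishing mail sent by an uploaded script; the attacker copies the subject.
PHISH = "\n".join([
    "From: IT Support <support@example.net>",
    "To: alice@example.com",
    "Subject: Password Reset",
    "X-PHP-Originating-Script: 33:img.php",
    "",
    "Your password expires today, verify it here: http://example.net/verify",
])

# Mail from a desktop client: no PHP markers at all.
CLIENT_MAIL = "\n".join([
    "From: bob@example.com",
    "To: alice@example.com",
    "Subject: Lunch?",
    "X-Mailer: Thunderbird",
    "",
    "Noon?",
])


def scenario_fields(raw: str) -> dict:
    """Pull the fields the scenario filters key on out of a raw message."""
    msg = message_from_string(raw)
    originating = msg.get("X-PHP-Originating-Script", "")
    script = originating.split(":", 1)[1] if ":" in originating else originating
    return {
        "email_subject": msg.get("Subject", ""),
        "email_sender": parseaddr(msg.get("From", ""))[1],
        "script_name": script,
    }


def excluded_or(f: dict) -> bool:
    """The page's shape: any one matching field suppresses the hit."""
    return (f["email_subject"] == "Password Reset"
            or f["script_name"] == "reset_password.php"
            or f["email_sender"] == LEGIT_SENDER)


def excluded_and(f: dict) -> bool:
    """Tighter shape: drop the attacker-controlled subject and require the
    known script AND the known sender together."""
    return (f["script_name"] == "reset_password.php"
            and f["email_sender"] == LEGIT_SENDER)


def triage(raw: str, excluded) -> str:
    """'no-match', 'excluded' or 'alert' for one raw message."""
    if not rule_matches(raw):
        return "no-match"
    return "excluded" if excluded(scenario_fields(raw)) else "alert"


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_RESET), ("phish", PHISH), ("client", CLIENT_MAIL)]:
        print(name, matched_strings(raw),
              "OR:", triage(raw, excluded_or), "AND:", triage(raw, excluded_and))
```

Running the block shows the point of the caveat: the phishing sample is suppressed under the OR-shaped exclusion because it reuses the "Password Reset" subject, and surfaces as an alert only once the exclusion requires the known script and sender together.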