
NarwhalRAT Delivery via Fake Microsoft Account Alerts — Detection and Incident Response

Security Arsenal Team
June 16, 2026

Introduction

Security Arsenal has detected a concerning development in the threat landscape: the North Korean state-sponsored actor ScarCruft (APT37) has launched a new campaign using sophisticated phishing emails masquerading as Microsoft Account security notifications to deliver the NarwhalRAT malware. This attack leverages social engineering to create urgency about account compromise, tricking users into enabling malware delivery. The threat is significant not just due to the capabilities of NarwhalRAT (including keystroke logging, file exfiltration, and remote control) but because it targets enterprise environments where Microsoft Account security notifications are a routine part of IT operations. This campaign has been confirmed active in June 2026 and requires immediate defensive action.

Technical Analysis

Threat Actor: ScarCruft (APT37)

ScarCruft is a North Korean threat group with a history of targeting South Korean organizations, but increasingly expanding its focus globally. Known for sophisticated social engineering campaigns, they frequently leverage legitimate-looking emails to deliver custom-developed malware.

Attack Vector

The attack begins with spear-phishing emails impersonating Microsoft Account security alerts. The Genians Security Center (GSC) reports these messages are "designed to create concern over possible" security issues, prompting users to take urgent action. When users interact with the email content (typically clicking a link or opening an attachment), they trigger a download chain that delivers the NarwhalRAT payload.

NarwhalRAT Capabilities

NarwhalRAT is a custom remote access Trojan developed for APT37 operations. Key capabilities include:

  • Keystroke logging
  • Clipboard data capture
  • Screenshot functionality
  • File system enumeration and exfiltration
  • Remote command execution
  • C2 communications over HTTP/HTTPS with encrypted payloads

Exploitation Status

The current campaign represents active exploitation in the wild as of June 2026. There is no CVE associated with this attack as it relies on social engineering rather than software vulnerability exploitation.

Detection & Response

SIGMA Rules

---
title: Suspicious Microsoft Account Security Alert Phishing Email
id: 9e5a8f90-1234-4d67-bc12-3e5a8f901234
status: experimental
description: Detects potential phishing emails impersonating Microsoft Account security notifications
references:
  - https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.social_engineering
logsource:
  product: email
detection:
  selection:
    Subject|contains:
      - 'Microsoft account security alert'
      - 'Microsoft account unusual sign-in'
      - 'Microsoft account verification code'
    # Sender address claims a Microsoft domain (spoofed or lookalike); the filter below
    # removes the copies that really came from Microsoft infrastructure
    SenderFromAddress|contains:
      - '@microsoft.com'
      - '@microsoftaccount.com'
      - '@outlook.com'
    Body|contains:
      - 'sign-in attempt'
      - 'unusual activity'
      - 'security notification'
  filter_legitimate_infrastructure:
    # Placeholder: replace with the sender IP ranges your gateway has verified for Microsoft
    SenderIP|cidr:
      - '<MICROSOFT_SENDER_RANGE>'
  condition: selection and not filter_legitimate_infrastructure
falsepositives:
  - Legitimate Microsoft security notifications
level: medium
---
title: NarwhalRAT Process Creation Pattern
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901235
status: experimental
description: Detects potential NarwhalRAT execution patterns
references:
  - https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Executables launched from user-writable locations while presenting as Microsoft software
    Image|contains:
      - '\AppData\Roaming\Microsoft\'
      - '\AppData\Local\Temp\'
    Image|endswith: '.exe'
    Company: 'Microsoft Corporation'
  filter_signed_program_files:
    # SignedStatus is only populated if your process_creation source carries signature data
    SignedStatus: 'Signed'
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  condition: selection and not filter_signed_program_files
falsepositives:
  - Legitimate Microsoft applications
level: high
---
title: Suspicious C2 Communications Characteristic of NarwhalRAT
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6f
status: experimental
description: Detects network communications resembling NarwhalRAT C2 activity
references:
  - https://thehackernews.com/2026/06/fake-microsoft-alerts-used-to-deploy.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort: 443
  # Legacy Sigma aggregation: one source host fanning out to many distinct destinations on 443.
  # network_connection events carry no User-Agent; match that in a proxy-log rule instead.
  condition: selection | count(DestinationHostname) by SourceIp > 10
falsepositives:
  - Legitimate web browsing activity
level: medium
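The first Sigma rule leaves the sender-IP filter as a placeholder. The following is an added example, not part of the original advisory, that applies the same selection-and-filter logic to raw messages with Python's standard library; the trusted range, the X-Sender-IP header and the Authentication-Results header are assumptions standing in for whatever your gateway stamps on inbound mail, and the two messages are constructed samples.

```python
import ipaddress
from email import message_from_string

# Placeholder allowlist: replace with the sender IP ranges your mail gateway has
# verified for Microsoft (this value is an assumption, not taken from the advisory).
TRUSTED_SENDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test net

SUBJECT_TERMS = ("microsoft account security alert", "microsoft account unusual sign-in",
                 "microsoft account verification code")
CLAIMED_DOMAINS = ("@microsoft.com", "@microsoftaccount.com", "@outlook.com")
BODY_TERMS = ("sign-in attempt", "unusual activity", "security notification")

def is_trusted_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_SENDER_RANGES)

def classify(raw_message):
    """'alert' when the message matches the lure pattern (selection) and cannot be
    tied to trusted infrastructure (filter), otherwise 'ok'."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "").lower()
    sender = msg.get("From", "").lower()
    body = msg.get_payload().lower()
    selection = (any(t in subject for t in SUBJECT_TERMS)
                 and any(d in sender for d in CLAIMED_DOMAINS)
                 and any(t in body for t in BODY_TERMS))
    if not selection:
        return "ok"
    # X-Sender-IP and Authentication-Results are assumed to be stamped by the gateway
    ip_ok = is_trusted_ip(msg.get("X-Sender-IP", "0.0.0.0"))
    spf_ok = "spf=pass" in msg.get("Authentication-Results", "").lower()
    return "ok" if ip_ok and spf_ok else "alert"

# Constructed samples: a lure-style message from outside the allowlist that fails SPF,
# and a message that passes both checks.
LURE = """From: Microsoft account team <account-security@microsoftaccount.com>
Subject: Microsoft account security alert
X-Sender-IP: 198.51.100.7
Authentication-Results: gateway.example; spf=fail

We detected an unusual sign-in attempt. Verify your account now."""

LEGIT = """From: Microsoft account team <no-reply@microsoft.com>
Subject: Microsoft account security alert
X-Sender-IP: 203.0.113.20
Authentication-Results: gateway.example; spf=pass

A new sign-in attempt was recorded on your account."""
```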

KQL (Microsoft Sentinel / Defender)

// Search for suspicious emails impersonating Microsoft security alerts
EmailEvents
| where Timestamp > ago(7d)
| where Subject has "Microsoft account" and (Subject has "security alert" or Subject has "sign-in" or Subject has "verification")
// Keep messages that claim Microsoft in the subject but were sent from a non-Microsoft address
| where SenderFromAddress !endswith "microsoft.com"
// AuthenticationDetails carries the SPF/DKIM/DMARC verdicts for triage
| project Timestamp, Subject, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, NetworkMessageId, SenderIPv4, AuthenticationDetails

// Hunt for suspicious process execution patterns consistent with NarwhalRAT
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"\AppData\Roaming\Microsoft\" or FolderPath contains @"\AppData\Local\Temp\"
| where FileName endswith ".exe"
| where AccountName != "SYSTEM"
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Parents = make_set(InitiatingProcessFileName) by DeviceName, FileName, FolderPath, SHA256
| where Count > 1

// Identify anomalous network connections potentially related to NarwhalRAT C2
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 443 and InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
| where RemoteUrl !contains "microsoft.com" and RemoteUrl !contains "windowsupdate.com"
// DeviceNetworkEvents has no byte counters, so measure connection volume and fan-out per process instead
| summarize Connections = count(), DistinctRemoteIPs = dcount(RemoteIP), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath
| where Connections > 50 or DistinctRemoteIPs > 10   // starting thresholds; tune to your environment

Velociraptor VQL

-- Hunt for suspicious processes related to NarwhalRAT
-- pslist() has no hash column, so hash the on-disk image explicitly.
-- The '.' in the patterns also matches the path separator, which avoids backslash escaping.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime,
       hash(path=Exe).SHA256 AS SHA256
FROM pslist()
WHERE (Exe =~ 'AppData.Roaming.Microsoft.+[.]exe$'
    OR Exe =~ 'AppData.Local.Temp.+[.]exe$')
  AND NOT Name =~ '^MicrosoftEdgeUpdate[.]exe$'

-- Identify established connections on 443 that are not owned by a browser
SELECT Pid, Name, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status, Family, Timestamp
FROM netstat()
WHERE Raddr.Port = 443 AND Status = 'ESTAB'
  AND NOT Name =~ '^(chrome|firefox|msedge|iexplore)[.]exe$'

-- Check Run keys for entries named like an updater or service that do not point into Program Files
SELECT OSPath, Mtime, Name, Data.value AS Value
FROM glob(globs=['HKEY_USERS/*/Software/Microsoft/Windows/CurrentVersion/Run/*',
                 'HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/*'],
          accessor='registry')
WHERE (Name =~ 'Update' OR Name =~ 'Service')
  AND NOT Data.value =~ 'Program Files'

Remediation Script (PowerShell)

# PowerShell script to identify and isolate systems potentially infected with NarwhalRAT

# Function to check for suspicious processes
function Get-SuspiciousProcesses {
    # Wildcard prefixes cover every user profile, not only the account running the script
    $suspiciousPaths = @(
        "*\AppData\Roaming\Microsoft\*",
        "*\AppData\Local\Temp\*"
    )

    Get-Process | Where-Object {
        $path = $_.Path
        # Processes whose image path is not accessible (protected/system) are skipped
        $path -and (@($suspiciousPaths | Where-Object { $path -like $_ }).Count -gt 0)
    } | Select-Object Id, ProcessName, Path, StartTime,
        @{Name='SHA256'; Expression={ (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash }}
}

# Function to check for suspicious network connections
function Get-SuspiciousNetworkConnections {
    # Resolve browser PIDs once instead of re-enumerating processes for every connection
    $browserPids = Get-Process | Where-Object { $_.ProcessName -match 'chrome|firefox|msedge|iexplore' } | Select-Object -ExpandProperty Id

    Get-NetTCPConnection -State Established | Where-Object {
        $_.RemotePort -eq 443 -and $_.OwningProcess -notin $browserPids
    } | ForEach-Object {
        $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            ProcessName   = $process.ProcessName
            ProcessId     = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            CreationTime  = $process.StartTime
        }
    }
}

# Function to check for suspicious persistence mechanisms
function Get-SuspiciousPersistence {
    $runPaths = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
    )

    foreach ($path in $runPaths) {
        if (Test-Path $path) {
            # Enumerate value names under the Run key, then read each value's data
            Get-Item -Path $path | Select-Object -ExpandProperty Property | ForEach-Object {
                $name  = $_
                $value = (Get-ItemProperty -Path $path -Name $name).$name
                # Flag entries launching from AppData\...\Microsoft\ that are not under Program Files
                if ($value -match "AppData\\(Roaming|Local)\\" -and $value -match "\\Microsoft\\" -and $value -notmatch "Program Files") {
                    [PSCustomObject]@{
                        RegistryPath = $path
                        ValueName    = $name
                        ValueData    = $value
                    }
                }
            }
        }
    }
}

# Execute checks and compile report
Write-Host "Checking for NarwhalRAT indicators..." -ForegroundColor Cyan

# @() keeps .Count meaningful when a single object or nothing is returned
$suspiciousProcesses = @(Get-SuspiciousProcesses)
if ($suspiciousProcesses) {
    Write-Host "Found $($suspiciousProcesses.Count) suspicious processes:" -ForegroundColor Yellow
    $suspiciousProcesses | Format-Table -AutoSize
    # Terminate suspicious processes (the table above is printed first so the analyst can review matches)
    foreach ($proc in $suspiciousProcesses) {
        Write-Host "Terminating process $($proc.ProcessName) with PID $($proc.Id)" -ForegroundColor Red
        Stop-Process -Id $proc.Id -Force
    }
} else {
    Write-Host "No suspicious processes found." -ForegroundColor Green
}

$suspiciousConnections = @(Get-SuspiciousNetworkConnections)
if ($suspiciousConnections) {
    Write-Host "Found $($suspiciousConnections.Count) suspicious network connections:" -ForegroundColor Yellow
    $suspiciousConnections | Format-Table -AutoSize
} else {
    Write-Host "No suspicious network connections found." -ForegroundColor Green
}

$suspiciousPersistence = @(Get-SuspiciousPersistence)
if ($suspiciousPersistence) {
    Write-Host "Found $($suspiciousPersistence.Count) suspicious persistence mechanisms:" -ForegroundColor Yellow
    $suspiciousPersistence | Format-Table -AutoSize
    # Remove suspicious persistence entries
    foreach ($entry in $suspiciousPersistence) {
        Write-Host "Removing persistence entry $($entry.ValueName) from $($entry.RegistryPath)" -ForegroundColor Red
        Remove-ItemProperty -Path $entry.RegistryPath -Name $entry.ValueName
    }
} else {
    Write-Host "No suspicious persistence mechanisms found." -ForegroundColor Green
}

Write-Host "NarwhalRAT check complete." -ForegroundColor Cyan

Remediation

Immediate Actions

  1. User Awareness: Immediately notify all users about this phishing campaign, with specific examples of the fake Microsoft security alert emails. Emphasize that legitimate Microsoft security notifications will never ask users to click links to install software or provide credentials.

  2. Email Filtering: Update email security gateways to flag or quarantine messages with the following characteristics:

    • Subjects containing "Microsoft account security alert"
    • Senders claiming to be from Microsoft but originating from non-Microsoft infrastructure
    • Messages creating urgency about account compromise

  3. Endpoint Isolation: For systems potentially infected based on detection indicators:

    • Isolate from the network immediately
    • Conduct forensic analysis to determine the scope of compromise
    • Consider reimaging systems where persistent malware is confirmed

Long-term Defensive Measures

  1. Implement DMARC, SPF, and DKIM: Strengthen email authentication to reduce the effectiveness of domain spoofing in phishing campaigns.

  2. Application Allowlisting: Implement strict allowlisting policies to prevent execution of unsigned binaries and those not located in standard application directories.

  3. Network Segmentation: Restrict lateral movement capabilities by implementing network segmentation and micro-segmentation principles.

  4. Monitoring and Detection: Deploy the provided detection rules across your security stack and establish monitoring for the specific indicators of compromise (IOCs) associated with this campaign.

  5. Security Awareness Training: Conduct targeted training to help users identify social engineering attempts, particularly those creating urgency about security incidents.
