Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.
ID | Name | Description |
---|---|---|
G0001 | Axiom | Axiom has used spear phishing to initially compromise victims.[1][2] |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[3] |
S0009 | Hikit | |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware | Anti-virus can automatically quarantine suspicious files. |
M1031 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity. |
M1021 | Restrict Web-Based Content | Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[4][5] |
M1017 | User Training | Users can be trained to identify social engineering techniques and phishing emails. |
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Traffic Content; Network Traffic Flow |
Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[4][5]
URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.
Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication or delivery. With SSL/TLS inspection in place, intrusion detection signatures or other security gateway appliances may be able to detect malware.
Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once User Execution occurs.
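A triage routine, added here as an illustration and not part of ATT&CK or any vendor product, that applies three of the checks above to one constructed message: the SPF/DKIM/DMARC verdicts recorded in the Authentication-Results header, the attachment-type blocklist from M1021, and a header/URL analysis that flags anchors whose displayed URL host differs from the host the href actually points to. The sample message, the blocklist tuple and the function names are all assumptions made for this example.

```python
import email, re
from email import policy
from urllib.parse import urlparse
# Attachment types called out under M1021 (constructed blocklist for this example).
BLOCKED_EXTENSIONS = (".scr", ".exe", ".pif", ".cpl")
# Constructed sample: spoofed sender failing SPF/DKIM/DMARC, a look-alike link and a .scr attachment.
SAMPLE_EMAIL = b"""From: "Payroll" <payroll@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please review <a href="http://198.51.100.7/login">https://portal.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="salary.pdf.scr"
Content-Disposition: attachment; filename="salary.pdf.scr"

placeholder-bytes
--b1--
"""

def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def risky_attachments(msg):
    """Attachment names whose extension is blocklisted; catches double extensions like .pdf.scr."""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if n.lower().endswith(BLOCKED_EXTENSIONS)]

def mismatched_links(msg):
    """Anchors whose visible text is a URL on one host but whose href points at another host."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:
            found.append((text.strip(), href))
    return found

def triage(raw_bytes):
    """Combine the three checks into one result a gateway rule or an analyst can act on."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    auth = auth_results(msg)
    return {"auth": auth, "auth_ok": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
            "attachments": risky_attachments(msg), "links": mismatched_links(msg)}
```

Run against the sample, `triage(SAMPLE_EMAIL)` reports failed sender authentication, the `salary.pdf.scr` attachment, and the link whose displayed `portal.example.com` text hides an href to `198.51.100.7`.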