1. Home
  2. Techniques
  3. Enterprise
  4. Phishing for Information
  5. Spearphishing Attachment

Phishing for Information: Spearphishing Attachment

ID Name
T1598.001 Spearphishing Service
T1598.002 Spearphishing Attachment
T1598.003 Spearphishing Link

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.[1][2] The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

ID: T1598.002
Sub-technique of:  T1598
Tactic: Reconnaissance
Platforms: PRE
Contributors: Philip Winther; Robert Simmons, @MalwareUtkonos; Sebastian Salla, McAfee
Version: 1.1
Created: 02 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth has been delivered via malicious e-mail attachments.[3]
G0035 Dragonfly

Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.[4]
G0121 Sidewinder

Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.[5][6][7]

Mitigations

ID Mitigation Description
M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[8][9]
M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing attempts.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[8][9]

References

  1. Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.
  2. Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.
  3. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  4. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  5. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  1. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  2. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  3. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
  4. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.