Phishing for Information: Spearphishing Link

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.[1][2] The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

ID: T1598.003
Sub-technique of:  T1598
Tactic: Reconnaissance
Platforms: PRE
Contributors: Philip Winther; Robert Simmons, @MalwareUtkonos; Sebastian Salla, McAfee
Version: 1.2
Created: 02 October 2020
Last Modified: 08 March 2022

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.[3]

G0007 APT28

APT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains.[4]

G0050 APT32

APT32 has used malicious links to direct users to web pages designed to harvest credentials.[5]

G0035 Dragonfly

Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.[6]

G0094 Kimsuky

Kimsuky has used links in e-mail to steal account information.[7][8][9]

G0059 Magic Hound

Magic Hound has used SMS and email messages with links designed to steal credentials.[10][11][12][13]

G0034 Sandworm Team

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.[14]

G0121 Sidewinder

Sidewinder has sent e-mails with malicious links to credential harvesting websites.[15]

G0122 Silent Librarian

Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page.[16][17][18][19][20][21]

S0649 SMOKEDHAM

SMOKEDHAM has been delivered via malicious links in phishing emails.[22]

Mitigations

ID Mitigation Description
M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[23][24]

M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing attempts.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[23][24]

Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.

References