T1566 Phishing Mappings

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

virus_total | Virus Total | technique_scores | T1566 | Phishing |
Comments
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats. This control can help mitigate adversaries that try to send malware via emails using malicious links or attachments. The malware-scanner service scans the uploaded document for malware. If the document is infected, the service moves it to a quarantined bucket; otherwise the document is moved into another bucket that holds uninfected scanned documents.

web_risk | Web Risk | technique_scores | T1566 | Phishing |
Comments
Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It can also provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.

beyondcorp_enterprise | BeyondCorp Enterprise | technique_scores | T1566 | Phishing |
Comments
This control can help detect malicious links sent via phishing. The details include a list of samples of message delivery events. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name. As a result, this can be used to block senders.

beyondcorp_enterprise | BeyondCorp Enterprise | technique_scores | T1566 | Phishing |
Comments
This control can help detect malicious links sent via phishing. The details include a list of samples of message delivery events. Each item in the list includes the date, message ID, subject hash, message body hash, username of the recipient, attachment hashes, and your primary domain name.

titan_security_key | Titan Security Key | technique_scores | T1566 | Phishing |
Comments
This control can mitigate a variety of phishing attacks by requiring an additional key for authentication beyond the user's password. Compared to other forms of 2-factor authentication, this control will not allow authentication to an illegitimate service or website, as the key cannot be transmitted from the hardware device to any other device.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1566.001 | Spearphishing Attachment | 2
T1566.002 | Spearphishing Link | 2