T1566.002 Spearphishing Link Mappings

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1566.002 Spearphishing Link
CA-7 Continuous Monitoring Protects T1566.002 Spearphishing Link
CM-2 Baseline Configuration Protects T1566.002 Spearphishing Link
CM-6 Configuration Settings Protects T1566.002 Spearphishing Link
IA-9 Service Identification and Authentication Protects T1566.002 Spearphishing Link
SC-20 Secure Name/address Resolution Service (authoritative Source) Protects T1566.002 Spearphishing Link
SC-44 Detonation Chambers Protects T1566.002 Spearphishing Link
SC-7 Boundary Protection Protects T1566.002 Spearphishing Link
SI-3 Malicious Code Protection Protects T1566.002 Spearphishing Link
SI-4 System Monitoring Protects T1566.002 Spearphishing Link
SI-8 Spam Protection Protects T1566.002 Spearphishing Link
action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1566.002 Phishing: Spearphishing Link
action.social.vector.Email Email related-to T1566.002 Phishing: Spearphishing Link
action.social.vector.Web application Web application related-to T1566.002 Phishing: Spearphishing Link