Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged campaign where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)
Adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.
There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the campaign and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EOP-AntiSpam-E3 | AntiSpam | Technique Scores | T1534 | Internal Spearphishing |
Comments
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.
To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.
License requirements: M365 E3
References
|
| M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1534 | Internal Spearphishing |
Comments
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.
License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.
References
|
| DO365-TPSR-E3 | Threat Protection Status Report | Technique Scores | T1534 | Internal Spearphishing |
Comments
Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.
Threat Protection Status Report Detects Internal Spearphishing attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.
License Requirements:
Exchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
References
|
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1534 | Internal Spearphishing |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
| DO365-SL-E3 | Safe Links | Technique Scores | T1534 | Internal Spearphishing |
Comments
Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps.
Safe Links Detects Internal Spearphishing attacks due to Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
References
|
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1534 | Internal Spearphishing |
Comments
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.
Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
License requirements: M365 E3 (or Defender for Office plan 1)
References
|
| DO365-PSP-E3 | Preset Security Policies | Technique Scores | T1534 | Internal Spearphishing |
Comments
M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
Preset Security Policies Detects Internal Spearphishing attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
References
|
| DO365-AS-E3 | Anti-Spoofing | Technique Scores | T1534 | Internal Spearphishing |
Comments
The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report
Microsoft O365's anti-spoofing technology detects Internal Spearphishing attacks due to spoof detections report, where users can view information about phishing attempts
License Requirements:
Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR
References
|
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1534 | Internal Spearphishing |
Comments
Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.
AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.
Required licenses
E5 or Microsoft Defender for Office 365 Plan 2 licenses.
References
|
| DO365-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1534 | Internal Spearphishing |
Comments
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.
Advanced Threat Hunting Detects Internal Spearphishing attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors network data for uncommon data flows
License Requirements:
Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2
References
|
| DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1534 | Internal Spearphishing |
Comments
The Advanced Anti-phishing control includes features that can be used to Respond to unusual communication patterns that may indicate Internal Spearphishing. AAP for Defender for O365 supports impersonation protection, which provides multiple options in reaction to a detected impersonation attempt. For example, the ability to redirect the email to specified recipients, add new recipients as Bcc, send it to the Junk Email folder, place the message in quarantine, or even automatically delete it. This scores Partial in the Respond category for its ability to potentially contain the impact of or alert others to the need to remediate internal spearphishing attempts.
License Requirements:
Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)
References
|
| DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1534 | Internal Spearphishing |
Comments
The Advanced Anti-phishing control includes features that can be used to detect and warn users against unusual communication patterns that may indicate Internal Spearphishing. The first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don’t get messages from that sender may alert users to suspicious communications from legitimate, but unexpected users in their organization. This scores Partial in the Detect category for its near real-time processing and indication of unexpected email communications. Detection of suspicious communication will not be equally accurate, depending on the accounts in question.
License Requirements:
Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)
References
|