T1598 Phishing for Information Mappings

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-04 Information Flow Enforcement Protects T1598 Phishing for Information
CA-07 Continuous Monitoring Protects T1598 Phishing for Information
CM-02 Baseline Configuration Protects T1598 Phishing for Information
CM-06 Configuration Settings Protects T1598 Phishing for Information
IA-09 Service Identification and Authentication Protects T1598 Phishing for Information
SC-20 Secure Name/address Resolution Service (authoritative Source) Protects T1598 Phishing for Information
SC-44 Detonation Chambers Protects T1598 Phishing for Information
SC-07 Boundary Protection Protects T1598 Phishing for Information
SI-03 Malicious Code Protection Protects T1598 Phishing for Information
SI-04 System Monitoring Protects T1598 Phishing for Information
SI-08 Spam Protection Protects T1598 Phishing for Information
DEF-SA-E3 Safe Attachments Technique Scores T1598 Phishing for Information
DEF-SA-E3 Safe Attachments Technique Scores T1598 Phishing for Information
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1598 Phishing for Information
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1598 Phishing for Information

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1598.003 Spearphishing Link 12
T1598.004 Spearphishing Voice 1
T1598.002 Spearphishing Attachment 14
T1598.001 Spearphishing Service 7