Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.(Citation: Mandiant URL Obfuscation 2023)
Adversaries may also link to "web bugs" or "web beacons" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)
Adversaries may also be able to spoof a complete website using what is known as a "browser-in-the-browser" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)
Adversaries can use phishing kits such as EvilProxy and Evilginx2 to proxy the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.(Citation: Proofpoint Human Factor)
From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-04 | Information Flow Enforcement | Protects | T1598.003 | Spearphishing Link | |
| CA-07 | Continuous Monitoring | Protects | T1598.003 | Spearphishing Link | |
| CM-02 | Baseline Configuration | Protects | T1598.003 | Spearphishing Link | |
| CM-06 | Configuration Settings | Protects | T1598.003 | Spearphishing Link | |
| IA-09 | Service Identification and Authentication | Protects | T1598.003 | Spearphishing Link | |
| SC-20 | Secure Name/address Resolution Service (authoritative Source) | Protects | T1598.003 | Spearphishing Link | |
| SC-44 | Detonation Chambers | Protects | T1598.003 | Spearphishing Link | |
| SC-07 | Boundary Protection | Protects | T1598.003 | Spearphishing Link | |
| SI-03 | Malicious Code Protection | Protects | T1598.003 | Spearphishing Link | |
| SI-04 | System Monitoring | Protects | T1598.003 | Spearphishing Link | |
| SI-08 | Spam Protection | Protects | T1598.003 | Spearphishing Link |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-IR-E5 | Incident Response | Technique Scores | T1598.003 | Spearphishing Link |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.
Microsoft 365 Defender Incident Response responds to spearphishing link attacks due to its phishing Incident Response playbook which monitors for messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
License Requirements:
Microsoft Defender XDR
References
|