Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.
In many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims – deceiving them into sending money or divulging information that ultimately enables Financial Theft.
Adversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text, such as "payment", "request", or "urgent", to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary’s goal.
Impersonation is typically preceded by reconnaissance techniques such as Gather Victim Identity Information and Gather Victim Org Information as well as acquiring infrastructure such as email domains (i.e. Domains) to substantiate their false identity.(Citation: CrowdStrike-BEC)
There is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)
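The signals described above (a trusted display name arriving from an outside mailbox, a lookalike sender domain acquired to substantiate the false identity, pressure words such as "payment", "request" and "urgent" in the subject, and a sender the recipient has never corresponded with) can be turned into a simple triage rule. The following script is an added example written for this page; it is not Microsoft 365 code and does not reproduce EOP's proprietary filtering. The organization domain, the protected executive, the known-sender list and both sample messages are constructed assumptions.

```python
"""
Heuristic triage of inbound mail for Impersonation (T1656) lures.

Added example for this mapping page; not Microsoft 365 code.  It scores a
message on four signals the technique description names: a display name
that matches a protected person but arrives from another mailbox, a sender
domain that looks like an organization domain, urgency language in the
subject, and first contact with an unknown sender.  All domains, names
and messages below are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed tenant data (assumptions, not real organizations or people).
ORG_DOMAINS = {"example-corp.com"}
PROTECTED_PEOPLE = {"Alice Sato": "alice.sato@example-corp.com"}  # executives / VIPs
KNOWN_SENDERS = {"vendor@parts-supplier.example"}                # prior correspondence
URGENCY_WORDS = ("payment", "request", "urgent")                 # lure words named on the page


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Collapse case, punctuation and word order so 'Sato, Alice' == 'Alice Sato'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


PROTECTED = {normalize_name(k): v for k, v in PROTECTED_PEOPLE.items()}


def triage(raw_message: str) -> dict:
    """Return the signals found and a routing verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    subject = msg.get("Subject", "")
    signals = []

    # 1. Display-name impersonation: a trusted name on an untrusted mailbox.
    expected = PROTECTED.get(normalize_name(display))
    if expected and address != expected:
        signals.append("display-name-impersonation")

    # 2. Lookalike domain: close to an org domain without being one of them.
    if domain and domain not in ORG_DOMAINS:
        if any(edit_distance(domain, org) <= 2 for org in ORG_DOMAINS):
            signals.append("lookalike-domain")

    # 3. Urgency / payment language in the subject line.
    if any(re.search(rf"\b{w}\b", subject, re.I) for w in URGENCY_WORDS):
        signals.append("urgency-language")

    # 4. First contact: no prior correspondence with this external sender.
    if domain not in ORG_DOMAINS and address not in KNOWN_SENDERS:
        signals.append("first-contact")

    # A false-identity signal combined with pressure is the BEC pattern:
    # hold it for review instead of delivering it silently.
    identity = {"display-name-impersonation", "lookalike-domain"} & set(signals)
    if identity and "urgency-language" in signals:
        verdict = "quarantine-for-review"
    elif identity or "first-contact" in signals:
        verdict = "deliver-with-safety-tip"
    else:
        verdict = "deliver"
    return {"from": address, "signals": signals, "verdict": verdict}


# Constructed sample messages: one lure, one routine vendor message.
LURE = """\
From: Alice Sato <alice.sato@examp1e-corp.com>
To: pat.lee@example-corp.com
Subject: Urgent payment request - please handle today

Pat, I am in meetings all day. Please process the attached invoice today. Alice
"""

ROUTINE = """\
From: Parts Supplier <vendor@parts-supplier.example>
To: pat.lee@example-corp.com
Subject: March statement attached

Hi Pat, the monthly statement is attached as usual.
"""

if __name__ == "__main__":
    for sample in (LURE, ROUTINE):
        print(triage(sample))
```

The lure trips all four signals (the digit "1" in `examp1e-corp.com` is one edit away from the organization domain) and is held for review; the routine vendor message trips none. Urgency language alone never quarantines a message, which keeps the rule from flagging every internal approval request.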
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
EOP-AntiSpam-E3 | AntiSpam | Technique Scores | T1656 | Impersonation | In Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and from user feedback on Microsoft's consumer platform. License requirements: M365 E3. |
EOP-AP-E3 | Anti-Phishing | Technique Scores | T1656 | Impersonation | Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with anti-phishing policies in Defender for Office 365 are: automatically created default policies, custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds. Microsoft 365 anti-phishing protection mitigates phishing attacks through its custom policy feature: users can create policies that determine whether particular websites used for phishing are necessary for business operations, and block access where the activity cannot be monitored adequately or poses a significant risk. License requirements: Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR. |
M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1656 | Impersonation | Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing. License requirements: ZAP for Defender for Office 365 is included with M365 E3 and requires E5 when leveraging ZAP for Teams security. |
DO365-TPSR-E3 | Threat Protection Status Report | Technique Scores | T1656 | Impersonation | The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content, for example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features (Safe Links, Safe Attachments, and the impersonation protection features in anti-phishing policies). The Threat Protection Status Report detects Impersonation attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and the impersonation protection features in anti-phishing policies. License requirements: Exchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR. |
DO365-TE-E5 | Threat Explorer | Technique Scores | T1656 | Impersonation | Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. Threat Explorer detects Impersonation attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden. When an organization blocks URLs for users, it mitigates users visiting a website that hosts adversary-controlled content. License requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR. |
DEF-SecScore-E3 | Secure Score | Technique Scores | T1656 | Impersonation | Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups: Identity (Microsoft Entra accounts & roles); Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices); Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps); and Data (through Microsoft Information Protection). |
DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1656 | Impersonation | In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages. Traditionally, users have been allowed or denied levels of interactivity with quarantined messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware. Quarantine policies support the following M365 features: the “Response” to items tagged by anti-malware and anti-phishing, and files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. License requirements: M365 E3 (or Defender for Office 365 plan 1). |
DO365-PSP-E3 | Preset Security Policies | Technique Scores | T1656 | Impersonation | M365 preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies, which are infinitely configurable, virtually all of the settings in preset security policies aren't configurable and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. Preset security policies detect Impersonation attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links checks URLs immediately before the websites are opened; if a URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. License requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR. |
DO365-AS-E3 | Anti-Spoofing | Technique Scores | T1656 | Impersonation | The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the Tenant Allow/Block List, anti-phishing policies, and the spoof detections report. Microsoft O365's anti-spoofing technology protects from Impersonation attacks through the impersonation protection provided with anti-phishing policies. License requirements: Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR. |
DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1656 | Impersonation | Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming; automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples of remediation actions include: soft delete email messages or clusters, block URL (time-of-click), turn off external mail forwarding, and turn off delegation. License requirements: E5 or Microsoft Defender for Office 365 Plan 2. |
DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1656 | Impersonation | The Advanced Anti-phishing control includes several mechanisms that can be used to respond to detected malicious emails that may be part of Impersonation using email communications. Responses include the ability to automatically move suspicious messages to the Junk Email folder, but additional settings also allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Minimal for the Respond category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. License requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2). |
DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1656 | Impersonation | The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user about suspicious emails, reducing the likelihood of the user falling victim to email communications resulting from Impersonation. Detections include implicit email authentication, which includes unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and the first contact safety tip, which warns the user the first time they receive a message from a sender, or when they seldom receive messages from that sender. This scores Minimal for the Detect category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. However, against specific email-based implementations, coverage will be near real-time and high for the criteria covered. License requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2). |
DO365-AAP-E5 | Advanced Anti-phishing | Technique Scores | T1656 | Impersonation | The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings, which can help protect in the event of business email compromise and email fraud campaigns and so may help protect against some methods of Impersonation. These protection policies are configurable across different user groups, and can be tied to actions designed to help organizations respond to the suspicious messages. This scores Minimal in the Protect category, given that the ability to flag potentially malicious emails provides relatively low or no coverage against the scope of the Impersonation technique and its example procedures. License requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2). |
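The Anti-Spoofing and Advanced Anti-phishing rows above rest on one mechanic: the From header is what the mail client shows, so a message whose From domain is not backed by an SPF or DKIM result aligned with that domain (or that fails DMARC outright) is treated as spoofed and the user is warned or the message is quarantined. The script below is an added example written for this page to make that check concrete; it is not Microsoft's anti-spoofing implementation (EOP's spoof intelligence and composite authentication are proprietary), and the `ORG_DOMAIN`, the `Authentication-Results` values and all three sample messages are constructed assumptions. The header syntax it parses is the RFC 8601 shape produced by a receiving MTA.

```python
"""
From-header alignment check against upstream authentication results.

Added example for this mapping page; not Microsoft's anti-spoofing code.
A message is treated as spoofed when neither SPF nor DKIM authenticates a
domain aligned with the From-header domain, or when DMARC explicitly
fails.  Authentication-Results follows RFC 8601; hostnames, selectors
and messages are constructed sample data.
"""
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "example-corp.com"   # the tenant's own domain (constructed)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc verdicts and the domain each was evaluated for.

    Input shape: '<authserv-id>; spf=pass smtp.mailfrom=a.example; dkim=pass
    header.d=a.example header.s=sel; dmarc=pass header.from=a.example'.
    """
    results = {}
    for clause in header.split(";")[1:]:       # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue
        method, verdict = m.group(1), m.group(2).lower()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(?:[^@\s]+@)?([^\s;]+)", clause)
        results[method] = {"result": verdict, "domain": dom.group(1).lower() if dom else ""}
    return results


def aligned(candidate: str, from_domain: str) -> bool:
    """Relaxed DMARC alignment: same domain, or a subdomain of the From domain."""
    return bool(candidate) and (candidate == from_domain or candidate.endswith("." + from_domain))


def evaluate_spoof(raw_message: str) -> dict:
    """Decide whether the visible From header is backed by aligned authentication."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})

    # A bare spf=pass is not enough: the authenticated domain must match the From domain.
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("domain", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("domain", ""), from_domain)

    if dmarc.get("result") == "fail":
        reason = "dmarc-fail"
    elif spf_ok or dkim_ok:
        reason = "authenticated"
    else:
        reason = "no-aligned-authentication"
    spoofed = reason != "authenticated"

    # An unauthenticated From address in the tenant's own domain is the highest-
    # confidence spoof, so it is quarantined; other spoofs go to Junk Email.
    internal = from_domain == ORG_DOMAIN
    action = "quarantine" if spoofed and internal else ("junk" if spoofed else "deliver")
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "reason": reason, "spoofed": spoofed, "action": action}


# Constructed sample messages as seen after the receiving MTA stamped its results.
LEGIT = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com header.s=sel1; dmarc=pass header.from=example-corp.com
From: Alice Sato <alice.sato@example-corp.com>
Subject: Board pack

Attached.
"""

SPOOF = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=k1; dmarc=fail header.from=example-corp.com
From: Alice Sato <alice.sato@example-corp.com>
Subject: Urgent payment request

Please process the attached invoice today.
"""

NO_DMARC = """\
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=parts-supplier.example;
 dkim=none; dmarc=none header.from=parts-supplier.example
From: Parts Supplier <vendor@parts-supplier.example>
Subject: March statement

Statement attached.
"""

if __name__ == "__main__":
    for sample in (LEGIT, SPOOF, NO_DMARC):
        print(evaluate_spoof(sample))
```

The second sample is the instructive one: SPF and DKIM both pass, but for `bulk-sender.example`, not for the `example-corp.com` address the recipient sees, so the message is spoofed and quarantined. The third sample shows that a sender domain with no DMARC record is still accepted when its SPF result is aligned with the From domain.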