Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., User Execution).(Citation: Unit42 Luna Moth)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-ptt | Intel Platform Trust Technology | Win 11, ESS/Hello | T1566 | Phishing |
Comments
Windows Hello ESS authentication leverages virtual sandbox(Intel VT-X) to protect authentication data to significantly reduce the risk of brute force attacks on passwords, as biometrics typically require physical presence or biometric data that cannot be easily guessed or replicated. It uses the TPM (Intel PTT) to store authentication data including public/private key pairs. Windows Hello also includes Passkeys, a passwordless authentication option that generates public/private key pair with the public key shared with the service requiring authentication and the private key stored in the TPM, which is only released after authentication locally on the device using either a biometric factor such as fingerprint, facial recognition, or a PIN. Windows Hello helps protect against the risk of credentials being stored in files by eliminating the need for passwords in many authentication scenarios.
Passkeys are not phishable like traditional passwords. When using Windows Hello, users authenticate with biometrics (face, fingerprint) or a PIN, which are not transmitted over the network and cannot be intercepted by phishing attacks.
Windows Hello generates a unique key pair for each relying party (e.g., websites, services). This means even if one key is compromised, it cannot be used to access other services. Phishing techniques are more related to social engineering and still may be possible, hence marked as Partial.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1566.001 | Spearphishing Attachment | 1 |