Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-pt | Intel Processor Trace | Crowdstrike HEED | T1566.001 | Spearphishing Attachment | |
Comments
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of exploits delivered via spearphishing attachments. These attacks often involve adversaries exploiting vulnerabilities within applications or services to execute malicious code once a user interacts with a compromised attachment, enabling attackers to manipulate system behavior and compromise security.
Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real time. This detailed telemetry helps security teams detect abnormal behaviors, such as suspicious execution flows or unexpected interactions triggered by malicious attachments, as well as attempts to hijack legitimate processes. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts that are often used in spearphishing campaigns to gain unauthorized access or deploy malware.
By combining Intel PT’s granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive spearphishing attacks that may bypass traditional security measures. This proactive approach enables organizations to quickly identify and mitigate exploits delivered through malicious attachments, strengthening the protection of critical systems and reducing the risk of compromise from advanced, targeted cyber threats.
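The detection idea described above, reduced to a toy: given hardware-captured control-flow telemetry, flag transfers into non-image memory and returns that do not match a prior call. This is an added example, not CrowdStrike's or Intel's code; the trace format, the image map and the stack region are all constructed, and real Intel PT decoding (PSB/TIP/TNT packets) is far more involved.

```python
# Toy control-flow checker over a simplified Intel PT-style branch trace.
# Trace entries (constructed): ("call", src, dst, return_addr),
#                              ("ret",  src, dst) or ("jmp", src, dst).

# Constructed process layout: executable images and a writable stack region.
IMAGE_MAP = [("document_reader.exe", 0x400000, 0x480000),
             ("ntdll.dll", 0x7FF00000, 0x7FF80000)]
STACK_REGION = (0x10000000, 0x10100000)  # hypothetical stack, not executable


def region_of(addr):
    """Name of the executable image containing addr, or None."""
    for name, lo, hi in IMAGE_MAP:
        if lo <= addr < hi:
            return name
    return None


def analyze_trace(trace):
    """Return (index, finding, target) triples for suspicious transfers.
    Check 1: control transfer to an address outside every executable image
             (e.g. shellcode on the stack or heap).
    Check 2: a 'ret' whose target is not the return address recorded for the
             most recent unmatched 'call' (a shadow-stack style check; a run
             of these is what a ROP chain looks like in the trace)."""
    shadow_stack = []
    findings = []
    for i, (kind, src, dst, *extra) in enumerate(trace):
        if region_of(dst) is None:
            findings.append((i, "transfer-outside-image", hex(dst)))
        if kind == "call":
            shadow_stack.append(extra[0])  # return address the call pushed
        elif kind == "ret":
            expected = shadow_stack.pop() if shadow_stack else None
            if expected != dst:
                findings.append((i, "ret-mismatch", hex(dst)))
    return findings


# Constructed traces: a normal call/return pair, and a chain of returns into
# library gadgets ending on the stack, as a hijacked reader process would show.
BENIGN_TRACE = [("call", 0x401000, 0x401200, 0x401005), ("ret", 0x401230, 0x401005),
                ("call", 0x401010, 0x7FF01000, 0x401015), ("ret", 0x7FF01050, 0x401015)]
EXPLOIT_TRACE = [("call", 0x401000, 0x401200, 0x401005), ("ret", 0x401230, 0x7FF01234),
                 ("ret", 0x7FF01238, 0x7FF02345), ("ret", 0x7FF02349, 0x10004000)]

if __name__ == "__main__":
    print("benign:", analyze_trace(BENIGN_TRACE))
    print("exploit:", analyze_trace(EXPLOIT_TRACE))
```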