T1566 Phishing Mappings

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., User Execution).(Citation: Unit42 Luna Moth)
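The sender spoofing, Reply-To redirection and thread hijacking described above leave traces in message headers. The following is an added example, not part of the ATT&CK description or of the mappings on this page: a small Python triage check, using only the standard library, over two constructed messages (the addresses, domains and Authentication-Results verdicts are made up). It compares the visible From: domain with the envelope sender (Return-Path), flags a Reply-To: pointing elsewhere, reads the SPF/DKIM/DMARC verdicts from Authentication-Results (RFC 8601), and treats a "Re:" subject with no In-Reply-To/References as a possible fake thread.

```python
"""Header-consistency checks for the spoofing signals described above.

Constructed example: sample messages are made up; the checks are triage
heuristics, not a replacement for full SPF/DKIM/DMARC evaluation at the MTA.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lowercase domain of an RFC 5322 address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_verdicts(msg):
    """spf/dkim/dmarc results from Authentication-Results (RFC 8601) headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def check_spoof(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))

    # Display From: disagreeing with the envelope sender is the classic spoofing tell.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {envelope_dom}")
    # A Reply-To: elsewhere steers the victim's answer to the attacker's mailbox.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Anything short of a pass on all three authentication methods is a finding.
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} result: {verdicts.get(method, 'missing')}")
    # Thread-hijacking lookalike: reply-style subject with no threading headers.
    subject = (msg.get("Subject") or "").strip().lower()
    if subject.startswith(("re:", "fw:", "fwd:")) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("reply-style subject without In-Reply-To/References")
    return findings


# Constructed sample messages (domains, addresses and verdicts are made up).
LEGIT = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
In-Reply-To: <20240101.1234@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Subject: Re: Q3 invoice

Attached as discussed.
"""

SPOOFED = """\
From: Alice <alice@example.com>
Return-Path: <bounce@mail-example.co>
Reply-To: <alice.example@gmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-example.co; dkim=none; dmarc=fail header.from=example.com
Subject: Re: Q3 invoice

Please review the attached invoice and confirm payment today.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, check_spoof(raw) or "no findings")
```

The caveat the ATT&CK text itself makes still applies: a message sent from a genuinely compromised mailbox into an existing thread passes every one of these checks, which is exactly why thread hijacking is listed as an evasive variant. Headers such as Return-Path and Authentication-Results are only trustworthy when added by your own receiving MTA; strip any copies that arrive from outside before relying on them.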


VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.vector.Instant messaging | Instant Messaging | related-to | T1566 | Phishing | |
| action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario, e.g. a fake Google login page isn't really pretexting. | related-to | T1566 | Phishing | |
| action.social.vector.Email | Email | related-to | T1566 | Phishing | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1566 | Phishing | |
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1566 | Phishing | |
| titan_security_key | Titan Security Key | technique_scores | T1566 | Phishing | |
| virus_total | VirusTotal | technique_scores | T1566 | Phishing | |
| web_risk | Web Risk | technique_scores | T1566 | Phishing | |

Comments

chrome_enterprise_premium (Chrome Enterprise Premium), first mapping: Chrome Enterprise Premium provides advanced protection against phishing in the cloud through data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis. It safeguards sensitive data and prevents users from reaching malicious websites wherever they browse from, including from within a cloud environment.

chrome_enterprise_premium (Chrome Enterprise Premium), second mapping: Chrome Enterprise Premium can identify and block malicious websites that may be phishing attempts, using the same integrated DLP controls, advanced malware and phishing detection, and real-time threat analysis, so that sensitive data is protected and users are kept off malicious sites regardless of where they access the web.

titan_security_key (Titan Security Key): This control mitigates a range of phishing attacks by requiring a hardware security key for authentication in addition to the user's password. Unlike one-time codes or push approvals, which a user can be tricked into handing to a phishing page, the key's signed response is bound to the site the browser is actually on, and the private key never leaves the hardware device, so an assertion obtained by an illegitimate service or website cannot be used to authenticate to the legitimate one.

virus_total (VirusTotal): VirusTotal, now part of Google Cloud, provides threat context and reputation data for analyzing suspicious files, URLs, domains, and IP addresses. This control helps against adversaries who deliver malware by email through malicious links or attachments. The malware-scanner service scans each uploaded document for malware: an infected document is moved to a quarantine bucket, and a clean one is moved to a separate bucket that holds scanned, uninfected documents.

web_risk (Web Risk): Web Risk lets client applications check URLs against Google's list of unsafe web resources and can warn users before they reach a potentially unsafe site. Google does not guarantee that this information is complete or error-free: some risky sites may not be identified, and some safe sites may be flagged in error. This limitation results in an overall score of Partial.
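The Titan Security Key comment above rests on one property of FIDO2/WebAuthn: the key signs over data that names both the relying party (as SHA-256 of the rpId) and the origin the browser was on, so a response produced on a lookalike site is rejected by the real one. The following is an added example, not code from this page, from Google, or from any FIDO library: the relying-party checks in plain Python. It assumes a simulated authenticator whose signature is an HMAC over a per-credential secret, standing in for the real device's asymmetric key so the example runs with the standard library alone; CBOR/COSE decoding and signature-counter tracking from the specification are omitted, and the rpId, origins and challenge are made up.

```python
"""Why a FIDO2/WebAuthn security key resists phishing: constructed relying-party checks.

The signed assertion covers authenticatorData (which embeds SHA-256(rpId)) and the hash
of clientDataJSON (which names the browser's origin and the challenge the RP issued).
Assumption: the signature is simulated with HMAC over a per-credential secret so the
example runs with the standard library; a real key signs with a private key that never
leaves the device. CBOR/COSE parsing and counter tracking from the spec are omitted.
"""
import hashlib
import hmac
import json

RP_ID = "example.com"                         # relying party identifier (made up)
EXPECTED_ORIGIN = "https://login.example.com"  # the only origin the RP accepts


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def browser_allows(origin, rp_id):
    """Client-side rule: rpId must equal the origin's host or be a registrable suffix of it.
    This is why a lookalike site cannot ask the key for example.com's credential."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


def client_data(challenge, origin):
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def fake_authenticator(secret, rp_id, client_data_json, counter):
    """Simulated authenticator: signs rpIdHash || flags || counter || SHA-256(clientDataJSON)."""
    auth_data = rp_id_hash(rp_id) + bytes([0x01]) + counter.to_bytes(4, "big")  # flags: UP set
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(secret, to_sign, hashlib.sha256).digest()


def verify_assertion(secret, expected_challenge, client_data_json, auth_data, signature):
    """Relying-party verification; returns 'ok' or the reason for rejection."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"            # replayed or attacker-chosen challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"  # produced on another site
    if auth_data[:32] != rp_id_hash(RP_ID):
        return "rpIdHash mismatch"             # key was asked for a different relying party
    if not (auth_data[32] & 0x01):
        return "user not present"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(secret, to_sign, hashlib.sha256).digest(), signature):
        return "bad signature"                 # clientData or authData altered after signing
    return "ok"


def demo():
    secret = b"constructed-per-credential-secret"
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # issued by the RP for this login attempt

    # 1. Genuine login from the real origin.
    cd = client_data(challenge, EXPECTED_ORIGIN)
    ad, sig = fake_authenticator(secret, RP_ID, cd, 1)
    legit = verify_assertion(secret, challenge, cd, ad, sig)

    # 2. Victim on a lookalike domain. The browser only lets that page use its own rpId,
    #    so the assertion names the phishing origin and carries a different rpIdHash.
    phish_origin = "https://login.example.com.evil.test"
    cd_p = client_data(challenge, phish_origin)
    ad_p, sig_p = fake_authenticator(secret, "example.com.evil.test", cd_p, 2)
    phished = verify_assertion(secret, challenge, cd_p, ad_p, sig_p)

    # 3. Attacker relays that assertion with clientData rewritten to the real origin.
    cd_r = client_data(challenge, EXPECTED_ORIGIN)
    relayed = verify_assertion(secret, challenge, cd_r, ad_p, sig_p)
    return legit, phished, relayed


if __name__ == "__main__":
    print(demo())
    print(browser_allows("https://login.example.com.evil.test", RP_ID))
```

Cases 2 and 3 are the phishing scenario from two sides: the assertion captured on the lookalike site fails the origin check, and rewriting the client data to pass that check exposes the wrong rpIdHash; patching the rpIdHash as well would break the signature, since it covers both. Contrast this with a TOTP code or a push approval, which carries no binding to the site that requested it.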

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1566 | Phishing | |

Comments

amazon_guardduty (Amazon GuardDuty): GuardDuty provides the finding type Trojan:EC2/PhishingDomainRequest!DNS, which alerts when an EC2 instance queries a domain known to be associated with phishing attacks.

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1566.001 | Spearphishing Attachment | 7 |
| T1566.002 | Spearphishing Link | 9 |
| T1566.003 | Spearphishing via Service | 3 |
| T1566.004 | Spearphishing Voice | 1 |