T1566.001 Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
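As an added example (not part of the ATT&CK technique page or the mappings project), the following Python script performs static triage of attachments in a constructed sample message for the tricks described above: an executable disguised with a document-like extension, a double extension, a password-protected archive, and an archive nested inside another archive. It uses only the standard library; all attachments and the message itself are synthetic test data.

```python
"""Static triage of e-mail attachments for common spearphishing-attachment tricks:
extension/content mismatch, double extensions, password-protected archives and
nested archives. Constructed sample message; stdlib only."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File signatures (magic bytes) mapped to what the content really is.
MAGIC = {
    b"MZ": "executable",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",  # legacy Office (.doc/.xls) container
    b"{\\rtf": "rtf",
}
# Extensions a user reads as "document" and the container each should carry.
DOC_EXT = {"pdf": "pdf", "doc": "ole", "xls": "ole", "rtf": "rtf",
           "docx": "zip", "xlsx": "zip", "zip": "zip"}
ARCHIVE_EXT = ("zip", "7z", "rar")
EXEC_EXT = ("exe", "scr", "js", "vbs", "hta", "bat", "cmd")


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, ignoring the claimed extension."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def zip_findings(data: bytes, depth: int = 0) -> list:
    """Flag encrypted entries, nested archives and executables inside a zip."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["corrupt or non-zip archive"]
    for info in zf.infolist():
        # General-purpose flag bit 0 marks an encrypted (password-protected) entry.
        if info.flag_bits & 0x1:
            findings.append(f"password-protected entry: {info.filename}")
            continue
        ext = info.filename.rsplit(".", 1)[-1].lower()
        if ext in ARCHIVE_EXT:
            findings.append(f"nested archive (depth {depth + 1}): {info.filename}")
            if ext == "zip" and depth < 3:
                findings += zip_findings(zf.read(info), depth + 1)
        elif ext in EXEC_EXT:
            findings.append(f"executable inside archive: {info.filename}")
    return findings


def triage_attachment(name: str, data: bytes) -> list:
    """Return a list of human-readable findings for one attachment."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOC_EXT:
        findings.append(f"double extension: {name}")
    kind = sniff(data)
    if ext in DOC_EXT and kind not in ("unknown", DOC_EXT[ext]):
        findings.append(f"content is {kind} but extension claims .{ext}: {name}")
    if ext in EXEC_EXT or kind == "executable":
        findings.append(f"executable attachment: {name}")
    if kind == "zip":
        findings += zip_findings(data)
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 822 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {(part.get_filename() or "<unnamed>"):
            triage_attachment(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()}


def build_sample_eml() -> bytes:
    """Constructed sample message; every attachment is synthetic test data."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, d in entries.items():
                zf.writestr(n, d)
        return buf.getvalue()
    nested = make_zip({"inner.zip": make_zip({"payload.exe": b"MZ" + b"\x00" * 62})})
    locked = bytearray(make_zip({"invoice.js": b"// nothing"}))
    # Set flag bit 0 in the local header and central directory so the entry reads
    # as encrypted, simulating a password-protected archive (constructed sample).
    locked[6] |= 1
    locked[locked.find(b"PK\x01\x02") + 8] |= 1
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.test", "user@example.test", "Invoice"
    msg.set_content("Please open the attached invoice; the archive password is in my last mail.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    msg.add_attachment(nested, maintype="application", subtype="zip", filename="statement.zip")
    msg.add_attachment(bytes(locked), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_eml()).items():
        print(name, "->", findings or ["no findings"])
```

Only the zip container is inspected here; 7z and RAR members are flagged as nested archives by name but not opened, so a production gate would add format-specific parsers and content detonation behind this first pass.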


CRI Profile Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

DE.AE-02.01  Event analysis and detection  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement provides for implementing methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.

PR.PS-01.01  Configuration baselines  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02  Least functionality  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.AA-03.03  Email verification mechanisms  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like SPF and DKIM adds protection against adversaries that may send spearphishing emails with a malicious attachment.

PR.PS-05.01  Malware prevention  Mitigates  T1566.001  Spearphishing Attachment
Comments: Antivirus/antimalware software can be used to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.

DE.CM-01.01  Intrusion detection and prevention  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement uses tools such as network intrusion prevention systems to identify, scan, and block malicious email attachments that users could otherwise open from their mail. Antivirus can also be used to quarantine suspicious files.

PR.PS-05.03  Email and message service protection  Mitigates  T1566.001  Spearphishing Attachment
Comments: Network intrusion prevention techniques can be used to remove malicious email attachments or links, preventing or blocking activity where phishing messages are sent to users.

DE.CM-01.05  Website and service blocking  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.

PR.IR-01.03  Network communications integrity and availability  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement protects against Spearphishing Attachment through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

PR.AA-01.01  Identity and credential management  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

PR.PS-01.08  End-user device protection  Mitigates  T1566.001  Spearphishing Attachment
Comments: This diagnostic statement protects against Spearphishing Attachment through limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

Known Exploited Vulnerabilities Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

CVE-2017-11292  Adobe Flash Player Type Confusion Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: This vulnerability is exploited using a maliciously crafted Word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command and control server. This malware then performs data collection on the target systems.

CVE-2025-0411  7-Zip Mark of the Web Bypass Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: Attackers can double-archive malicious payloads with 7-Zip to bypass Windows' Mark-of-the-Web security feature, further allowing the bypassing of Microsoft Defender SmartScreen. This allows attackers to disseminate these payloads via methods like email attachments, which would normally be subject to additional scrutiny by the service's protective measures. This flaw was patched in 7-Zip version 24.09.

CVE-2022-41033  Microsoft Windows COM+ Event System Service Privilege Escalation Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: CVE-2022-41033 is exploited by an attacker who has already obtained access to the target system. The vulnerability lies in the Windows COM+ Event System Service, due to improper handling of privilege escalation scenarios. It has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit is actively used in the wild, primarily in targeted attacks. It involves pairing the elevation of privilege vulnerability with other code-execution exploits, often through social engineering tactics such as enticing a user to open a malicious attachment or visit a harmful website. Once the vulnerability is exploited, attackers can manipulate system privileges to perform arbitrary actions with SYSTEM-level permissions. This allows them to achieve their objectives, such as installing programs, viewing or changing data, and creating new accounts with full user rights.

CVE-2025-33053  Microsoft Windows External Control of File Name or Path Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: By manipulating the working directory of Windows processes, attackers can abuse these legitimate processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.

CVE-2017-11882  Microsoft Office Memory Corruption Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: This vulnerability exists in Microsoft Office, which is prone to a memory corruption flaw that allows an attacker to run arbitrary code on unpatched systems, in the context of the current user, because Office fails to properly handle objects in memory. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.

CVE-2013-0640  Adobe Reader and Acrobat Memory Corruption Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: This vulnerability is exploited via a maliciously crafted PDF delivered as an email attachment.

CVE-2023-2868  Barracuda Networks ESG Appliance Improper Input Validation Vulnerability  exploitation_technique  T1566.001  Spearphishing Attachment
Comments: CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly exploited for espionage and exfiltration by UNC4841, as attributed by Mandiant. Following the exploitation of CVE-2023-2868, the malware families SALTWATER, SEASPY, and SEASIDE were identified in intrusions.

VERIS Mappings

Azure Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

microsoft_antimalware_for_azure  Microsoft Antimalware for Azure  technique_scores  T1566.001  Spearphishing Attachment
Comments: This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.

microsoft_antimalware_for_azure  Microsoft Antimalware for Azure  technique_scores  T1566.001  Spearphishing Attachment
Comments: This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.

GCP Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

chrome_enterprise_premium  Chrome Enterprise Premium  technique_scores  T1566.001  Spearphishing Attachment
Comments: Chrome Enterprise Premium can help identify and block malicious websites that might be phishing attempts through integrated data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis. This safeguards sensitive data and prevents users from reaching malicious websites wherever they browse from, including in a cloud environment.

virus_total  Virus Total  technique_scores  T1566.001  Spearphishing Attachment
Comments: VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.

AWS Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

amazon_guardduty  Amazon GuardDuty  technique_scores  T1566.001  Spearphishing Attachment
Comments: Because the domain associated with phishing can be delivered by various means, these sub-techniques are added to the mapping and scoring of this security service.

M365 Mappings

Capability ID  Capability Description  Mapping Type  ATT&CK ID  ATT&CK Name  Notes

DEF-SSCO-E3  Secure Score  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action. To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
- Identity (Microsoft Entra accounts & roles)
- Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
- Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
- Data (through Microsoft Information Protection)

EOP-AMW-E3  Antimalware  Technique Scores  T1566.001  Spearphishing Attachment
Comments: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:
- Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
- Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
- Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.
EOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:
- Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
- Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
- Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
License Requirements: M365 E3 or Microsoft Defender for Office plan 1.

DEF-QUAR-E3  Quarantine Policies  Technique Scores  T1566.001  Spearphishing Attachment
Comments: In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages. Traditionally, users have been allowed or denied levels of interactivity with quarantined messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware. Quarantine policies support the following M365 features: responding to items tagged by anti-malware and anti-phishing, and files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. License requirements: M365 E3 (or Defender for Office plan 1)

DEF-ZHAP-E3  Zero Hour Auto Purge  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing. License Requirements: ZAP for Defender O365 is included with M365 E3 and requires E5 when leveraging ZAP for Teams security.

EOP-APH-E3  Anti-Phishing  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with anti-phishing policies in Defender for Office 365 are: automatically created default policies, custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds. Microsoft 365's anti-phishing protection protects from phishing attacks through its custom policy feature, where administrators can create policies to determine whether certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk. License Requirements: Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR

DEF-SATT-E3  Safe Attachments  Technique Scores  T1566.001  Spearphishing Attachment
Comments: M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, the file can be quarantined or access to it blocked to prevent potential harm. License requirements: Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on
DEF-AIR-E5  Automated Investigation and Response  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming, and automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: soft-deleting email messages or clusters, blocking a URL (time-of-click), turning off external mail forwarding, turning off delegation, etc. Required licenses: E5 or Microsoft Defender for Office 365 Plan 2.

EID-MFA-E3  Multifactor Authentication  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Entra MFA can provide partial security protection against phishing tactics. It is a security measure that adds an extra layer of protection against phishing attacks by requiring users to verify their identity through more than one method.

DEF-SIMT-E5  ATT&CK Simulation Training  Technique Scores  T1566.001  Spearphishing Attachment
Comments: M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves organizations' security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. The following social engineering techniques are available:
- Credential Harvest: Attempts to collect credentials by taking users to a well-known-looking website with input boxes to submit a username and password.
- Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
- Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
- Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.
- Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
- OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure application.
License Requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
DEF-PSP-E3  Preset Security Policies  Technique Scores  T1566.001  Spearphishing Attachment
Comments: M365 preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. Preset security policies detect Spearphishing Attachment attacks because the Built-in protection preset security policy provides Safe Attachments protection to all recipients. Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation). License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR

DEF-THEX-E5  Threat Explorer  Technique Scores  T1566.001  Spearphishing Attachment
Comments: Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. Threat Explorer detects Spearphishing Attachment attacks through its System Override feature. The "File extension blocked by org policy" value enables an organization's security team to block a file name extension through the anti-malware policy settings. These values are displayed in email details to help with investigations. SecOps teams can also use the rich filtering capability to filter on blocked file extensions. License Requirements: Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR

DEF-TPSR-E3  Threat Protection Status Report  Technique Scores  T1566.001  Spearphishing Attachment
Comments: The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content, for example:
- Files or website addresses (URLs) that were blocked by the anti-malware engine
- Files or messages affected by zero-hour auto purge (ZAP)
- Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies
The Threat Protection Status Report detects Spearphishing Attachment attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies. License Requirements: Exchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR

DEF-AAPH-E5  Advanced Anti-Phishing  Technique Scores  T1566.001  Spearphishing Attachment
Comments: The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Attachments. Responses include the ability to automatically move suspicious messages to Junk Email, but additional settings also allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine, and limit user interaction with flagged emails. Note that the response will be insufficient in the event a user interacts with and executes the malicious spearphishing attachment. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

DEF-AAPH-E5  Advanced Anti-Phishing  Technique Scores  T1566.001  Spearphishing Attachment
Comments: The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user about suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. Detections include implicit email authentication, which includes unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and the first contact safety tip, which flags the first time a user gets a message from a sender, or a sender they don't often get messages from. This scores Significant for the Detect category, for its high coverage of incoming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting malicious emails, not on the processing and analysis of attachments. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

DEF-AAPH-E5  Advanced Anti-Phishing  Technique Scores  T1566.001  Spearphishing Attachment
Comments: The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings, which can help protect users by filtering out and even blocking suspicious emails, reducing the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails that end users receive. However, the AAP control on its own may not further protect against a user proceeding to interact with malicious attachments in a flagged email, depending on how an organization configures follow-up Actions and how a user interacts with the message. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

EOP-ASP-E3  AntiSpam  Technique Scores  T1566.001  Spearphishing Attachment
Comments: In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. To help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and from user feedback from our consumer platform. License requirements: M365 E3

DEF-THTR-E5  Threat Tracker  Technique Scores  T1566.001  Spearphishing Attachment
Comments: The Threat Tracker control includes noteworthy trackers, which highlight newly detected malicious files found by Safe Attachments and may alert on malicious spearphishing attachments. Specifically, noteworthy trackers highlight malicious files that were not previously seen by Microsoft in your email flow or in other customers' email. This scores Partial for Detection, for the ability to highlight potential new threats, although it is the Safe Attachments control that identifies and analyzes email attachments in the first place. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)