Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment.
References
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement utilizes the tools such as network intrusion prevent systems to identify, scan and block malicious email attachments that can be clicked on by users in their emails. Also, anti-virus can be used to quarantine suspicious files.
References
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1566.001 | Spearphishing Attachment |
Comments
This diagnostic statement protects against Spearphishing Attachment through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1566.001 | Spearphishing Attachment |
Comments
This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1566.001 | Spearphishing Attachment |
Comments
This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1566.001 | Spearphishing Attachment |
Comments
Chrome Enterprise Premium can help identify and block malicious websites that might be phishing attempts through integrated data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis, essentially safeguarding sensitive data and preventing users from accessing malicious websites even when accessing the web from anywhere, including in a cloud environment.
References
|
| virus_total | Virus Total | technique_scores | T1566.001 | Spearphishing Attachment |
Comments
VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1566.001 | Spearphishing Attachment |
Comments
The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
References
|