T1566.001 Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1566.001 Spearphishing Attachment
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
    PR.PS-01.01 Configuration baselines Mitigates T1566.001 Spearphishing Attachment
    Comments
    This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
    References
      PR.PS-01.02 Least functionality Mitigates T1566.001 Spearphishing Attachment
      Comments
      This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
      References
        PR.AA-03.03 Email verification mechanisms Mitigates T1566.001 Spearphishing Attachment
        Comments
        This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send spearphishing emails with a malicious attachment.
        References
          PR.PS-05.01 Malware prevention Mitigates T1566.001 Spearphishing Attachment
          Comments
          Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
          References
            DE.CM-01.01 Intrusion detection and prevention Mitigates T1566.001 Spearphishing Attachment
            Comments
            This diagnostic statement utilizes the tools such as network intrusion prevent systems to identify, scan and block malicious email attachments that can be clicked on by users in their emails. Also, anti-virus can be used to quarantine suspicious files.
            References
              PR.PS-05.03 Email and message service protection Mitigates T1566.001 Spearphishing Attachment
              Comments
              Network intrusion prevention techniques can be utilized to remove malicious email attachment or link to prevent/block activity where phishing messages can be sent to users.
              References
                DE.CM-01.05 Website and service blocking Mitigates T1566.001 Spearphishing Attachment
                Comments
                This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
                References
                  PR.IR-01.03 Network communications integrity and availability Mitigates T1566.001 Spearphishing Attachment
                  Comments
                  This diagnostic statement protects against Spearphishing Attachment through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
                  References
                    PR.AA-01.01 Identity and credential management Mitigates T1566.001 Spearphishing Attachment
                    Comments
                    This diagnostic statement protects against Spearphishing Attachment through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
                    References
                      PR.PS-01.08 End-user device protection Mitigates T1566.001 Spearphishing Attachment
                      Comments
                      This diagnostic statement protects against Spearphishing Attachment through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
                      References

                        VERIS Mappings

                        Azure Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        microsoft_antimalware_for_azure Microsoft Antimalware for Azure technique_scores T1566.001 Spearphishing Attachment
                        Comments
                        This control may quarantine and/or delete any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
                        References
                        microsoft_antimalware_for_azure Microsoft Antimalware for Azure technique_scores T1566.001 Spearphishing Attachment
                        Comments
                        This control may detect any spearphishing attachment that has been downloaded and matches a malware signature. Customized malware without a matching signature may not generate an alert.
                        References

                        GCP Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        chrome_enterprise_premium Chrome Enterprise Premium technique_scores T1566.001 Spearphishing Attachment
                        Comments
                        Chrome Enterprise Premium can help identify and block malicious websites that might be phishing attempts through integrated data loss prevention (DLP) controls, advanced malware and phishing detection, and real-time threat analysis, essentially safeguarding sensitive data and preventing users from accessing malicious websites even when accessing the web from anywhere, including in a cloud environment.
                        References
                        virus_total Virus Total technique_scores T1566.001 Spearphishing Attachment
                        Comments
                        VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
                        References

                        AWS Mappings

                        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                        amazon_guardduty Amazon GuardDuty technique_scores T1566.001 Spearphishing Attachment
                        Comments
                        The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
                        References