Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-05.01 | Malware prevention | Mitigates | T1566.003 | Spearphishing via Service |
Comments
Antivirus/Antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
References
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media , personal webmail, etc.
References
|
| DE.CM-01.05 | Website and service blocking | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement protects against Spearphishing via Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1566.003 | Spearphishing via Service |
Comments
This diagnostic statement protects against Spearphishing via Service through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1566.003 | Spearphishing via Service | |
| SC-44 | Detonation Chambers | mitigates | T1566.003 | Spearphishing via Service | |
| SI-08 | Spam Protection | mitigates | T1566.003 | Spearphishing via Service | |
| SI-02 | Flaw Remediation | mitigates | T1566.003 | Spearphishing via Service | |
| SI-03 | Malicious Code Protection | mitigates | T1566.003 | Spearphishing via Service | |
| SI-04 | System Monitoring | mitigates | T1566.003 | Spearphishing via Service | |
| AC-04 | Information Flow Enforcement | mitigates | T1566.003 | Spearphishing via Service | |
| AC-02 | Account Management | mitigates | T1566.003 | Spearphishing via Service | |
| AC-06 | Least Privilege | mitigates | T1566.003 | Spearphishing via Service | |
| SC-07 | Boundary Protection | mitigates | T1566.003 | Spearphishing via Service |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1566.003 | Spearphishing via Service |
Comments
The domain associated with phishing can be delivered by various means these sub-techniques are added to the mapping and scoring of this Security service.
References
|