T1566.003 Spearphishing via Service

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses third-party services rather than going directly through enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise-controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to build rapport with the target or otherwise capture the target's interest. Adversaries will create fake social media accounts and message employees about potential job opportunities. Doing so gives them a plausible reason to ask about the services, policies, and software running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
PR.PS-01.01 | Configuration baselines | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.PS-05.03 | Email and message service protection | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: Anti-virus can also automatically quarantine suspicious files sent through messages via services, social media, personal webmail, etc.
PR.PS-05.01 | Malware prevention | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: Antivirus/antimalware software can be utilized to detect and quarantine suspicious files and links, protecting against harmful files, websites, and downloads.
DE.CM-01.05 | Website and service blocking | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: This diagnostic statement provides for implementing tools and measures such as filtering messages and restricting certain websites or attachment types, which can help block phishing attempts.
PR.AA-01.01 | Identity and credential management | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: This diagnostic statement protects against Spearphishing via Service through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.08 | End-user device protection | Mitigates | T1566.003 | Spearphishing via Service |
    Comments: This diagnostic statement protects against Spearphishing via Service by limiting access to resources to only authorized devices, managing personal computing devices, using network intrusion prevention, and using antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1566.003 | Spearphishing via Service |
SC-44 | Detonation Chambers | mitigates | T1566.003 | Spearphishing via Service |
SI-08 | Spam Protection | mitigates | T1566.003 | Spearphishing via Service |
SI-02 | Flaw Remediation | mitigates | T1566.003 | Spearphishing via Service |
SI-03 | Malicious Code Protection | mitigates | T1566.003 | Spearphishing via Service |
SI-04 | System Monitoring | mitigates | T1566.003 | Spearphishing via Service |
AC-04 | Information Flow Enforcement | mitigates | T1566.003 | Spearphishing via Service |
AC-02 | Account Management | mitigates | T1566.003 | Spearphishing via Service |
AC-06 | Least Privilege | mitigates | T1566.003 | Spearphishing via Service |
SC-07 | Boundary Protection | mitigates | T1566.003 | Spearphishing via Service |

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1566.003 | Spearphishing via Service |
action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g. A fake google login page isn't really pretexting. | related-to | T1566.003 | Spearphishing via Service |
action.social.vector.Email | Email | related-to | T1566.003 | Spearphishing via Service |

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_guardduty | Amazon GuardDuty | technique_scores | T1566.003 | Spearphishing via Service |
    Comments: The domain associated with phishing can be delivered by various means, so these sub-techniques are added to the mapping and scoring of this security service.