1. Home
  2. ATT&CK Techniques
  3. T1598 Phishing for Information

T1598 Phishing for Information

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)

Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)

Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1598 Phishing for Information
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1598 Phishing for Information
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.AA-03.03 Email verification mechanisms Mitigates T1598 Phishing for Information
      Comments
      This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send phishing messages through the form of emails, instant messages, etc. to gain sensitive information.
      References
        PR.PS-05.03 Email and message service protection Mitigates T1598 Phishing for Information
        Comments
        Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments.
        References
          PR.PS-01.03 Configuration deviation Mitigates T1598 Phishing for Information
          Comments
          This diagnostic statement provides protection from Phishing for Information through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information.
          References
            PR.PS-05.03 Email and message service protection Mitigates T1598 Phishing for Information
            Comments
            Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CA-07 Continuous Monitoring mitigates T1598 Phishing for Information
              CM-06 Configuration Settings mitigates T1598 Phishing for Information
              IA-09 Service Identification and Authentication mitigates T1598 Phishing for Information
              SC-20 Secure Name/Address Resolution Service (Authoritative Source) mitigates T1598 Phishing for Information
              SC-44 Detonation Chambers mitigates T1598 Phishing for Information
              SI-08 Spam Protection mitigates T1598 Phishing for Information
              SI-03 Malicious Code Protection mitigates T1598 Phishing for Information
              CM-02 Baseline Configuration mitigates T1598 Phishing for Information
              SI-04 System Monitoring mitigates T1598 Phishing for Information
              AC-04 Information Flow Enforcement mitigates T1598 Phishing for Information
              SC-07 Boundary Protection mitigates T1598 Phishing for Information

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              action.social.variety.Phishing Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. related-to T1598 Phishing for Information
              action.social.variety.Pretexting Pretexting (dialogue leveraging invented scenario). Unlike 'Phishing', does not transfer data. (A fraudulent transfer or changing a bank account on a business account is not really disclosing data. related-to T1598 Phishing for Information

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              web_risk Web Risk technique_scores T1598 Phishing for Information
              Comments
              Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.
              References
              1. ['https://cloud.google.com/web-risk/docs/overview']

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1598.003 Spearphishing Link 24
              T1598.004 Spearphishing Voice 5
              T1598.002 Spearphishing Attachment 18
              T1598.001 Spearphishing Service 9