Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
|
| PR.PS-01.02 | Least functionality | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
References
|
| PR.AA-03.03 | Email verification mechanisms | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides protection from phishing attacks through the implementation of software configuration methods, such as anti-spoofing and email authentication. Enabling mechanisms like, SPF and DKIM, add protection against adversaries that may send phishing messages through the form of emails, instant messages, etc. to gain sensitive information.
References
|
| PR.PS-01.03 | Configuration deviation | Mitigates | T1598 | Phishing for Information |
Comments
This diagnostic statement provides protection from Phishing for Information through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration that uses anti-spoofing, email authentication mechanisms, encryption of credential data, and integrity checking can help protect against adversaries attempting to gather information.
References
|
| PR.PS-05.03 | Email and message service protection | Mitigates | T1598 | Phishing for Information |
Comments
Certain software configuration techniques can be utilized to detect and isolate spearphishing messages found with malicious attachments.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1598 | Phishing for Information | |
| CM-06 | Configuration Settings | mitigates | T1598 | Phishing for Information | |
| IA-09 | Service Identification and Authentication | mitigates | T1598 | Phishing for Information | |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | mitigates | T1598 | Phishing for Information | |
| SC-44 | Detonation Chambers | mitigates | T1598 | Phishing for Information | |
| SI-08 | Spam Protection | mitigates | T1598 | Phishing for Information | |
| SI-03 | Malicious Code Protection | mitigates | T1598 | Phishing for Information | |
| CM-02 | Baseline Configuration | mitigates | T1598 | Phishing for Information | |
| SI-04 | System Monitoring | mitigates | T1598 | Phishing for Information | |
| AC-04 | Information Flow Enforcement | mitigates | T1598 | Phishing for Information | |
| SC-07 | Boundary Protection | mitigates | T1598 | Phishing for Information |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| web_risk | Web Risk | technique_scores | T1598 | Phishing for Information |
Comments
Web Risk allows client applications to check URLs against Google's list of unsafe web resources. It also can provide warnings when attempting to access potentially unsafe sites. However, Google cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be classified in error. This has resulted in an overall score of Partial.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-SATT-E3 | Safe Attachments | Technique Scores | T1598 | Phishing for Information |
Comments
M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm.
License requirements:
Mirosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on
References
|
| DEF-SATT-E3 | Safe Attachments | Technique Scores | T1598 | Phishing for Information |
Comments
M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm.
License requirements:
Mirosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on
References
|
| DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1598 | Phishing for Information |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
| DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1598 | Phishing for Information |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1598.003 | Spearphishing Link | 24 |
| T1598.004 | Spearphishing Voice | 6 |
| T1598.002 | Spearphishing Attachment | 21 |
| T1598.001 | Spearphishing Service | 9 |