Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses links embedded in the email to deliver malware, rather than attaching malicious files to the email itself, in order to avoid defenses that inspect email attachments.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)
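Two of the indicators the description names, a link whose visible text names a different host than its href, and a remote image sized as a web beacon, can be checked mechanically. The Python below is an added example, not code from the page or from ATT&CK; it parses a constructed sample message (all hosts in it are placeholders) and reports both findings for triage.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the page): anchor text names one host, href points at another; 1x1 remote image is a beacon.
SAMPLE_EML = b"""From: it-support@example.com
To: alice@example.com
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires today. Sign in at
<a href="https://login.example-portal.test/reset">https://portal.example.com/reset</a></p>
<img src="https://track.example-portal.test/open.gif" width="1" height="1"></body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):  # record anchors and remote images
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src", "").startswith("http"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
    def handle_data(self, data):  # accumulate the visible text of the open anchor
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_email(raw):
    """Return (finding, url) pairs: anchor text/href host mismatches and 1x1 remote images."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None: return []  # plain-text mail: nothing to parse here
    parser, findings = LinkCollector(), []
    parser.feed(body.get_content())
    for href, text in parser.links:
        shown = urlparse(text).hostname if "://" in text else None  # only when the text itself reads as a URL
        if shown and shown.lower() != (urlparse(href).hostname or "").lower():
            findings.append(("text_href_mismatch", href))
    for src, width, height in parser.images:
        if width == "1" and height == "1":
            findings.append(("web_beacon", src))
    return findings
```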
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1566.002 | Spearphishing Link | |
CA-7 | Continuous Monitoring | Protects | T1566.002 | Spearphishing Link | |
SC-44 | Detonation Chambers | Protects | T1566.002 | Spearphishing Link | |
SC-7 | Boundary Protection | Protects | T1566.002 | Spearphishing Link | |
SI-3 | Malicious Code Protection | Protects | T1566.002 | Spearphishing Link | |
SI-4 | System Monitoring | Protects | T1566.002 | Spearphishing Link | |
SI-8 | Spam Protection | Protects | T1566.002 | Spearphishing Link | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1566.002 | Spearphishing Link | This control monitors for known phishing links on the Azure App Services website and generates alerts if they are detected, potentially preventing their access by users. This is a very specific avenue, only covers known links, and the temporal factor is unknown, resulting in a Minimal score. |
azure_dns_analytics | Azure DNS Analytics | technique_scores | T1566.002 | Spearphishing Link | This control can be used forensically to identify DNS queries to known malicious sites, which may be evidence of phishing. |