ID | Name |
---|---|
T1566.001 | Spearphishing Attachment |
T1566.002 | Spearphishing Link |
T1566.003 | Spearphishing via Service |
T1566.004 | Spearphishing Voice |
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.
Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").[1] URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an "@" symbol: for example, hxxp://google.com@1157586937.[2]
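To make the hostname quirks just described concrete, here is an added Python example (it is not code from the ATT&CK page) that parses a link the way a browser would: it isolates the userinfo before "@", converts single-integer, hex and octal hostnames to dotted-quad form following the WHATWG IPv4 parsing rules, and records which tricks were found. The defanged `hxxp` spelling used in the text is mapped back to `http`, and the flag names and the `normalize_url`/`canonical_ipv4` function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Defanged scheme spellings (as in "hxxp://" above) are mapped back to the real
# scheme so the parser treats the link as the victim's browser would.
DEFANGED_SCHEMES = {"hxxp": "http", "hxxps": "https"}


def _parse_ipv4_part(part: str) -> int:
    """Parse one dotted component as URL parsers do: 0x-prefixed hex,
    leading-zero octal, otherwise decimal. Raises ValueError if not numeric."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if not part.isdigit():
        raise ValueError(part)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)  # ValueError if it contains 8 or 9, like a browser
    return int(part, 10)


def canonical_ipv4(host: str):
    """Return the dotted-quad form if `host` is an IPv4 address in any shorthand a
    browser accepts (single 32-bit integer, hex, octal, fewer than four parts), or
    None if it is a name. Follows the WHATWG URL IPv4 parser in outline."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":
        parts.pop()  # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    # Every part but the last is one octet; the last part fills the remaining octets.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def normalize_url(url: str) -> dict:
    """Split a URL the way a browser does and list the obfuscation tricks found."""
    scheme, sep, rest = url.partition("://")
    if sep:
        url = DEFANGED_SCHEMES.get(scheme.lower(), scheme.lower()) + "://" + rest
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.username is not None:
        # Everything before "@" is userinfo and is discarded when connecting,
        # so "google.com@..." is bait, not the destination.
        flags.append("userinfo_before_at")
    ip = canonical_ipv4(host)
    if ip is not None:
        if ip != host:
            flags.append("non_dotted_ip_host")
        host = ip  # report the address the browser will actually connect to
    elif any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn_punycode_label")  # candidate for homograph review
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,
        "host": host,
        "path": parts.path or "/",
        "flags": flags,
    }


if __name__ == "__main__":
    for u in ("hxxp://google.com@1157586937", "http://0x7f.1/login", "http://0177.0.0.1"):
        print(u, "->", normalize_url(u))
```

Run on the page's own example, `normalize_url` reports that the real destination is the integer host rendered as a dotted quad, with `google.com` relegated to the ignored userinfo; the same routine is what an email gateway's URL inspection step would apply before comparing a link against reputation lists.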
Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens.[3] These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.[4]
Adversaries may also utilize spearphishing links to Steal Application Access Tokens that grant immediate access to the victim environment. For example, a user may be lured through "consent phishing" into granting adversaries permissions/access via a malicious OAuth 2.0 request URL.[3][4]
Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as "device code phishing," an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.[5][6][7]
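The consent-phishing links described above are ordinary OAuth 2.0 authorization requests, so a defender can inspect them before a user clicks. The following added Python example (not code from the ATT&CK page) recognises an authorization request by its `/authorize` path and `client_id` parameter, then reports which application would be authorized, which scopes it asks for, and where the authorization code or token would be sent. The identity-provider host `login.example-idp.test`, the `client_id` allowlist and the set of high-impact scopes are constructed for the example; `offline_access` is the standard OpenID Connect refresh-token scope, and the other scope names are illustrative mailbox and file permissions.

```python
from urllib.parse import parse_qs, urlsplit

# Scopes treated as high impact when an unfamiliar app requests them (compared
# case-insensitively). offline_access is the standard OIDC refresh-token scope;
# the rest are constructed examples of mailbox and file permissions.
HIGH_IMPACT_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send",
    "files.read.all", "files.readwrite.all", "user.read.all",
}

# Constructed allowlist: client_ids of applications the organisation has reviewed.
KNOWN_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}


def inspect_consent_url(url: str, known_clients=KNOWN_CLIENT_IDS) -> dict:
    """Decide whether a link is an OAuth 2.0 authorization request and, if so,
    which app it would authorize, for what, and where the code/token would go."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    is_authz = parts.path.rstrip("/").endswith("/authorize") and "client_id" in query
    result = {"is_authorization_request": is_authz, "flags": []}
    if not is_authz:
        return result

    client_id = first("client_id")
    scopes = first("scope").split()          # scope is a space-separated list
    redirect = urlsplit(first("redirect_uri"))
    result.update({
        "client_id": client_id,
        "client_known": client_id in known_clients,
        "response_type": first("response_type"),
        "scopes": scopes,
        "high_impact_scopes": [s for s in scopes if s.lower() in HIGH_IMPACT_SCOPES],
        "redirect_host": redirect.hostname,
    })
    if not result["client_known"]:
        result["flags"].append("unknown_client_id")
    if result["high_impact_scopes"]:
        result["flags"].append("high_impact_scopes")
    if redirect.scheme and redirect.scheme != "https":
        result["flags"].append("redirect_uri_not_https")
    if "token" in result["response_type"].split():
        # Implicit flow: the access token itself is returned in the URL fragment.
        result["flags"].append("implicit_flow_token_in_fragment")
    return result


# Constructed sample links: a suspicious request from an unreviewed app asking for
# persistent mailbox and file access, and a benign sign-in by a reviewed app.
SUSPICIOUS_LINK = (
    "https://login.example-idp.test/common/oauth2/v2.0/authorize"
    "?client_id=22222222-2222-2222-2222-222222222222&response_type=code"
    "&redirect_uri=http%3A%2F%2F203.0.113.5%2Fcb"
    "&scope=openid+offline_access+Mail.Read+Files.ReadWrite.All&state=abc"
)
BENIGN_LINK = (
    "https://login.example-idp.test/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid+profile"
)

if __name__ == "__main__":
    for link in (SUSPICIOUS_LINK, BENIGN_LINK):
        print(inspect_consent_url(link))
```

The check pairs naturally with the M1018 mitigation below: an organisation that restricts user consent to reviewed applications can use the same `client_id` allowlist to decide which links to block or to route to an administrator for review.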
ID | Name | Description |
---|---|---|
S0677 | AADInternals | AADInternals can send "consent phishing" emails containing malicious links designed to steal users’ access tokens.[8] |
S0584 | AppleJeus | |
G0006 | APT1 | APT1 has sent spearphishing emails containing hyperlinks to malicious files.[10] |
G0007 | APT28 | APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[11][12][13][14] |
G0016 | APT29 | APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[15][16][17] |
G0022 | APT3 | APT3 has sent spearphishing emails containing malicious links.[18] |
G0050 | APT32 | APT32 has sent spearphishing emails containing malicious links.[19][20][21][22][23] |
G0064 | APT33 | APT33 has sent spearphishing emails containing links to .hta files.[24][25] |
G0087 | APT39 | APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[26][27] |
S0534 | Bazar | Bazar has been spread via emails with embedded malicious links.[28][29][30] |
G0098 | BlackTech | BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[31] |
S1039 | Bumblebee | Bumblebee has been spread through e-mail campaigns with malicious links.[32][33] |
C0011 | C0011 | During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.[34] |
C0021 | C0021 | During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.[35][36] |
G0080 | Cobalt Group | Cobalt Group has sent emails with URLs pointing to malicious documents.[37][38] |
G0142 | Confucius | Confucius has sent malicious links to victims through email campaigns.[39] |
S1111 | DarkGate | DarkGate is distributed in phishing emails containing links to distribute malicious VBS or MSI files.[40] DarkGate uses applications such as Microsoft Teams for distributing links to payloads.[40] |
G1006 | Earth Lusca | Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.[41] |
G0066 | Elderwood | Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[42][43] |
G1003 | Ember Bear | Ember Bear has sent spearphishing emails containing malicious links.[44] |
S0367 | Emotet | Emotet has been delivered by phishing emails containing links.[45][46][47][48][49][50][51][52] |
G0120 | Evilnum | Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[53] |
G1011 | EXOTIC LILY | EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.[54] |
G0085 | FIN4 | FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[55][56] |
G0046 | FIN7 | FIN7 has conducted broad phishing campaigns using malicious links.[57] |
G0061 | FIN8 | FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[58] |
S0531 | Grandoreiro | Grandoreiro has been spread via malicious links embedded in e-mails.[59][60] |
S0561 | GuLoader | GuLoader has been spread in phishing campaigns using malicious web links.[61] |
S0499 | Hancitor | Hancitor has been delivered via phishing emails which contained malicious links.[62] |
S0528 | Javali | Javali has been delivered via malicious links embedded in e-mails.[63] |
S0585 | Kerrdown | Kerrdown has been distributed via e-mails containing a malicious link.[23] |
G0094 | Kimsuky | Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[64][65][66] |
S0669 | KOCTOPUS | KOCTOPUS has been distributed as a malicious link within an email.[67] |
G0032 | Lazarus Group | Lazarus Group has sent malicious links to victims via email.[68] |
G0140 | LazyScripter | LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.[67] |
G0065 | Leviathan | Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[69][70] |
G1014 | LuminousMoth | LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[71] |
G0095 | Machete | Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[72][73] |
G0059 | Magic Hound | Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.[74][75][76][77] |
S0530 | Melcoz | Melcoz has been spread through malicious links embedded in e-mails.[63] |
S1122 | Mispadu | Mispadu has been spread via malicious links embedded in emails.[78] |
G0103 | Mofang | Mofang delivered spearphishing emails with malicious links included.[79] |
G0021 | Molerats | Molerats has sent phishing emails with malicious links included.[80] |
G0069 | MuddyWater | MuddyWater has sent targeted spearphishing e-mails with malicious links.[81][82][83] |
G0129 | Mustang Panda | Mustang Panda has delivered malicious links to their intended targets.[84] |
G1020 | Mustard Tempest | Mustard Tempest has sent victims emails containing links to compromised websites.[85] |
S0198 | NETWIRE | NETWIRE has been spread via e-mail campaigns utilizing malicious links.[61] |
C0002 | Night Dragon | During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.[86] |
G0049 | OilRig | OilRig has sent spearphishing emails with malicious links to potential victims.[87] |
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group sent malicious OneDrive links with fictitious job offer advertisements via email.[88][89] |
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.[90] |
C0005 | Operation Spalax | During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link.[91] |
S1017 | OutSteel | OutSteel has been distributed through malicious links contained within spearphishing emails.[44] |
G0040 | Patchwork | Patchwork has used spearphishing with links to deliver files with exploits to initial victims.[92][93][94] |
S0453 | Pony | Pony has been delivered via spearphishing emails which contained malicious links.[95] |
S0650 | QakBot | QakBot has spread through emails with malicious links.[96][97][98][99][100][101][102] |
S1018 | Saint Bot | Saint Bot has been distributed through malicious links contained within spearphishing emails.[44] |
G0034 | Sandworm Team | Sandworm Team has crafted phishing emails containing malicious hyperlinks.[103] |
G0121 | Sidewinder | Sidewinder has sent e-mails with malicious links often crafted for specific targets.[104][105] |
S1086 | Snip3 | Snip3 has been delivered to victims through e-mail links to malicious files.[106] |
S1124 | SocGholish | SocGholish has been spread via emails containing malicious links.[85] |
S0646 | SpicyOmelette | SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[38] |
S1030 | Squirrelwaffle | Squirrelwaffle has been distributed through phishing emails containing a malicious URL.[107] |
G1018 | TA2541 | TA2541 has used spearphishing e-mails with malicious links to deliver malware.[108][106] |
G0092 | TA505 | TA505 has sent spearphishing emails containing malicious links.[109][110][111][112] |
G0134 | Transparent Tribe | Transparent Tribe has embedded links to malicious downloads in e-mails.[113][114] |
S0266 | TrickBot | TrickBot has been delivered via malicious links in phishing e-mails.[115] |
G0010 | Turla | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[116] |
S0476 | Valak | Valak has been delivered via malicious links in e-mail.[117] |
G0112 | Windshift | Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[118] |
G0102 | Wizard Spider | Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[119][120] |
G0128 | ZIRCONIUM | ZIRCONIUM has used malicious links in e-mails to deliver malware.[121][122][123] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege. |
M1021 | Restrict Web-Based Content | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[124][125] Furthermore, policies may enforce or install browser extensions that protect against IDN and homograph attacks. |
M1018 | User Account Management | Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications. |
M1017 | User Training | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links, which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |
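The M1054 row above mentions DMARC as the policy layer that tells receivers what to do with mail failing SPF/DKIM checks, and the difference between a monitoring-only record and an enforcing one is easy to miss. The following added Python example (not from the ATT&CK page) parses a DMARC TXT record into its tags and reports the weaknesses a practitioner checks for: a `p=none` policy, a `quarantine` rather than `reject` policy, a `pct` below 100, a weaker subdomain policy, and missing aggregate reporting. The tag names (`v`, `p`, `sp`, `pct`, `rua`, `adkim`, `aspf`) are the standard DMARC tags; the two sample records and the issue labels are constructed for the example.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ("tag=value; tag=value; ...") into a dict of tags."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:  # skip empty trailing items
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report how much protection a DMARC record actually asks receivers to apply."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"valid": False, "issues": ["not_a_dmarc_record"]}
    policy = tags.get("p", "none")              # p is required; treat a missing one as none
    subdomain_policy = tags.get("sp", policy)   # sp defaults to the value of p
    pct = int(tags.get("pct", "100"))           # share of failing mail the policy applies to
    issues = []
    if policy == "none":
        issues.append("policy_none_monitor_only")  # spoofed mail is delivered, only reported
    elif policy == "quarantine":
        issues.append("policy_quarantine_not_reject")
    if policy != "none" and subdomain_policy == "none":
        issues.append("subdomain_policy_none")     # lookalike subdomains stay unprotected
    if pct < 100:
        issues.append(f"pct_{pct}_partial_enforcement")
    if "rua" not in tags:
        issues.append("no_aggregate_reporting")    # no visibility into who fails checks
    return {"valid": True, "policy": policy, "sp": subdomain_policy, "pct": pct, "issues": issues}


# Constructed examples: the weak monitoring-only record beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD):
        print(rec, "->", assess_dmarc(rec))
```

In practice the record is fetched from the `_dmarc.<domain>` TXT record; `assess_dmarc` can then be run over every domain the organisation sends mail from to find the ones still parked on `p=none`.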
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[124][125] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[2] Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
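Both detection rows above recommend watching browser and network logs for homographs built from Cyrillic lookalikes of Latin letters. The following added Python example (not code from the ATT&CK page) shows that check over a few constructed log lines: punycode (`xn--`) labels are decoded back to Unicode, each letter is mapped to its Latin lookalike to form a comparison "skeleton", and a host is flagged when its skeleton matches a trusted domain or when a single label mixes scripts. The confusable table is a small constructed subset of the Unicode confusables data, the trusted-domain allowlist and log format are constructed, and the registrable domain is approximated as the last two labels because no public suffix list is used.

```python
import re
import unicodedata

# Constructed subset of the Unicode confusables data: Cyrillic letters whose glyphs
# look like Latin ones in common fonts. The real confusables list is far larger.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Constructed allowlist of domains the organisation wants lookalikes detected for.
TRUSTED_DOMAINS = {"example.com", "cisco.com", "paypal.com"}


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so lookalikes are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def analyze_host(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Flag a hostname that imitates a trusted domain or mixes scripts in a label."""
    decoded = decode_idn(host)
    skeleton = "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in decoded)
    findings = []
    # Assumption: the registrable domain is the last two labels (no public suffix list).
    registrable = ".".join(skeleton.split(".")[-2:])
    if skeleton != decoded and registrable in trusted:
        findings.append(("homograph_of", registrable))
    for label in decoded.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(("mixed_script_label", label))
    return {"host": host, "decoded": decoded, "skeleton": skeleton, "findings": findings}


def _punycode(label: str) -> str:
    return "xn--" + label.encode("punycode").decode("ascii")


CYRILLIC_CISCO = "\u0441\u0456\u0455\u0441\u043e"  # all-Cyrillic lookalike of "cisco"

# Constructed proxy log lines: a benign visit, the punycode form of the all-Cyrillic
# lookalike above, and a label that mixes one Cyrillic "\u0430" into "paypal".
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z user=alice action=visit host=www.example.com",
    f"2024-05-01T10:00:07Z user=bob action=visit host={_punycode(CYRILLIC_CISCO)}.com",
    "2024-05-01T10:00:12Z user=carol action=visit host=payp\u0430l.com",
]

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan_log(lines) -> list:
    """Return (host, findings) for every line whose host looks like a lookalike."""
    alerts = []
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            result = analyze_host(m.group(1))
            if result["findings"]:
                alerts.append((m.group(1), result["findings"]))
    return alerts


if __name__ == "__main__":
    for host, findings in scan_log(SAMPLE_LOG):
        print(host, "->", findings)
```

The same `analyze_host` routine can be applied to the SNI and certificate subject names seen in TLS traffic, which is where the Network Traffic Content row above expects these lookalikes to surface.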