T1566: Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules). Another way to accomplish this is by forging or spoofing the identity of the sender, which can be used to fool both the human recipient and automated security tools.

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer (i.e., User Execution).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

postfix: PT-CR-2711: Postfix_Suspicious_Sender: Unusual characters in a sender's address. This may indicate the exploitation of the CVE-2020-12063 vulnerability, which allows visually spoofing another sender's address and sending a message without authentication.
antimalware: PT-CR-2082: KSMG_Massmail_Allowed: Mass mailing is detected in an email
antimalware: PT-CR-746: Sandbox_Different_Sender_Info: The SMTP header "Mail from" and the mail sender are different
antimalware: PT-CR-2081: KSMG_SPAM_Detected: Spam is detected

Subtechniques

Detection

ID: DS0022. Data source and component: File: File Creation. Description:

Monitor for newly constructed files delivered through phishing messages intended to gain access to victim systems.

ID: DS0029. Data source and component: Network Traffic: Network Traffic Flow. Description:

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0029. Data source and component: Network Traffic: Network Traffic Content. Description:

Monitor and analyze SSL/TLS traffic patterns and perform packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line data to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.

ID: DS0015. Data source and component: Application Log: Application Log Content. Description:

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

Mitigation

ID: M1017. Name: User Training. Description:

Users can be trained to identify social engineering techniques and phishing emails.

ID: M1021. Name: Restrict Web-Based Content. Description:

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

ID: M1031. Name: Network Intrusion Prevention. Description:

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

ID: M1047. Name: Audit. Description:

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

ID: M1049. Name: Antivirus/Antimalware. Description:

Anti-virus can automatically quarantine suspicious files.

ID: M1054. Name: Software Configuration. Description:

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
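The header analysis referred to in the detection entries above (DKIM+SPF results, envelope "Mail from" versus visible sender) and the DMARC alignment described in this mitigation, shown as an added example that is not part of the ATT&CK page or of any Positive Technologies rule. It assumes the receiving gateway has already stamped an Authentication-Results header; the sample messages, domains and selector are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From: domain differs from
# both the envelope sender and the DKIM signing domain, so the SPF/DKIM "pass"
# results do not align with the address the recipient sees.
SPOOFED = """\
Return-Path: <bounce@mail-sender.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-sender.example; dkim=pass header.d=mail-sender.example
DKIM-Signature: v=1; a=rsa-sha256; d=mail-sender.example; s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Password expires today
"""

# Constructed legitimate counterpart: signed by the From: domain, envelope on a subdomain.
ALIGNED = """\
Return-Path: <bounce@bulk.corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk.corp.example; dkim=pass header.d=corp.example
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "IT Helpdesk" <helpdesk@corp.example>
"""

def org_domain(domain):
    # Relaxed DMARC alignment compares organizational domains; taking the last
    # two labels is a simplification (production code uses the Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_sender_alignment(raw):
    """Evaluate one message's headers and return the alignment findings."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    spf_aligned = bool(spf and spf.group(1) == "pass"
                       and org_domain(env_dom) == org_domain(from_dom))
    dkim_aligned = bool(dkim and dkim.group(1) == "pass" and dkim_d
                        and org_domain(dkim_d.group(1)) == org_domain(from_dom))
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        # same condition as a "MAIL FROM differs from sender" style rule
        "envelope_mismatch": org_domain(env_dom) != org_domain(from_dom),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }
```

A message that fails both alignments is the case a DMARC policy of quarantine or reject would act on; the envelope_mismatch flag alone is noisy because legitimate bulk senders often use a distinct bounce domain.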