T1566.002: Spearphishing Link
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.
Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack"). URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an "@" symbol: for example, hxxp://google.com@1157586937.
Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens. These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.
Adversaries may also utilize spearphishing links to Steal Application Access Tokens that grant immediate access to the victim environment. For example, a user may be lured through "consent phishing" into granting adversaries permissions/access via a malicious OAuth 2.0 request URL.
Similarly, malicious links may also target device-based authorization, such as the OAuth 2.0 device authorization grant flow, which is typically used to authenticate devices without UIs/browsers. Known as "device code phishing," an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
vulnerabilities: PT-CR-2297: CVE_2024_21413_Outlook_MonikerLink: Exploitation of vulnerability CVE-2024-21413 in Outlook. The vulnerability allows an attacker to send a victim an email with a hyperlink to a shared network resource and bypass the Outlook warning when opening the email. This can be used to execute arbitrary code or obtain the user's NetNTLM hash.
vulnerabilities: PT-CR-779: MSDT_CVE_2022_30190: The ms-msdt protocol was used to exploit vulnerability CVE-2022-30190 (Follina) in Microsoft Support Diagnostic Tool (MSDT)
antimalware: PT-CR-727: Sandbox_Spam_Attack_By_Source: Spam delivery from the same sender is detected
antimalware: PT-CR-728: Sandbox_Spam_Attack_By_Title: Spam delivery with the same subject is detected
antimalware: PT-CR-729: Subrule_Sandbox_Mail_Attachment: A PT Sandbox event is supplemented with attachment information
antimalware: PT-CR-745: Subrule_Sandbox_Mail_IP: A PT Sandbox event is supplemented with IP address information
mitre_attck_initial_access: PT-CR-2415: External_Link_Clicked: A user followed an external link
antimalware: PT-CR-1770: Subrule_Sandbox_Count_Mail_Attachments: A PT Sandbox event is supplemented with attachment count information
antimalware: PT-CR-2080: KSMG_Malware_Detect_And_Clean: A malicious object is found in an email and cured
antimalware: PT-CR-2085: KSMG_Malware_remove: A malicious object is found and deleted from an email
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
| DS0015 | Application Log: Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). |
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
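The URL quirks described above (text before "@" discarded, integer or hexadecimal hostnames, IDN homographs) and the email URL inspection listed under DS0015, as an added Python example that is not part of this knowledge base page or of any Positive Technologies product. The function names and the hex and punycode sample URLs are my own constructions; only hxxp://google.com@1157586937 comes from the page.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

def numeric_host_to_ip(host):
    """Decode an integer ('1157586937') or hex ('0x44ff5ff9') hostname to a dotted quad."""
    h = host.lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        value = int(h[2:], 16)
    elif re.fullmatch(r"[0-9]+", h):
        value = int(h)
    else:
        return None  # not one of the two numeric forms named on the page
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError:  # wider than 32 bits: not a valid IPv4 literal
        return None

def decode_idn(host):
    """Render a punycode (xn--) hostname as the Unicode string a browser would display."""
    try:
        return host.encode("ascii").decode("idna") if "xn--" in host else host
    except UnicodeError:
        return host

def letter_scripts(hostname):
    """Unicode scripts of the letters in a hostname, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c).split()[0] for c in hostname if c.isalpha()}

def inspect_url(url):
    """Normalise one URL the way a gateway URL inspector would and list its findings."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # undo 'hxxp' defanging if present
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:  # text before '@' is userinfo, not the host
        findings.append(f"userinfo '{parts.username}' is discarded; real host is '{host}'")
    ip = numeric_host_to_ip(host)
    if ip:
        findings.append(f"numeric host '{host}' is the IPv4 address {ip}")
    shown = decode_idn(host)
    if shown != host:
        findings.append(f"IDN host '{host}' displays as '{shown}'")
    scripts = letter_scripts(shown)
    if len(scripts) > 1:  # Latin mixed with e.g. Cyrillic: homograph candidate
        findings.append(f"mixed scripts in hostname: {sorted(scripts)}")
    return {"host": host, "ip": ip, "display_host": shown, "findings": findings}

if __name__ == "__main__":  # constructed samples: page's example, a hex host, a punycode host
    for u in ("hxxp://google.com@1157586937", "http://0x44ff5ff9/x", "http://xn--pple-43d.com/"):
        print(u, inspect_url(u)["findings"])
```

Browsers also accept octal and dotted-partial numeric hosts, which this checker does not decode, so treat it as a triage aid rather than a complete normaliser.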
Mitigation
| ID | Name | Description |
|---|---|---|
| M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation. Furthermore, policies may enforce/install browser extensions that protect against IDN and homograph attacks. |
| M1021 | Restrict Web-Based Content | Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| M1047 | Audit | Audit applications and their permissions to ensure access to data and resources is limited based upon necessity and the principle of least privilege. |
| M1018 | User Account Management | Azure AD administrators can limit users' ability to grant consent to unfamiliar or unverified third-party applications. |
| M1017 | User Training | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links, including phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites. |