MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1598.002: Spearphishing Attachment

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file. The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-605: Office_File_with_Macros: A user opened a Microsoft Office document with a macro
mitre_attck_execution: PT-CR-648: Suspicious_Child_from_Messenger_Process: A user started a process from a parent messenger process
antimalware: PT-CR-726: Sandbox_Spam_Attack_By_Attachment: Spam delivery with the same attachment is detected
antimalware: PT-CR-727: Sandbox_Spam_Attack_By_Source: Spam delivery from the same sender is detected
antimalware: PT-CR-728: Sandbox_Spam_Attack_By_Title: Spam delivery with the same subject is detected
antimalware: PT-CR-729: Subrule_Sandbox_Mail_Attachment: A PT Sandbox event is supplemented with attachment information
antimalware: PT-CR-745: Subrule_Sandbox_Mail_IP: A PT Sandbox event is supplemented with IP address information
process_chains_and_logons: PT-CR-950: Suspicious_Office_Process_Chain: Suspicious process start chain for Microsoft Office or Adobe Acrobat applications
mitre_attck_initial_access: PT-CR-2301: Suspicious_File_Creation_From_Messenger_or_Mail: A file with a suspicious extension was created on behalf of an instant messenger or email program, or malicious file activity was detected. This may indicate a phishing attack or malware being delivered to user's computer.
process_chains_and_logons: PT-CR-1213: Suspicious_Messenger_Process_Chain: Suspicious process start chain for instant messenger programs
antimalware: PT-CR-1770: Subrule_Sandbox_Count_Mail_Attachments: A PT Sandbox event is supplemented with attachment count information

Detection

IDDS0029Data source and componentNetwork Traffic: Network Traffic ContentDescription

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.

IDDS0029Data source and componentNetwork Traffic: Network Traffic FlowDescription

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Mitigation

IDM1017NameUser TrainingDescription

Users can be trained to identify social engineering techniques and spearphishing attempts.

IDM1054NameSoftware ConfigurationDescription

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.