Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[1] For added context on adversary procedures and background see Spearphishing Attachment.
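As an added example (not part of the ATT&CK page), the following Python detection logic applies the parent-child rule above to constructed, Sysmon-style process-creation records. The field names, the Office parent list and the child-process lists are assumptions for illustration rather than a specific product's schema.

```python
"""Added example: flag unusual child processes of Office applications.

The events at the bottom are constructed for this example; the field names
(image, parent_image, command_line) are an assumed, Sysmon-like schema.
"""
from dataclasses import dataclass

# Productivity applications whose children we want to scrutinise (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe"}

# Interpreters and LOLBins that Office has no routine reason to launch (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe"}

# Children commonly seen in normal operation (print spooler proxy, crash reporter).
BENIGN_CHILDREN = {"splwow64.exe", "werfault.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent):
    """Return (severity, reason) for an Office child that warrants review, else None."""
    parent = basename(event.parent_image)
    child = basename(event.image)
    if parent not in OFFICE_PARENTS:
        return None                      # rule only concerns Office descendants
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"{parent} spawned {child}: {event.command_line}")
    if child in BENIGN_CHILDREN:
        return None
    # Anything else is unexpected but not inherently an interpreter: surface at low severity.
    return ("low", f"{parent} spawned unexpected child {child}")


def detect(events):
    """Run evaluate() over a stream of events; return [(pid, severity, reason), ...]."""
    findings = []
    for event in events:
        result = evaluate(event)
        if result is not None:
            findings.append((event.pid, result[0], result[1]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(4101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -enc AAAA"),
    ProcessEvent(4102, r"C:\Windows\splwow64.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "splwow64.exe 12345"),
    ProcessEvent(4103, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    ProcessEvent(4104, r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.hta"),
    ProcessEvent(4105, r"C:\Windows\System32\notepad.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for pid, severity, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {reason}")
```

The explorer.exe-launched cmd.exe is deliberately not flagged: the rule keys on Office lineage, so the same child image is only interesting when its parent is a productivity application. Tune BENIGN_CHILDREN against your own baseline before deploying.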
Monitor for newly constructed files written to disk from spearphishing emails carrying a malicious attachment, delivered in an attempt to gain access to victim systems.
Monitor network traffic for suspicious email attachments. Consider correlating with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with the observed traffic patterns (e.g., anomalies in which files initiate connections for a given protocol when they do not normally do so). Use web proxies to review the content of emails, including sender information, headers, and attachments, for potentially malicious content.
Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.[2][3] Anti-virus can potentially detect malicious documents and attachments as they are scanned when stored on the email server or on the user's computer.
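The header checks described above (failed SPF/DKIM/DMARC results and mismatched sender headers) as an added Python example that is not part of the ATT&CK page. It uses only the standard library `email` package; the two sample messages, the `mx.corp.example` authenticating host, the domains and the risky-extension list are all constructed assumptions for illustration.

```python
"""Added example: spoofing and risky-attachment indicators from message headers.

Sample messages are constructed below with EmailMessage; the domains and the
Authentication-Results values are assumed, not taken from real mail.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Authentication-Results values treated as failures (assumed policy; 'none' is
# reported separately because it usually means the sender simply did not sign).
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}

# Attachment extensions worth a second look in a mail pipeline (assumed list).
RISKY_EXTENSIONS = {"docm", "xlsm", "pptm", "iso", "img", "lnk",
                    "js", "vbs", "hta", "exe", "scr"}


def auth_results(msg) -> dict:
    """Collect mechanism -> result from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[mech.lower()] = res.lower()
    return results


def domain_of(addr) -> str:
    """Extract the lower-cased domain from a header value like 'Name <user@dom>'."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw: str) -> list:
    """Return a list of human-readable indicators for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Failed SPF / DKIM / DMARC evaluation recorded by the receiving MTA.
    for mech, result in auth_results(msg).items():
        if result in FAILING_RESULTS:
            findings.append(f"{mech}={result}")

    # 2. Envelope sender (Return-Path) domain differing from the visible From domain.
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} does not match From domain {from_dom}")

    # 3. Reply-To pointing somewhere other than the From domain.
    reply_dom = domain_of(msg.get("Reply-To"))
    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} does not match From domain {from_dom}")

    # 4. Attachments with extensions that routinely carry executable content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment extension: {name}")
    return findings


def build_sample(from_addr, return_path, auth_header, attachment_name) -> str:
    """Construct a sample message as a raw string (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "victim@corp.example"
    m["Subject"] = "Invoice"
    m["Return-Path"] = return_path
    m["Authentication-Results"] = auth_header
    m.set_content("Please see attached.")
    m.add_attachment(b"\x00\x01\x02", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one spoofed, one that passes every check.
SPOOFED = build_sample(
    "CEO <ceo@corp.example>", "<bounce@mailer.evil.example>",
    "mx.corp.example; spf=fail smtp.mailfrom=mailer.evil.example; dkim=none; "
    "dmarc=fail header.from=corp.example", "invoice.docm")
LEGIT = build_sample(
    "CEO <ceo@corp.example>", "<bounce@corp.example>",
    "mx.corp.example; spf=pass smtp.mailfrom=corp.example; "
    "dkim=pass header.d=corp.example; dmarc=pass", "invoice.pdf")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw))
```

A Return-Path/From mismatch alone is common for mailing lists and bulk senders, so in practice weight it together with the authentication results rather than alerting on it in isolation.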
| Data Component | Data Source | Channel |
|---|---|---|
| Process Creation (DC0032) | Process | None |
| File Creation (DC0039) | File | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
| Application Log Content (DC0038) | Application Log | None |