Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of social engineering attack against specific targets. Spearphishing attachments differ from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. [1]

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. [2]

ID: T0865
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
G1000 ALLANITE

ALLANITE utilized spear phishing to gain access to energy sector environments. [3]

G0064 APT33

APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. [4] APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. [5]

S0093 Backdoor.Oldrea

The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. [6]

S0089 BlackEnergy

BlackEnergy targeted energy sector organizations in a wide-reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word document attachments. [7]

G0032 Lazarus Group

Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. [8] Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. [9]

G0049 OilRig

OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. [10]

Targeted Assets

ID Asset
A0012 Jump Host
A0001 Workstation

Mitigations

ID Mitigation Description
M0949 Antivirus/Antimalware

Deploy anti-virus on all systems that support external email.

M0931 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

M0921 Restrict Web-Based Content

Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.

M0917 User Training

Users can be trained to identify social engineering techniques and spearphishing emails.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers. [11][12] Anti-virus can potentially detect malicious documents and attachments as they are scanned before being stored on the email server or on the user's computer.

DS0022 File File Creation

Monitor for newly constructed files originating from spearphishing emails with malicious attachments sent in an attempt to gain access to victim systems.

DS0029 Network Traffic Network Traffic Content

Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)). Use web proxies to review the content of emails, including sender information, headers, and attachments, for potentially malicious content.
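The two detection entries above (DS0015 Application Log and DS0029 Network Traffic Content) both come down to inspecting a message's authentication results, sender headers and attachments. The following triage routine is an added example, not part of the ATT&CK page or any vendor tool: it parses one RFC 5322 message with the standard library, flags non-passing SPF/DKIM results from the Authentication-Results header, flags a mismatch between the From domain and the Return-Path domain, and flags attachment types like those in the procedure examples (macro-enabled Office documents, HTML applications). The sample message, its domains and the extension list are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed watch list: extensions matching the attachment types named in
# the procedure examples (Word/Excel documents, HTML application files).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".hta"}


def build_sample():
    """Constructed sample message with hypothetical domains (not real data)."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example-energy.test>"
    msg["Return-Path"] = "<bounce@mail-relay.invalid>"
    msg["To"] = "operator@example-energy.test"
    msg["Subject"] = "Updated shift schedule"
    msg["Authentication-Results"] = "mx.example-energy.test; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none"
    msg.set_content("Please review the attached schedule.")
    msg.add_attachment(b"\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="schedule.xlsm")
    return msg.as_string()


def auth_results(msg):
    """Collect method=result pairs from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def domain_of(msg, header):
    """Domain part of the address in the named header, lower-cased ('' if absent)."""
    return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings, auth = [], auth_results(msg)
    for method in ("spf", "dkim"):
        if auth.get(method) not in (None, "pass"):  # fail, softfail, none, ...
            findings.append(f"{method}={auth[method]}")
    from_dom, rp_dom = domain_of(msg, "From"), domain_of(msg, "Return-Path")
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"header mismatch: From={from_dom} Return-Path={rp_dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." + name.rpartition(".")[2].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings
```

Feed `triage()` messages pulled from the mail gateway or proxy capture; an empty list means none of the three checks fired, not that the message is safe.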

DS0009 Process Process Creation

Monitor for suspicious descendant processes spawning from Microsoft Office and other productivity software. [13] For added context on adversary procedures and background, see Spearphishing Attachment.

References