| ID | Name |
|---|---|
| T1566.001 | Spearphishing Attachment |
| T1566.002 | Spearphishing Link |
| T1566.003 | Spearphishing via Service |
| T1566.004 | Spearphishing Voice |
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.[1] These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
| ID | Name | Description |
|---|---|---|
| G0130 | Ajax Security Team |
Ajax Security Team has used various social media channels to spearphish victims.[2] |
| G0016 | APT29 |
APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.[3] |
| G1012 | CURIUM |
CURIUM has used social media to deliver malicious files to victims.[4] |
| G0070 | Dark Caracal |
Dark Caracal spearphished victims via Facebook and Whatsapp.[1] |
| G1011 | EXOTIC LILY |
EXOTIC LILY has used the e-mail notification features of legitimate file sharing services for spearphishing.[5] |
| G0037 | FIN6 |
FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[6] |
| G0032 | Lazarus Group |
Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.[7] |
| G0059 | Magic Hound |
Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.[8][9][10] |
| G1036 | Moonstone Sleet |
Moonstone Sleet has used social media services to spear phish victims to deliver trojainized software.[11] |
| S1100 | Ninja |
Ninja has been distributed to victims via the messaging app Telegram.[12] |
| G0049 | OilRig | |
| C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group sent victims spearphishing messages via LinkedIn concerning fictitious jobs.[14][15] |
| G1022 | ToddyCat |
ToddyCat has sent loaders configured to run Ninja as zip archives via Telegram.[12] |
| G0112 | Windshift |
Windshift has used fake personas on social media to engage and target victims.[16] |
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware |
Anti-virus can also automatically quarantine suspicious files. |
| M1047 | Audit |
Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts. |
| M1021 | Restrict Web-Based Content |
Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| M1018 | User Account Management |
Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources. |
| M1017 | User Training |
Users can be trained to identify social engineering techniques and spearphishing messages with malicious links. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content |
Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing messages via third-party services in an attempt to gain access to victim systems. |
| DS0029 | Network Traffic | Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
| Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |