Phishing for Information: Spearphishing Link

Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.[1][2] The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.

ID: T1598.003
Sub-technique of:  T1598
Tactic: Reconnaissance
Platforms: PRE
Data Sources: Email gateway, Mail server
Contributors: Robert Simmons, @MalwareUtkonos; Sebastian Salla, McAfee
Version: 1.0
Created: 02 October 2020
Last Modified: 24 October 2020

Mitigations

Mitigation Description
User Training

Users can be trained to identify social engineering techniques and spearphishing attempts.

Detection

Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.[3][4]

Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.

References