T1566.002: Spearphishing Link

Data from MITRE ATT&CK®:

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.(Citation: Mandiant URL Obfuscation 2023)

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Suspicious Execution via macOS Script Editor

macos process creation