T1566.001: Spearphishing Attachment

Data from MITRE ATT&CK®:

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Download Macro-Enabled Phishing Attachment

windows

Word spawned a command shell and used an IP address in the command line

windows

Office Macro File Creation

windows file event

Office Macro File Download

windows file event

Suspicious HWP Sub Processes

windows process creation

ISO or Image Mount Indicator in Recent Files

windows file event

Suspicious Execution From Outlook Temporary Folder

windows process creation

Suspicious HH.EXE Execution

windows process creation

Office Macro File Creation From Suspicious Process

windows file event

ISO Image Mounted

windows

Suspicious Double Extension File Execution

windows process creation

Windows Registry Trust Record Modification

windows registry event

Suspicious Microsoft OneNote Child Process

windows process creation

Password Protected ZIP File Opened (Email Attachment)

windows

Arbitrary Shell Command Execution Via Settingcontent-Ms

windows process creation

Potential Initial Access via DLL Search Order Hijacking

windows file event

ISO File Created Within Temp Folders

windows file event

HTML Help HH.EXE Suspicious Child Process

windows process creation