T1566.003: Spearphishing via Service
| View on MITRE ATT&CK | T1566.003 |
|---|---|
| Tactic(s) | Initial Access |
| Associated CAPEC Patterns | Spear Phishing (CAPEC-163) |
Data from MITRE ATT&CK®:
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.
A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.How to detect this technique
MITRE ATT&CK Data Components
Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.