Phishing, Technique T1566 - Enterprise | MITRE ATT&CK®

Phishing

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).[1][2] Another way to accomplish this is by Email Spoofing[3] the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,[4] or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").[5]

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[6][7] or install adversary-accessible remote management tools onto their computer (i.e., User Execution).[8]

ID: T1566
Sub-techniques: T1566.001, T1566.002, T1566.003, T1566.004
Tactic: Initial Access
Platforms: Identity Provider, Linux, Office Suite, SaaS, Windows, macOS
Contributors: Liora Itkin; Liran Ravich, CardinalOps; Ohad Zaidenberg, @ohad_mz; Philip Winther; Scott Cook, Capital One
Version: 2.7
Created: 02 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
G0001 Axiom

Axiom has used spear phishing to initially compromise victims.[9][10]

G0115 GOLD SOUTHFIELD

GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victim's machines.[11]

S0009 Hikit

Hikit has been spread through spear phishing.[10]

G1032 INC Ransom

INC Ransom has used phishing to gain initial access.[12][13]

S1139 INC Ransomware

INC Ransomware campaigns have used spearphishing emails for initial access.[13]

G0094 Kimsuky

Kimsuky has used spearphishing to gain initial access and intelligence.[14][15]

S1073 Royal

Royal has been spread through the use of phishing campaigns including "call back phishing" where victims are lured into calling a number provided through email.[16][17][18]

G1041 Sea Turtle

Sea Turtle used spear phishing to gain initial access to victims.[19]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can automatically quarantine suspicious files.

M1047 Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

M1031 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

M1021 Restrict Web-Based Content

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Publishing these records for the organization's own domains, together with a DMARC policy that ties them to the visible From: domain and tells receivers how to handle failures, lets recipients (intra-org and cross domain) perform the same filtering and validation.[20][21]

M1017 User Training

Users can be trained to identify social engineering techniques and phishing emails.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[20][21] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

Analytic 1 - Detecting Malicious Phishing Emails

(source="o365_message_trace" OR source="gmail_security_logs" OR source="/var/log/maillog")
| search ("dkim=fail" OR "spf=fail" OR "dmarc=fail" OR "suspicious attachment")
| eval risk_score=case(like(subject, "%password reset%"), 8, like(subject, "%urgent action required%"), 7, like(subject, "%invoice%"), 6)
| where risk_score >= 6
| stats count by _time, src_email, dest_email, subject, attachment_name, risk_score
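The SPF/DKIM/DMARC mitigation (M1054), the header-analysis detection note under Application Log, and the analytic above all hinge on the same check: an authentication pass only counts when the authenticated identifier aligns with the From: domain the user sees. The following Python is an added example, not MITRE's or any vendor's code; the message records and Authentication-Results headers are constructed, the organizational-domain logic is simplified to the last two labels (a real implementation must use the Public Suffix List), and the attachment extension list is an assumption. It computes the DMARC verdict from raw SPF/DKIM identifiers and then applies the subject-lure weights of the analytic.

```python
import re
from email.utils import parseaddr

# Constructed sample records (not real mail): each mimics one message-trace row
# with the Authentication-Results header carried through.
SAMPLE_MESSAGES = [
    {   # legitimate: SPF and DKIM identifiers align with the From: domain
        "src_email": "IT Helpdesk <helpdesk@example.com>",
        "dest_email": "alice@example.com",
        "subject": "Password reset confirmation",
        "auth": "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
        "attachment_name": "",
    },
    {   # display-name spoof: SPF/DKIM pass, but for the sender's own lookalike domain
        "src_email": "IT Helpdesk <helpdesk@example.com>",
        "dest_email": "bob@example.com",
        "subject": "URGENT ACTION REQUIRED: password reset",
        "auth": "mx.example.com; spf=pass smtp.mailfrom=exarnple-mail.net; dkim=pass header.d=exarnple-mail.net",
        "attachment_name": "",
    },
    {   # lookalike From: domain with no valid authentication, carrying a shortcut file
        "src_email": "Accounts <billing@example-invoices.com>",
        "dest_email": "carol@example.com",
        "subject": "Invoice 2024-0091 attached",
        "auth": "mx.example.com; spf=fail smtp.mailfrom=example-invoices.com; dkim=none",
        "attachment_name": "invoice.pdf.lnk",
    },
]

# Attachment types treated as phishing carriers (assumed set, extend to taste)
SUSPICIOUS_EXTENSIONS = (".lnk", ".hta", ".vbs", ".js", ".iso", ".scr", ".exe", ".docm")


def parse_auth_results(header):
    """Pull SPF/DKIM results and their identifier domains out of an
    Authentication-Results header (simplified RFC 8601 parsing)."""
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([\w.-]+))?", header)
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", header)
    return {
        "spf": spf.group(1) if spf else "none",
        "spf_domain": (spf.group(2) or "") if spf else "",
        "dkim": dkim.group(1) if dkim else "none",
        "dkim_domain": (dkim.group(2) or "") if dkim else "",
    }


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the last two
    labels (assumption); production code must consult the Public Suffix List,
    otherwise e.g. names under co.uk collapse to co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment: strict needs an exact match, relaxed accepts
    any subdomain of the same organizational domain."""
    if not identifier_domain:
        return False
    if mode == "strict":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def dmarc_verdict(msg, mode="relaxed"):
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with
    the RFC5322.From domain the user sees. A pass for an unrelated domain,
    as in the second sample, does not count."""
    from_domain = parseaddr(msg["src_email"])[1].rsplit("@", 1)[-1]
    ar = parse_auth_results(msg["auth"])
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], from_domain, mode)
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain, mode)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def subject_risk(subject):
    """Same lure-keyword weights as the analytic above; first match wins."""
    s = subject.lower()
    if "password reset" in s:
        return 8
    if "urgent action required" in s:
        return 7
    if "invoice" in s:
        return 6
    return 0


def score_messages(messages, mode="relaxed", threshold=6):
    """Keep messages that fail DMARC or carry a suspicious attachment, then
    rank them by subject lure; returns the rows an analyst would review."""
    hits = []
    for m in messages:
        verdict = dmarc_verdict(m, mode)
        bad_attachment = m["attachment_name"].lower().endswith(SUSPICIOUS_EXTENSIONS)
        if verdict == "pass" and not bad_attachment:
            continue
        score = subject_risk(m["subject"])
        if score >= threshold:
            hits.append({"src_email": m["src_email"], "dest_email": m["dest_email"],
                         "subject": m["subject"], "dmarc": verdict,
                         "attachment_name": m["attachment_name"], "risk_score": score})
    return hits


if __name__ == "__main__":
    for row in score_messages(SAMPLE_MESSAGES):
        print(row)
```

The second sample is the case the string search in the analytic misses: every token reads "pass", yet the message is a spoof of the helpdesk because the authenticated domain is not the From: domain. Evaluating alignment yourself, rather than trusting a bare "dmarc=fail" string, also catches mail from gateways that do not write a dmarc clause at all.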

DS0022 File File Creation

Monitor for creation of suspicious email attachments in download directories, execution of phishing attachments (e.g., .docm, .lnk, .hta, .vbs), or files extracted from .zip, .rar, .iso containers that execute scripts. Match the download directory with a wildcard on the full path field (Sysmon TargetFilename, auditd name) rather than an exact string, since the field carries the complete file path, not the directory.

Analytic 1 - Detecting Malicious File Creation from Phishing Emails

(EventCode=11 TargetFilename="C:\\Users\\*\\Downloads\\*")
OR EventCode=1116
OR (source="/var/log/audit/audit.log" SYSCALL IN ("open", "openat") name="/home/*/Downloads/*")
| eval path=coalesce(TargetFilename, name, path)
| eval risk_score=case(like(path, "%.vbs"), 8, like(path, "%.lnk"), 7, like(path, "%.exe"), 6)
| where risk_score >= 6
| stats count by _time, host, path, user, risk_score
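To show the same file-creation logic running over event records, including the double-extension and archive-extraction cases the paragraph above mentions, here is an added Python example (not MITRE's or a vendor's code). The Sysmon EventCode 11 and auditd records are constructed; the extension weights for .vbs/.lnk/.exe follow the analytic above and the remaining weights, the decoy-extension list, and the Temp1_<archive>.zip folder pattern (what Windows Explorer uses when a file is opened straight out of a zip) are assumptions to adjust for your environment.

```python
import re

# Constructed events (not from a real host): Sysmon EventCode 11 FileCreate
# records and one auditd record, reduced to the fields the analytic keys on.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventCode": 11, "host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\Invoice_0091.pdf.lnk"},
    {"source": "sysmon", "EventCode": 11, "host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\Temp1_scan.zip\scan.vbs"},
    {"source": "sysmon", "EventCode": 11, "host": "WS02", "user": "CORP\\bob",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Users\bob\Documents\report.docx"},
    {"source": "auditd", "SYSCALL": "openat", "host": "dev01", "user": "carol",
     "name": "/home/carol/Downloads/offer.hta"},
]

# Weights for .vbs/.lnk/.exe follow the analytic above; the rest are assumed.
PHISHING_EXTENSIONS = {".vbs": 8, ".hta": 8, ".lnk": 7, ".js": 7,
                       ".exe": 6, ".scr": 6, ".docm": 6, ".iso": 6}
# Decoy extensions seen in double-extension names such as invoice.pdf.lnk (assumed)
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def split_path(path):
    """Split a Windows or POSIX path into its components."""
    return [p for p in re.split(r"[\\/]+", path) if p]


def extensions(filename):
    """All trailing extensions, outermost first: 'a.pdf.lnk' -> ['.lnk', '.pdf']."""
    parts = filename.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def classify_location(path):
    """Where the file landed: a Downloads folder, or the Temp1_<name>.zip
    folder Explorer uses when a file is opened straight out of a zip
    (assumed pattern; other archivers use other paths)."""
    dirs = [p.lower() for p in split_path(path)[:-1]]
    if "downloads" in dirs:
        return "downloads"
    if any(re.fullmatch(r"temp1_.+\.zip", d) for d in dirs):
        return "zip_extract"
    return None


def score_event(event):
    """Score one file-creation event; None means out of scope."""
    path = event.get("TargetFilename") or event.get("name")
    location = classify_location(path)
    if location is None:
        return None
    exts = extensions(split_path(path)[-1])
    if not exts or exts[0] not in PHISHING_EXTENSIONS:
        return None
    score = PHISHING_EXTENSIONS[exts[0]]
    if len(exts) > 1 and exts[1] in DECOY_EXTENSIONS:
        score += 1  # double extension hides the real file type from the user
    if location == "zip_extract":
        score += 1  # script opened from inside an archive, not merely downloaded
    return {"host": event["host"], "user": event["user"], "path": path,
            "location": location, "risk_score": min(score, 10)}


def detect(events, threshold=6):
    """Rows at or above the threshold, in event order."""
    return [r for r in (score_event(e) for e in events) if r and r["risk_score"] >= threshold]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Keying on the outermost extension is what makes Invoice_0091.pdf.lnk score as a shortcut rather than a PDF; a check that only looks for ".pdf" anywhere in the name gets this backwards.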

DS0029 Network Traffic Network Traffic Content

Monitor for clicking on malicious links leading to credential phishing, traffic to newly registered or suspicious domains, malicious redirect chains embedded in emails, or downloading of executables from phishing sites.

Analytic 1 - Detecting Phishing Link Clicks in Emails

(EventCode=3)
OR (source="zeek_http_logs" uri IN (malicious_url_list))
OR (source="proxy_logs" url IN (malicious_url_list))
| eval risk_score=case(uri IN (malicious_url_list), 9, domain IN ("bit.ly", "tinyurl.com"), 8, like(domain, "%.xyz") OR like(domain, "%.top"), 7)
| where risk_score >= 7
| stats count by _time, host, user, uri, domain, risk_score
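Shortened links and redirect chains only give up their destination once followed, so scoring the URL as it appears in the mail is not enough. The Python below is an added example, not MITRE's or a vendor's code: the redirect map stands in for HEAD requests that return Location headers, and the malicious URL set stands in for a threat-intel feed; both are constructed, as are the shortener and TLD lists (taken from the analytic above). It expands a chain with loop and hop limits, then scores every URL in the chain rather than only the first.

```python
from urllib.parse import urlsplit

# Constructed stand-ins (not real infrastructure): the redirect map plays the
# role of HEAD requests returning Location headers, the URL set the role of a
# threat-intel feed.
REDIRECTS = {
    "https://bit.ly/3xmpl": "https://login-portal.xyz/auth",
    "https://login-portal.xyz/auth": "https://login-portal.xyz/auth/session?next=/",
}
MALICIOUS_URLS = {"https://login-portal.xyz/auth/session?next=/"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
SUSPICIOUS_TLDS = {"xyz", "top"}


def domain_of(url):
    """Host part, lower-cased, port stripped (a scheme is required)."""
    return urlsplit(url).hostname or ""


def tld_of(domain):
    """Last label of the host name, which is what a TLD check should compare."""
    return domain.rsplit(".", 1)[-1] if "." in domain else ""


def expand(url, resolver=REDIRECTS.get, max_hops=10):
    """Follow a redirect chain. Stops on a loop or after max_hops so a hostile
    redirector cannot keep the inspector busy; both outcomes are reported."""
    chain, seen = [url], {url}
    while len(chain) - 1 < max_hops:
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"


def score_single(url):
    """Weights from the analytic above, most specific signal first."""
    dom = domain_of(url)
    if url in MALICIOUS_URLS:
        return 9
    if dom in SHORTENERS:
        return 8
    if tld_of(dom) in SUSPICIOUS_TLDS:
        return 7
    return 0


def score_url(url, resolver=REDIRECTS.get):
    """Score the whole chain, not just the link as it appeared in the mail."""
    chain, status = expand(url, resolver)
    score = max(score_single(u) for u in chain)
    if status != "resolved":
        score = max(score, 7)  # loops and runaway chains are suspicious by themselves
    return {"url": url, "final": chain[-1], "chain": chain,
            "status": status, "risk_score": score}


if __name__ == "__main__":
    for u in ("https://bit.ly/3xmpl", "https://www.example.com/report.pdf"):
        print(score_url(u))
```

In production the resolver is a function that issues a HEAD (or bounded GET) request from a detonation or sandbox egress, never from the analyst's workstation, and records the Location header; the loop and hop limits matter there because a redirector can otherwise hold the inspector open indefinitely.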

DS0029 Network Traffic Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Detecting Malicious Network Traffic Post-Phishing Execution

(EventCode=3)
OR (source="zeek_conn.log" dest_ip IN (malicious_ip_list))
OR (source="proxy_logs" url IN (malicious_url_list))
| eval risk_score=case(dest_ip IN (malicious_ip_list), 9, dest_port IN (4444, 1337, 8080), 8, like(user_agent, "%curl%"), 7)
| where risk_score >= 7
| stats count by _time, host, user, dest_ip, dest_port, risk_score
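The "never been seen before" signal in the paragraph above needs a baseline of which processes on a host normally use the network, which the analytic alone does not build. The following Python is an added example, not MITRE's or a vendor's code: the Sysmon EventCode 3 records are constructed (TEST-NET addresses), the indicator list is constructed, and the port weights come from the analytic above. It learns a (host, image) baseline from one window and flags connections in the next that hit an indicator, use an uncommon port, or come from an image the host has never seen on the network.

```python
# Constructed Sysmon EventCode 3 (NetworkConnect) records, not real telemetry.
# The first list is the learning window used to baseline which images on each
# host normally talk to the network; the second is the window under review.
BASELINE_EVENTS = [
    {"host": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"host": "WS01", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.12", "DestinationPort": 443},
    {"host": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.13", "DestinationPort": 80},
]
REVIEW_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "203.0.113.50", "DestinationPort": 443},
    {"host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "198.51.100.23", "DestinationPort": 4444},
    {"host": "WS01", "user": "CORP\\alice",
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.13", "DestinationPort": 80},
]
MALICIOUS_IPS = {"198.51.100.23"}   # constructed indicator list
RARE_PORTS = {4444, 1337, 8080}     # ports from the analytic above


def build_baseline(events):
    """Set of (host, image) pairs observed making network connections."""
    return {(e["host"], e["Image"].lower()) for e in events}


def score_connection(event, baseline):
    """Indicator and port weights from the analytic above, plus a novelty
    signal for an image never seen on the network from this host."""
    score, reasons = 0, []
    if event["DestinationIp"] in MALICIOUS_IPS:
        score, reasons = 9, ["known bad destination"]
    elif event["DestinationPort"] in RARE_PORTS:
        score, reasons = 8, ["uncommon port"]
    if (event["host"], event["Image"].lower()) not in baseline:
        score = max(score, 7)
        reasons.append("image never seen on network from this host")
    return score, reasons


def detect(events, baseline, threshold=7):
    """Rows at or above the threshold, in event order."""
    hits = []
    for e in events:
        score, reasons = score_connection(e, baseline)
        if score >= threshold:
            hits.append({"host": e["host"], "user": e["user"], "image": e["Image"],
                         "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                         "risk_score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for row in detect(REVIEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(row)
```

The WINWORD.EXE connection scores on novelty alone, which is the post-phishing case a port or indicator list cannot see: a document viewer that has never talked to the network suddenly does. Expect port 8080 to be noisy in environments that proxy through it; tune RARE_PORTS per site rather than keeping the list verbatim.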

References