DET0781 Detection of Spearphishing Attachment
| Item | Value |
| --- | --- |
| ID | DET0781 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T0865 (Spearphishing Attachment)
Analytics
ICS
AN1913
Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see Spearphishing Attachment.
Monitor for newly constructed files originating from spearphishing emails carrying a malicious attachment, used in an attempt to gain access to victim systems.
Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with the observed traffic patterns (e.g., monitor for files that do not normally initiate connections for the respective protocol(s) suddenly doing so). Use web proxies to review the content of emails, including sender information, headers, and attachments, for potentially malicious content.
Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they’re scanned to be stored on the email server or on the user’s computer.
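As an added illustration of two of the analytics above (not part of the ATT&CK page or any vendor product), the following Python runs the "productivity software spawning a suspicious descendant" check and the "failed SPF/DKIM or mismatched sender headers" check over constructed sample data. The event field names (`parent`, `image`, `cmdline`), the key=value mail-log format, and the process allow/deny lists are assumptions chosen for the example, not a real telemetry schema.

```python
"""Added example: detection logic for DET0781 analytics over constructed data.
Schema, log format and process lists are assumptions, not a product's own."""
import re

# Productivity software whose child processes are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "acrord32.exe"}
# Scripting hosts / LOLBins that a document rarely has a legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def office_child_alerts(events):
    """Return (parent, child, cmdline) for every process-creation event in which
    a productivity application spawns a suspicious child. Each event is a dict
    with keys 'parent', 'image' and 'cmdline' (constructed schema)."""
    alerts = []
    for ev in events:
        parent = ev["parent"].lower()
        child = ev["image"].lower()
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            alerts.append((parent, child, ev.get("cmdline", "")))
    return alerts


# Constructed mail-gateway log format: space-separated key=value pairs per message.
KV_RE = re.compile(r"(\w+)=([^\s]+)")


def parse_mail_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def spoofing_alerts(lines):
    """Return (msgid, reasons) for messages whose SPF or DKIM result is not
    'pass', or whose envelope-sender domain differs from the From: header domain."""
    flagged = []
    for line in lines:
        rec = parse_mail_line(line)
        reasons = []
        if rec.get("spf", "none") != "pass":
            reasons.append("spf=" + rec.get("spf", "none"))
        if rec.get("dkim", "none") != "pass":
            reasons.append("dkim=" + rec.get("dkim", "none"))
        env_domain = rec.get("mailfrom", "").rsplit("@", 1)[-1].lower()
        hdr_domain = rec.get("from", "").rsplit("@", 1)[-1].lower()
        if env_domain and hdr_domain and env_domain != hdr_domain:
            reasons.append(f"header-mismatch {env_domain}!={hdr_domain}")
        if reasons:
            flagged.append((rec.get("msgid", "?"), reasons))
    return flagged


# Constructed sample telemetry: one benign Office launch, one benign Excel
# helper process, and two document-spawned scripting hosts.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE invoice.docx"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Users\\Public\\doc.ps1"},
    {"parent": "EXCEL.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe"},
    {"parent": "OUTLOOK.EXE", "image": "wscript.exe", "cmdline": "wscript.exe report.js"},
]

# Constructed mail log: one clean message, one header/envelope mismatch with no
# DKIM signature, one SPF failure.
SAMPLE_MAIL_LOG = [
    "msgid=<m1@example.com> mailfrom=hr@example.com from=hr@example.com spf=pass dkim=pass",
    "msgid=<m2@lookalike.example> mailfrom=bounce@lookalike.example from=ceo@example.com spf=pass dkim=none",
    "msgid=<m3@example.com> mailfrom=ops@example.com from=ops@example.com spf=fail dkim=pass",
]

if __name__ == "__main__":
    for alert in office_child_alerts(SAMPLE_EVENTS):
        print("process alert:", alert)
    for msgid, reasons in spoofing_alerts(SAMPLE_MAIL_LOG):
        print("mail alert:", msgid, reasons)
```

In practice the two outputs are correlated, as the analytic suggests: a mail alert on a message whose attachment is then opened, followed shortly by a process alert from the same host, is a far stronger signal than either event alone.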
Log Sources
Mutable Elements