Skip to content

G0085 FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.12 FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.13

Item Value
ID G0085
Associated Names
Version 1.2
Created 31 January 2019
Last Modified 11 August 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols FIN4 has used HTTP POST requests to transmit data.13
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic FIN4 has used VBA macros to display a dialog box and collect victim credentials.13
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection FIN4 has accessed and hijacked online email communications using stolen credentials.13
enterprise T1564 Hide Artifacts -
enterprise T1564.008 Email Hiding Rules FIN4 has created rules in victims’ Microsoft Outlook accounts to automatically delete emails containing words such as “hacked,” “phish,” and “malware” in a likely attempt to prevent organizations from communicating about their activities.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.13
enterprise T1056.002 GUI Input Capture FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.13
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.13
enterprise T1566.002 Spearphishing Link FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.13
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy FIN4 has used Tor to log in to victims’ email accounts.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).13
enterprise T1204.002 Malicious File FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).13
enterprise T1078 Valid Accounts FIN4 has used legitimate credentials to hijack email communications.13


Back to top