T1566 Phishing
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Targeted phishing is known as spearphishing: the adversary goes after a specific individual, company, or industry. More generally, adversaries can conduct non-targeted phishing, such as mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as deleting or manipulating messages or their metadata/headers in compromised accounts that are being abused to send the phishing (e.g., Email Hiding Rules).[6][9] Another way to accomplish this is by forging or spoofing[8] the identity of the sender, which can fool both the human recipient and automated security tools.[3]
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,[7][2] or install adversary-accessible remote management tools onto their computer (i.e., User Execution).[4]
Item | Value |
---|---|
ID | T1566 |
Sub-techniques | T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1566.003 (Spearphishing via Service) |
Tactics | TA0001 (Initial Access) |
Platforms | Google Workspace, Linux, Office 365, SaaS, Windows, macOS |
Version | 2.3 |
Created | 02 March 2020 |
Last Modified | 14 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0001 | Axiom | Axiom has used spear phishing to initially compromise victims.[14][10] |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[15] |
S0009 | Hikit | Hikit has been spread through spear phishing.[10] |
S1073 | Royal | Royal has been spread through the use of phishing campaigns, including "callback phishing", where victims are lured into calling a number provided through email.[12][13][11] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware | Anti-virus can automatically quarantine suspicious files. |
M1031 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity. |
M1021 | Restrict Web-Based Content | Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[5][1] |
M1017 | User Training | Users can be trained to identify social engineering techniques and phishing emails. |
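The M1054 and M1021 rows above describe two checks a mail gateway applies, but the detail that matters in practice is easy to miss: SPF and DKIM can both pass for a sender-controlled domain, and only DMARC's identifier alignment (does the authenticated domain match the `From:` domain the user sees?) exposes the spoof. The script below is an added example, not ATT&CK content or a vendor implementation. It parses a constructed message, evaluates SPF/DKIM results from the `Authentication-Results` header with relaxed DMARC alignment, and flags the attachment types listed in M1021, including double-extension names like `invoice.pdf.scr`. The `org_domain` helper is a deliberate simplification (last two labels) rather than the Public Suffix List lookup real DMARC uses, and the sample messages and domains (`example.com`, `attacker.test`) are constructed for the example.

```python
"""Added example: triage a raw email for M1054 (SPF/DKIM + DMARC alignment)
and M1021 (risky attachment types). Constructed sample data, not ATT&CK code."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the M1021 row lists as commonly abused in phishing attachments.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl"}


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed DMARC alignment.
    Assumption/simplification: last two labels. Real DMARC consults the
    Public Suffix List, so 'example.co.uk' would be reduced wrongly here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into
    {'spf': (result, domain), 'dkim': (result, domain)}.
    The first ';'-separated field is the authserv-id and is skipped."""
    out = {}
    for field in value.split(";")[1:]:
        field = field.strip()
        m = re.match(r"(spf|dkim)=(\w+)", field, re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if method == "spf":   # SPF authenticates the envelope MAIL FROM domain
            dm = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([^\s;]+)", field, re.I)
        else:                 # DKIM authenticates the d= signing domain
            dm = re.search(r"header\.d=([^\s;]+)", field, re.I)
        out[method] = (result, dm.group(1).lower() if dm else None)
    return out


def dmarc_alignment(msg: EmailMessage) -> dict:
    """DMARC's core rule: SPF or DKIM must pass AND the authenticated domain must
    align (relaxed: same organizational domain) with the visible From domain."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned = [
        method for method, (result, domain) in results.items()
        if result == "pass" and domain and org_domain(domain) == org_domain(from_domain)
    ]
    # A missing header yields no results, which is treated as a DMARC failure.
    return {"from_domain": from_domain, "results": results,
            "aligned": aligned, "dmarc_pass": bool(aligned)}


def risky_attachments(msg: EmailMessage) -> list:
    """Filenames whose FINAL extension is risky, so 'invoice.pdf.scr' is caught."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            found.append(name)
    return found


def triage(raw: str) -> dict:
    """Run both checks over a raw RFC 5322 message and return the flags raised."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = dmarc_alignment(msg)
    attachments = risky_attachments(msg)
    flags = []
    if not auth["dmarc_pass"]:
        flags.append("dmarc-fail")
    if attachments:
        flags.append("risky-attachment")
    return {"auth": auth, "risky_attachments": attachments, "flags": flags}


# Constructed sample: SPF and DKIM both PASS, but for the attacker's own domain,
# while the user-visible From claims example.com. Only alignment catches this.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.attacker.test; dkim=pass header.d=attacker.test
From: "IT Support" <helpdesk@example.com>
To: user@example.com
Subject: Urgent: update your VPN client
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please install the attached update before 5pm.
--b1
Content-Type: application/octet-stream; name="VPN-Update.pdf.scr"
Content-Disposition: attachment; filename="VPN-Update.pdf.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: legitimate mail whose authenticated domains align with From.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=news.example.com; dkim=pass header.d=example.com
From: "Payroll" <payroll@example.com>
To: user@example.com
Subject: March payslips are available
MIME-Version: 1.0
Content-Type: text/plain

Payslips are now available in the HR portal.
"""
```

One caveat a gateway operator needs: this logic trusts whatever `Authentication-Results` header it finds. In a real deployment the receiving MX must strip any such header that arrives from outside bearing its own authserv-id before adding its own, otherwise the sender can forge a passing result exactly as they forge `From:`.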
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Traffic Content |
References
1. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.
2. CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.
3. Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing. Retrieved February 24, 2023.
4. Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.
5. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
6. Microsoft. (2022, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.
7. Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.
8. Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.
9. Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.
10. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
11. CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023.
12. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
13. Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023.
14. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
15. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.