Skip to content

T1598.001 Spearphishing Service

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.1 These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: Social Media or Search Victim-Owned Websites) to craft persuasive and believable lures.

Item Value
ID T1598.001
Sub-techniques T1598.001, T1598.002, T1598.003
Tactics TA0043
Platforms PRE
Version 1.0
Created 02 October 2020
Last Modified 15 April 2021

Mitigations

ID Mitigation Description
M1017 User Training Users can be trained to identify social engineering techniques and spearphishing attempts.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0029 Network Traffic Network Traffic Content

References