T1598.003 Spearphishing Link
Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.23 The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site.
Adversaries may also link to “web bugs” or “web beacons” within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.6
Adversaries may also be able to spoof a complete website using what is known as a “browser-in-the-browser” (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.75
From the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.
|T1598.001, T1598.002, T1598.003
|02 October 2020
|15 April 2023
|AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.8
|APT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains.19
|APT32 has used malicious links to direct users to web pages designed to harvest credentials.27
|Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.17
|Kimsuky has used links in e-mail to steal account information.313032
|Magic Hound has used SMS and email messages with links designed to steal credentials or track victims.111214131015
|Mustang Panda has delivered web bugs to profile their intended targets.16
|Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.20
|Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.28
|Sidewinder has sent e-mails with malicious links to credential harvesting websites.18
|Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization’s login page.212223242526
|SMOKEDHAM has been delivered via malicious links in phishing emails.9
|ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URL’s.29
|Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.41
|Users can be trained to identify social engineering techniques and spearphishing attempts. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.
|Application Log Content
|Network Traffic Content