Phishing, Technique T1566 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Phishing, Technique T1566 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Phishing</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Phishing </h1> <div class="row"> <div class="col-md-8">  <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Sub-techniques (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1566/001/" class="subtechnique-table-item" data-subtechnique_id="T1566.001"> T1566.001 </a> </td> <td> <a href="/techniques/T1566/001/" class="subtechnique-table-item" data-subtechnique_id="T1566.001"> Spearphishing Attachment </a> </td> </tr> <tr> <td> <a href="/techniques/T1566/002/" class="subtechnique-table-item" data-subtechnique_id="T1566.002"> T1566.002 </a> </td> <td> <a href="/techniques/T1566/002/" class="subtechnique-table-item" data-subtechnique_id="T1566.002"> Spearphishing Link </a> </td> </tr> <tr> <td> <a href="/techniques/T1566/003/" class="subtechnique-table-item" data-subtechnique_id="T1566.003"> T1566.003 </a> </td> <td> <a href="/techniques/T1566/003/" class="subtechnique-table-item" data-subtechnique_id="T1566.003"> Spearphishing via Service </a> </td> </tr> <tr> <td> <a href="/techniques/T1566/004/" class="subtechnique-table-item" data-subtechnique_id="T1566.004"> T1566.004 </a> </td> <td> <a href="/techniques/T1566/004/" class="subtechnique-table-item" data-subtechnique_id="T1566.004"> Spearphishing Voice </a> </td> </tr> </tbody> </table> </div> </div> </div>  <div class="description-body"> <p>Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.</p><p>Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., <a href="/techniques/T1564/008">Email Hiding Rules</a>).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023."data-reference="Microsoft OAuth Spam 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023."data-reference="Palo Alto Unit 42 VBA Infostealer 2014"><sup><a href="https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Another way to accomplish this is by forging or spoofing<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023."data-reference="Proofpoint-spoof"><sup><a href="https://www.proofpoint.com/us/threat-reference/email-spoofing" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> the identity of the sender which can be used to fool both the human recipient as well as automated security tools,<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023."data-reference="cyberproof-double-bounce"><sup><a href="https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That Prey on Your Curiosity. Retrieved September 27, 2024."data-reference="phishing-krebs"><sup><a href="https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p>Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023."data-reference="sygnia Luna Month"><sup><a href="https://blog.sygnia.co/luna-moth-false-subscription-scams" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023."data-reference="CISA Remote Monitoring and Management Software"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa23-025a" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> or install adversary-accessible remote management tools onto their computer (i.e., <a href="/techniques/T1204">User Execution</a>).<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023."data-reference="Unit42 Luna Moth"><sup><a href="https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1566 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> <a href="/techniques/T1566/001">T1566.001</a>, <a href="/techniques/T1566/002">T1566.002</a>, <a href="/techniques/T1566/003">T1566.003</a>, <a href="/techniques/T1566/004">T1566.004</a> </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0001">Initial Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Identity Provider, Linux, Office Suite, SaaS, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Liora Itkin; Liran Ravich, CardinalOps; Ohad Zaidenberg, @ohad_mz; Philip Winther; Scott Cook, Capital One </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>2.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>02 March 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>07 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1566" href="/versions/v16/techniques/T1566/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1566" href="/versions/v16/techniques/T1566/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/groups/G0001"> G0001 </a> </td> <td> <a href="/groups/G0001"> Axiom </a> </td> <td> <p><a href="/groups/G0001">Axiom</a> has used spear phishing to initially compromise victims.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016."data-reference="Cisco Group 72"><sup><a href="http://blogs.cisco.com/security/talos/threat-spotlight-group-72" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0115"> G0115 </a> </td> <td> <a href="/groups/G0115"> GOLD SOUTHFIELD </a> </td> <td> <p><a href="/groups/G0115">GOLD SOUTHFIELD</a> has conducted malicious spam (malspam) campaigns to gain access to victim's machines.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0009"> S0009 </a> </td> <td> <a href="/software/S0009"> Hikit </a> </td> <td> <p><a href="/software/S0009">Hikit</a> has been spread through spear phishing.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1032"> G1032 </a> </td> <td> <a href="/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/groups/G1032">INC Ransom</a> has used phishing to gain initial access.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024."data-reference="SOCRadar INC Ransom January 2024"><sup><a href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024."data-reference="SentinelOne INC Ransomware"><sup><a href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1139"> S1139 </a> </td> <td> <a href="/software/S1139"> INC Ransomware </a> </td> <td> <p><a href="/software/S1139">INC Ransomware</a> campaigns have used spearphishing emails for initial access.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024."data-reference="SentinelOne INC Ransomware"><sup><a href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1073"> S1073 </a> </td> <td> <a href="/software/S1073"> Royal </a> </td> <td> <p><a href="/software/S1073">Royal</a> has been spread through the use of phishing campaigns including "call back phishing" where victims are lured into calling a number provided through email.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023."data-reference="Cybereason Royal December 2022"><sup><a href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023."data-reference="Kroll Royal Deep Dive February 2023"><sup><a href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023."data-reference="CISA Royal AA23-061A March 2023"><sup><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1049"> M1049 </a> </td> <td> <a href="/mitigations/M1049"> Antivirus/Antimalware </a> </td> <td> <p>Anti-virus can automatically quarantine suspicious files.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1047"> M1047 </a> </td> <td> <a href="/mitigations/M1047"> Audit </a> </td> <td> <p>Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1031"> M1031 </a> </td> <td> <a href="/mitigations/M1031"> Network Intrusion Prevention </a> </td> <td> <p>Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1021"> M1021 </a> </td> <td> <a href="/mitigations/M1021"> Restrict Web-Based Content </a> </td> <td> <p>Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1054"> M1054 </a> </td> <td> <a href="/mitigations/M1054"> Software Configuration </a> </td> <td> <p>Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020."data-reference="Microsoft Anti Spoofing"><sup><a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020."data-reference="ACSC Email Spoofing"><sup><a href="https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/mitigations/M1017"> M1017 </a> </td> <td> <a href="/mitigations/M1017"> User Training </a> </td> <td> <p>Users can be trained to identify social engineering techniques and phishing emails.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0015"> <td> <a href="/datasources/DS0015">DS0015</a> </td> <td class="nowrap"> <a href="/datasources/DS0015">Application Log</a> </td>  <td> <a href="/datasources/DS0015/#Application%20Log%20Content">Application Log Content</a> </td> <td> <p>Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020."data-reference="Microsoft Anti Spoofing"><sup><a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020."data-reference="ACSC Email Spoofing"><sup><a href="https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.</p><p>Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td>  <td> <a href="/datasources/DS0022/#File%20Creation">File Creation</a> </td> <td> <p>Monitor for newly constructed files from a phishing messages to gain access to victim systems.</p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/datasources/DS0029">Network Traffic</a> </td>  <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020."data-reference="Microsoft Anti Spoofing"><sup><a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020."data-reference="ACSC Email Spoofing"><sup><a href="https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/" target="_blank"> Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/" target="_blank"> Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.proofpoint.com/us/threat-reference/email-spoofing" target="_blank"> Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends" target="_blank"> Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/" target="_blank"> Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That Prey on Your Curiosity. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blog.sygnia.co/luna-moth-false-subscription-scams" target="_blank"> Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.cisa.gov/uscert/ncas/alerts/aa23-025a" target="_blank"> CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/" target="_blank"> Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="http://blogs.cisco.com/security/talos/threat-spotlight-group-72" target="_blank"> Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="10.0"> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank"> SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.sentinelone.com/anthology/inc-ransom/" target="_blank"> SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank"> Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive" target="_blank"> Iacono, L. and Green, S. (2023, February 13). Royal Ransomware Deep Dive. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" target="_blank"> CISA. (2023, March 2). #StopRansomware: Royal Ransomware. Retrieved March 31, 2023. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank"> Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank"> Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-techniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Phishing, Technique T1566 - Enterprise | MITRE ATT&CK®