Initial Access

T1566.002: Spearphishing Link

T1566.002 · Sub-technique · 6 platforms · 46 groups

Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It differs from other forms of spearphishing in that the email carries a link from which the malware is downloaded, rather than a malicious attachment, so that defenses which inspect email attachments never see the payload. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.

Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, hxxp://google.com@1157586937.(Citation: Mandiant URL Obfuscation 2023)
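As an added example, not part of the ATT&CK entry or the cited Mandiant write-up, the Python below normalizes a suspicious link the way a browser would and reports the tricks described above: report-style defanging (`hxxp`, `[.]`), userinfo before `@`, integer/hex/octal hostnames, and punycode or non-ASCII labels. The sample URLs are constructed for the demonstration; the first is the form quoted in the text, and the punycode domain is one whose labels decode to Cyrillic letters resembling "apple". The IPv4 address is computed from the hostname, not looked up.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A hostname "part" that browsers accept as a number: hex (0x..), octal
# (leading 0) or decimal. A whole-host integer is the one-part case.
_NUM_PART = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)


def _part_to_int(part):
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_host(host):
    """Return the dotted-quad IPv4 a browser would connect to when the host is
    written numerically ('1157586937', '0x44ff5ff9', '0104.0377.0137.0371',
    or short forms like '1.2.3'); any other host is returned unchanged."""
    parts = host.split(".")
    if len(parts) > 4 or not all(_NUM_PART.match(p) for p in parts):
        return host
    *leading, last = [_part_to_int(p) for p in parts]
    width = 4 - len(leading)  # the last part fills the remaining bytes
    if any(v > 255 for v in leading) or last >= 256 ** width:
        return host
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << (8 * width)) | last
    return str(ipaddress.IPv4Address(n))


def analyze_link(url):
    """Undo report-style defanging, then list each obfuscation trick found
    and the host the browser would actually contact."""
    cleaned = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)
    cleaned = cleaned.replace("[.]", ".")
    parts = urlsplit(cleaned)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        # RFC 3986 userinfo: browsers discard everything before '@'.
        findings.append(f"userinfo '{parts.username}' precedes the real host")
    real_host = normalize_host(host)
    if real_host != host:
        findings.append(f"numeric host '{host}' is {real_host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
        except ValueError:  # UnicodeError is a ValueError subclass
            decoded = "?"
        findings.append(f"punycode label, displays as '{decoded}' (possible homograph)")
    elif any(ord(c) > 127 for c in host):
        findings.append("non-ASCII host, possible homograph")
    return {"host": real_host, "findings": findings}


if __name__ == "__main__":
    # Constructed samples; the first is the form quoted in the text above.
    for u in ("hxxp://google.com@1157586937",
              "https://0x44ff5ff9/login",
              "https://xn--80ak6aa92e.com/",
              "https://www.example.com/"):
        print(u, "->", analyze_link(u))
```

`normalize_host` mirrors browser parsing (each leading part is one byte, the last part fills the rest), which is why `1157586937` and `0x44ff5ff9` both come out as `68.255.95.249`; feed it the host from your mail gateway's URL extraction before matching against blocklists, since the obfuscated form will never match.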

Adversaries may also utilize links to perform consent phishing/spearphishing campaigns to Steal Application Access Tokens that grant immediate access to the victim environment. For example, a user may be lured into granting adversaries permissions/access via a malicious OAuth 2.0 request URL that, when accepted by the user, provides permissions/access for malicious applications.(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as “device code phishing,” an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)
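Both identity-provider variants above leave their trace in the tenant's audit and sign-in logs rather than on an endpoint. As an added example, not part of the ATT&CK entry or any cited report, the Python below runs two checks over constructed, simplified events in the general shape of Entra ID "Consent to application" audit records and sign-in records: a user consenting to an app outside a verified allowlist that asks for mailbox, file or `offline_access` (refresh token) scopes, and a successful device-code sign-in from an address the user has not used before. The field names, the `ConsentAction.Permissions` string format, the allowlist and the known-IP table are assumptions modelled on the common log shape, not a verified schema; map them to your own export.

```python
import re

# Delegated permissions that let a consented app read mail or files, or keep
# access through refresh tokens; the usual ask in consent-phishing campaigns.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite",
    "User.Read.All", "Directory.Read.All", "Contacts.Read",
}


def scopes_from_consent(consent_value):
    """Pull the space-separated scope list out of a ConsentAction.Permissions
    value. Assumed format: '[[..., Scope: openid Mail.Read offline_access, ...]]'."""
    m = re.search(r"Scope:\s*([^,\]]+)", consent_value)
    return set(m.group(1).split()) if m else set()


def review_consent(event, verified_app_ids):
    """Finding for a 'Consent to application' audit event that grants high-risk
    scopes to an app outside the verified allowlist, else None."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    user = event["initiatedBy"]["user"]["userPrincipalName"]
    app = event["targetResources"][0]
    scopes = set()
    for prop in app.get("modifiedProperties", []):
        if prop["displayName"] == "ConsentAction.Permissions":
            scopes |= scopes_from_consent(prop["newValue"])
    risky = scopes & HIGH_RISK_SCOPES
    if not risky or app["id"] in verified_app_ids:
        return None
    return {"type": "consent_phishing", "user": user,
            "app": app["displayName"], "scopes": sorted(risky)}


def review_signin(event, known_ips):
    """Finding for a successful device-code sign-in from an IP the user has not
    signed in from before (assumed field: authenticationProtocol), else None."""
    if event.get("authenticationProtocol") != "deviceCode":
        return None
    if event["status"]["errorCode"] != 0:
        return None
    user = event["userPrincipalName"]
    if event["ipAddress"] in known_ips.get(user, set()):
        return None
    return {"type": "device_code_phishing", "user": user,
            "ip": event["ipAddress"], "app": event["appDisplayName"]}


def triage(audit_events, signin_events, verified_app_ids, known_ips):
    """Run both checks and return the findings in log order."""
    findings = [f for e in audit_events if (f := review_consent(e, verified_app_ids))]
    findings += [f for e in signin_events if (f := review_signin(e, known_ips))]
    return findings


# Constructed sample events (shape simplified from Entra audit/sign-in logs).
SAMPLE_AUDIT = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"id": "11111111-1111-1111-1111-111111111111",
                          "displayName": "Mailbox Backup Helper",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "[[ConsentType: Principal, Scope: openid profile offline_access Mail.Read Files.ReadWrite.All, ExpiryTime: ]]"}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"id": "22222222-2222-2222-2222-222222222222",
                          "displayName": "Corporate Expense App",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "[[ConsentType: Principal, Scope: openid profile User.Read, ExpiryTime: ]]"}]}]},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.9", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
]
VERIFIED_APPS = {"22222222-2222-2222-2222-222222222222"}   # assumed allowlist
KNOWN_IPS = {"alice@example.com": {"198.51.100.20"}}       # assumed baseline

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT, SAMPLE_SIGNINS, VERIFIED_APPS, KNOWN_IPS):
        print(finding)
```

The device-code check is deliberately a heuristic: the flow is legitimate for headless devices, so the signal is a successful device-code sign-in for a user who normally signs in interactively, from a network location they have not used, followed shortly by mailbox or file access under the same token.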

Platforms

Identity Provider, Linux, macOS, Office Suite, SaaS, Windows

Mitigations (5)

Software Configuration (M1054)

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation
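An added example, not from the ATT&CK page or the cited Microsoft guidance: the Python below parses a DMARC TXT record and an Authentication-Results header (both constructed samples) to show the gap this mitigation closes. SPF and DKIM only produce pass/fail results; it is the sending domain's published `p=` policy, at `pct=100`, that tells receivers to quarantine or reject a spoofed message, and until that is set a message failing both checks is still delivered.

```python
import re

# Authentication-Results (RFC 8601) method=result pairs we care about.
_AUTH_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b",
    re.I,
)


def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'
    into a lower-cased tag dict. Unknown tags are kept; duplicates keep the last."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return ('enforcing' | 'monitoring' | 'invalid', notes) describing how much
    protection the published policy gives receivers of spoofed mail."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    notes = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        notes.append("p=none: receivers only report; failing mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports are not collected")
    enforcing = policy in ("reject", "quarantine") and pct == 100
    return ("enforcing" if enforcing else "monitoring"), notes


def parse_auth_results(header_value):
    """Extract {'spf': 'pass', 'dkim': 'fail', 'dmarc': 'fail'} from the value
    of an Authentication-Results header added by the receiving MTA."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in _AUTH_RESULT.finditer(header_value)}


def disposition(header_value, dmarc_record):
    """What a DMARC-honouring receiver does with one message: the sender
    domain's p= applies only when DMARC (aligned SPF or DKIM) failed."""
    results = parse_auth_results(header_value)
    if results.get("dmarc") != "fail":
        return "deliver"
    policy = parse_dmarc(dmarc_record).get("p", "none").lower()
    return policy if policy in ("reject", "quarantine") else "deliver"


# Constructed samples: a spoofed message that failed both checks at the receiver.
SAMPLE_HEADER = ("mx.example.net; spf=fail smtp.mailfrom=example.com; "
                 "dkim=fail (signature did not verify) header.d=example.com; "
                 "dmarc=fail (p=NONE sp=NONE dis=none) header.from=example.com")
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        print(rec, "->", assess_dmarc(rec), "/ spoofed message:", disposition(SAMPLE_HEADER, rec))
```

Run `assess_dmarc` against your own domains' records during the rollout: the notes it returns (`p=none`, partial `pct`, `sp=none`, no `rua`) are the usual reasons a domain that "has DMARC" still gets spoofed.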

Restrict Web-Based Content (M1021)

Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Audit (M1047)

Audit applications and their permissions to ensure that access to data and resources is limited to what is necessary, following the principle of least privilege.

User Account Management (M1018)

Azure AD (now Microsoft Entra ID) administrators can restrict users' ability to grant consent to unfamiliar or unverified third-party applications, for example by allowing user consent only for apps from verified publishers requesting low-risk permissions and routing everything else through an admin consent request.

User Training (M1017)

Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails co

Threat Groups (46)

| ID | Group | Context |
|---|---|---|
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicr... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten Febr... |
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has sent spearphishing emails containing a malicious Dropbox download link.(Citation: Kaspersky ... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has embedded OneDrive URLs in emails leading to malicious file installation.(Citation: Trend Micro... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has sent malicious links to victims through email campaigns.(Citation: TrendMicro Confucius APT Aug... |
| G0103 | Mofang | [Mofang](https://attack.mitre.org/groups/G0103) delivered spearphishing emails with malicious links included.(Citation: FOX-IT May 2016 Mofang) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has sent spearphishing emails containing a link to a document that contained malicious macros or took... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious links often crafted for specific targets.(Citation: ATT Sidewinder... |
| G0066 | Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has delivered zero-day exploits and malware to victims via targeted emails containing a link to mal... |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) has sent phishing emails that contain a link to an external server with ZIP and RAR archives.(Citatio... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August... |
| G1020 | Mustard Tempest | [Mustard Tempest](https://attack.mitre.org/groups/G1020) has sent victims emails containing links to compromised websites.(Citation: SocGholish-update... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indict... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has embedded links to malicious downloads in e-mails.(Citation: Talos Oblique RAT March 202... |
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has sent spearphishing emails containing a link to a zip file hosted on Google Drive.(Citation: ESET ... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered malicious links to their intended targets.(Citation: IBM MUSTANG PANDA PUBLOAD CL... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: ... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereas... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has sent spearphishing emails containing malicious links.(Citation: FireEye Clandestine Wolf) |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1) |

Associated Software (30)

| ID | Name | Type | Context |
|---|---|---|---|
| S0585 | Kerrdown | Malware | [Kerrdown](https://attack.mitre.org/software/S0585) has been distributed via e-mails containing a malicious link.(Citation: Amnesty Intl. Ocean Lotus ... |
| S0561 | GuLoader | Malware | [GuLoader](https://attack.mitre.org/software/S0561) has been spread in phishing campaigns using malicious web links.(Citation: Unit 42 NETWIRE April 2... |
| S1017 | OutSteel | Malware | [OutSteel](https://attack.mitre.org/software/S1017) has been distributed through malicious links contained within spearphishing emails.(Citation: Palo... |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed as a malicious link within an email.(Citation: MalwareBytes LazyScripter Feb ... |
| S9026 | ROAMINGHOUSE | Malware | [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) has been distributed through phishing emails containing malicious OneDrive links.(Citation: Tr... |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) has been delivered via malicious links embedded in e-mails.(Citation: Securelist Brazilian Banking M... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) is distributed in phishing emails containing links to distribute malicious VBS or MSI files.(Citat... |
| S1030 | Squirrelwaffle | Malware | [Squirrelwaffle](https://attack.mitre.org/software/S1030) has been distributed through phishing emails containing a malicious URL.(Citation: ZScaler S... |
| S0584 | AppleJeus | Malware | [AppleJeus](https://attack.mitre.org/software/S0584) has been distributed via spearphishing link.(Citation: CISA AppleJeus Feb 2021) |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has been delivered via malicious links in spearphishing emails.(Citation: SentinelOne Qilin NOV 2022)... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing links. (Citation: Trend Micro Banking Malware Jan 2... |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) has been spread via malicious links embedded in emails.(Citation: SCILabs Malteiro 2021) |
| S0646 | SpicyOmelette | Malware | [SpicyOmelette](https://attack.mitre.org/software/S0646) has been distributed via emails containing a malicious link that appears to be a PDF document... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has been delivered via spearphishing emails which contained malicious links.(Citation: Malwarebytes Po... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has been distributed through malicious links contained within spearphishing emails.(Citation: Pal... |
| S0677 | AADInternals | Tool | [AADInternals](https://attack.mitre.org/software/S0677) can send "consent phishing" emails containing malicious links designed to steal users' access ... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has been spread through e-mail campaigns with malicious links.(Citation: Proofpoint Bumblebee Apr... |
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) has been delivered via malicious links in phishing e-mails.(Citation: Cyberreason Anchor December ... |
| S1124 | SocGholish | Malware | [SocGholish](https://attack.mitre.org/software/S1124) has been spread via emails containing malicious links.(Citation: SocGholish-update) |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has been spread via e-mail campaigns utilizing malicious links.(Citation: Unit 42 NETWIRE April 202... |

Frequently Asked Questions

What is T1566.002 (Spearphishing Link)?

T1566.002 is a MITRE ATT&CK sub-technique of Phishing (T1566) named 'Spearphishing Link', in the Initial Access tactic. Adversaries send targeted emails carrying a link instead of an attachment, so the malware is fetched from the web when the user clicks and defenses that inspect email attachments never see it; the same delivery method is used for OAuth consent phishing and device code phishing against identity providers.

How can T1566.002 be detected?

Detection of T1566.002 (Spearphishing Link) centers on the link and on what follows the click rather than on the email body. Inspect URLs in inbound mail (expand shortened links, resolve numeric and punycode hostnames, strip userinfo before "@") and detonate them in a sandbox; correlate mail delivery with the subsequent web request, download and process creation on the endpoint, since most detections fire only once User Execution occurs; and use SPF/DKIM/DMARC results to spot spoofed senders. For the consent-phishing and device-code variants described above, review identity-provider audit and sign-in logs for consent grants to unfamiliar applications requesting broad permissions and for sign-ins completed through the device authorization grant. ATT&CK lists Application Log (Application Log Content) and Network Traffic (Network Traffic Content, Network Traffic Flow) as the data sources for this sub-technique.

What mitigations exist for T1566.002?

There are 5 documented mitigations for T1566.002. Key mitigations include: Software Configuration, Restrict Web-Based Content, Audit, User Account Management, User Training.

Which threat groups use T1566.002?

Known threat groups using T1566.002 include: BlackTech, MuddyWater, LuminousMoth, MirrorFace, Confucius, Mofang, Kimsuky, Sidewinder.