Description
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It differs from other forms of spearphishing in that it uses third-party services rather than enterprise email channels directly.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise-controlled services.(Citation: Lookout Dark Caracal Jan 2018) These services are more likely to have a less strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to build rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees about potential job opportunities. Doing so provides a plausible reason for asking about the services, policies, and software running in an environment. The adversary can then send malicious links or attachments through these services.
A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.
Mitigations (5)
User Training (M1017)
Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.
User Account Management (M1018)
Enforce strict user account management policies on third-party service accounts to control access and limit privileges. Configure accounts with the minimum permissions necessary to perform their roles and regularly review access levels. This minimizes the risk of adversaries exploiting service accounts to execute spearphishing attacks or gain unauthorized access to sensitive resources.
Antivirus/Antimalware (M1049)
Anti-virus can also automatically quarantine suspicious files.
Restrict Web-Based Content (M1021)
Determine whether certain social media sites, personal webmail services, or other services that can be used for spearphishing are necessary for business operations, and consider blocking access if the activity cannot be monitored well or if it poses a significant risk.
Audit (M1047)
Implement auditing and logging for interactions with third-party messaging services or collaboration platforms. Monitor user activity and review logs for signs of suspicious links, downloads, or file exchanges that could indicate spearphishing attempts. Effective auditing allows for the quick identification of malicious activity originating from compromised service accounts.
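The Audit mitigation above asks for logging of third-party service interactions and review of those logs for file exchanges. The following added example (not part of the ATT&CK page or any vendor tool) shows one way to do that review over web proxy logs: it categorizes destination hosts as personal webmail, social media, or messaging services and alerts on successful downloads of archive or executable content from them. The domain lists, MIME types, proxy log layout and sample log lines are all constructed assumptions to be tuned per environment.

```python
import re
from collections import Counter
from urllib.parse import urlparse

SERVICE_CATEGORIES = {  # constructed host lists for the service types the technique names; tune per environment
    "personal_webmail": {"mail.google.com", "outlook.live.com", "mail.yahoo.com"},
    "social_media": {"www.linkedin.com", "www.facebook.com", "twitter.com"},
    "messaging": {"web.telegram.org", "web.whatsapp.com", "teams.live.com"},
}
RISKY_TYPES = {"application/zip", "application/x-rar-compressed",  # archives and executables, not rendered pages
               "application/x-msdownload", "application/octet-stream"}
# Hypothetical proxy log layout (assumption): ts user src_ip method url status bytes content_type
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


def categorize(host):
    """Return the third-party service category for a host, or None (enterprise mail etc.)."""
    for category, hosts in SERVICE_CATEGORIES.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return category
    return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the whole review
    ts, user, src, method, url, status, size, ctype = m.groups()
    return {"user": user, "method": method, "url": url, "status": int(status), "ctype": ctype.lower()}


def find_download_alerts(lines):
    """One alert per successful (HTTP 200 GET) risky download served by a categorized service."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200 or rec["method"] != "GET":
            continue
        host = urlparse(rec["url"]).hostname or ""
        category = categorize(host)
        if category and rec["ctype"] in RISKY_TYPES:
            alerts.append({"user": rec["user"], "host": host, "category": category,
                           "url": rec["url"], "ctype": rec["ctype"]})
    return alerts


def downloads_per_user(alerts):
    """Count alerts per user so repeat offenders stand out during log review."""
    return Counter(a["user"] for a in alerts)


SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "2024-05-01T09:01:02Z jdoe 10.0.0.5 GET https://www.linkedin.com/feed/ 200 51234 text/html",
    "2024-05-01T09:03:10Z jdoe 10.0.0.5 GET https://mail.google.com/mail/u/0/?attid=0.1&disp=safe 200 418233 application/zip",
    "2024-05-01T09:04:44Z asmith 10.0.0.7 GET https://web.telegram.org/a/file/job_offer.zip 200 90211 application/zip",
    "2024-05-01T09:05:00Z asmith 10.0.0.7 GET https://mail.corp.example/owa/attachment.ashx 200 22000 application/zip",
]
```

Running `find_download_alerts(SAMPLE_LOGS)` flags the Gmail and Telegram archive downloads and ignores the LinkedIn page view and the enterprise OWA attachment, which is the distinction the technique description draws between enterprise and non-enterprise channels.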
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) has used social media to deliver malicious files to victims.(Citation: Microsoft Iranian Threat Actor ... |
| G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used fake personas on social media to engage and target victims.(Citation: SANS Windshift Augus... |
| G0130 | Ajax Security Team | [Ajax Security Team](https://attack.mitre.org/groups/G0130) has used various social media channels to spearphish victims.(Citation: FireEye Operation ... |
| G1011 | EXOTIC LILY | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) has used the e-mail notification features of legitimate file sharing services for spearphishing.(... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has used fake job advertisements and messages sent via social media to spearphish target... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has sent loaders configured to run [Ninja](https://attack.mitre.org/software/S1100) as zip archives ... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligenc... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used the legitimate mailing service Constant Contact to send phishing e-mails.(Citation: MSTIC NOBE... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used LinkedIn to send spearphishing links.(Citation: FireEye APT34 July 2019) |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) spearphished victims via Facebook and WhatsApp.(Citation: Lookout Dark Caracal Jan 2018) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used Microsoft Teams to send messages and initiate voice calls to victims posing as IT support... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) used various social media channels (such as LinkedIn) as well as messaging services (such as What... |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) has used social media services to spearphish victims to deliver trojanized software.(Citati... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) has been distributed to victims via the messaging app Telegram.(Citation: Kaspersky ToddyCat June 202... |
Frequently Asked Questions
What is T1566.003 (Spearphishing via Service)?
T1566.003 is a MITRE ATT&CK technique named 'Spearphishing via Service'. It belongs to the Initial Access tactic(s). Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different f...
How can T1566.003 be detected?
Detection of T1566.003 (Spearphishing via Service) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1566.003?
There are 5 documented mitigations for T1566.003. Key mitigations include: User Training, User Account Management, Antivirus/Antimalware, Restrict Web-Based Content, Audit.
Which threat groups use T1566.003?
Known threat groups using T1566.003 include: CURIUM, Windshift, Ajax Security Team, EXOTIC LILY, Contagious Interview, ToddyCat, FIN6, APT29.