Spearphishing Attachment
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing; it differs from other forms in that the malware is attached to the email itself. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. Common attachment types include Microsoft Office documents, executables, PDFs, and archive files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually gives a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons to make attached executables appear to be document files, or to make a file exploiting one application appear to be a file for a different one.
Detection logic
Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature- or behavior-based, but adversaries may construct attachments so as to avoid these systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Anti-virus can potentially detect malicious documents and attachments as they are scanned for storage on the email server or on the user's computer. Endpoint or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe), for techniques such as Exploitation for Client Execution or usage of malicious scripts. Monitor for suspicious descendant processes spawned from Microsoft Office and other productivity software.
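As an added example (not part of the ATT&CK page or any vendor product), the two endpoint heuristics above, productivity software spawning a script host and productivity software opening an outbound connection, applied to a handful of constructed Sysmon-style events; the event layout, the process allow/deny sets and every sample value are assumptions made for the demonstration.

```python
"""Flag productivity software that spawns script hosts or reaches the network."""
from typing import Iterable

# Document viewers/editors that should not normally launch script hosts (assumed set).
PRODUCTIVITY = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Children commonly seen after a malicious document is opened (assumed set).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed Sysmon-style events, not real telemetry: id 1 = process create, id 3 = network connect.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",  # benign: user launched a script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign: a browser
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},  # benign print helper
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: Iterable[dict]) -> list[str]:
    """Return one human-readable finding per event matching either heuristic."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            parent, child = basename(ev["parent"]), basename(ev["image"])
            if parent in PRODUCTIVITY and child in SUSPICIOUS_CHILDREN:
                findings.append(f"{parent} spawned {child}: {ev['cmdline']}")
        elif ev["id"] == 3:
            proc = basename(ev["image"])
            if proc in PRODUCTIVITY:
                findings.append(f"{proc} connected to {ev['dest_ip']}:{ev['dest_port']}")
    return findings


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the Word-to-PowerShell chain and the Excel outbound connection are reported; the Explorer-launched script, the browser connection and the Word print helper pass through, which is the precision the text's "suspicious descendant" wording asks for.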
Observed actors
G0082 Elderwood
G0066 SideCopy
G1008 Kimsuky
G0094 EXOTIC LILY
G1011 admin@338
G0018 Patchwork
G0040 APT41
G0096 Dragonfly
G0035 Gorgon Group
G0078 menuPass
G0045 APT32
G0050 MuddyWater
G0069 Naikon
G0019 FIN6
G0037 Gamaredon Group
G0047 Gallmaker
G0084 FIN7
G0046 Sandworm Team
G0034 Machete
G0095 Andariel
G0138 CURIUM
G1012 Sidewinder
G0121 Mustang Panda
G0129 APT39
G0087 TA2541
G1018 APT37
G0067 OilRig
G0049 Higaisa
G0126 Tropic Trooper
G0081 TA459
G0062 Ferocious Kitten
G0137 The White Company
G0089 Saint Bear
G1031 APT1
G0006 DarkHydrus
G0079 Confucius
G0142 BlackTech
G0098 Leviathan
G0065 Winter Vivern
G1035 Turla
G0010 TA505
G0092 BITTER
G1002 RedCurl
G1039 Mofang
G0103 APT29
G0016 BRONZE BUTLER
G0060 TA551
G0127 Star Blizzard
G1033 Darkhotel
G0012 Ember Bear
G1003 LazyScripter
G0140 Windshift
G0112 APT28
G0007 Malteiro
G1026 RTM
G0048 APT12
G0005 APT-C-36
G0099 Tonto Team
G0131 Lazarus Group
G0032 FIN4
G0085 Silence
G0091 Cobalt Group
G0080 Wizard Spider
G0102 Molerats
G0021 Transparent Tribe
G0134 IndigoZebra
G0136 Moonstone Sleet
G1036 Inception
G0100 APT30
G0013 Rancor
G0075 WIRTE
G0090 PLATINUM
G0068 Magic Hound
G0059 Ajax Security Team
G0130 Threat Group-3390
G0027 APT33
G0064 FIN8
G0061 APT19
G0073 Nomadic Octopus
G0133
Correlated CTI and IR reports
MITRE ATT&CK · direct source mapping · TA402 Targets Middle East Entities with IronWind Malware
Proofpoint · direct source mapping · APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mention · ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention · CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km CTI repository · explicit report mention · Executive Summary
Israel Threat Actors CTI · explicit report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention · OilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
1200km Medium · authored report mention · CTI Research: MuddyWater / Seedworm (Mango Sandstorm)
1200km Medium · authored report mention · Correlation-Based Detection Rules in Cybersecurity: From Atomic Events to Behavioral Insight
1200km Medium · authored report mention · From Threat Intelligence to Detection: A Practitioner's Guide
1200km Medium · authored report mention