# T1566.002 Spearphishing Link

-----------------------------------------------------------------------

## Technique Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). 

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)

## Technique Detection

URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites as well as links redirecting to adversary infrastructure based upon suspicious OAuth patterns with unusual TLDs.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) Detonation chambers can be used to detect these links and either automatically visit these sites to determine whether they are potentially malicious, or wait and capture the content if a user visits the link.

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)

Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.
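The detection ideas above (header analysis for spoofing, expanding or flagging shortened links, and spotting OAuth consent URLs whose redirect target sits on an unusual TLD) as one triage routine over a single message. This is an added example, not code from the page or from MITRE; the sample message, the shortener and TLD lists, and the consent-endpoint paths are constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample message (not a real capture): gateway-stamped SPF/DKIM
# results, a shortened link and a consent-phishing style OAuth authorize URL
# whose redirect_uri points at an unusual TLD.
RAW_EMAIL = b"""\
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=partner.example; dkim=none
From: "IT Helpdesk" <helpdesk@partner.example>
To: analyst@example.test
Subject: Action required: approve the new document portal
Content-Type: text/plain; charset=utf-8

Shared document: https://bit.ly/3xyzabc
Approve access here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fdocs-portal.xyz%2Fcb&scope=Mail.Read%20offline_access
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}          # constructed list
SUSPICIOUS_TLDS = {"xyz", "top", "tk", "buzz"}                    # constructed list
CONSENT_PATHS = ("/oauth2/authorize", "/oauth2/v2.0/authorize", "/o/oauth2/auth")


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def classify_url(url):
    """Label one URL: shortener, OAuth consent request (with redirect TLD check) or plain."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host in SHORTENERS:
        return ("shortener", host)
    if u.path.endswith(CONSENT_PATHS):
        q = parse_qs(u.query)
        rhost = (urlparse(q.get("redirect_uri", [""])[0]).hostname or "").lower()
        scopes = q.get("scope", [""])[0].split()
        label = "consent-suspicious-tld" if rhost.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS else "consent"
        return (label, rhost, scopes)
    return ("plain", host)


def triage(raw):
    """Return header verdicts, a spoofing flag and a classification for every link."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    auth = auth_results(msg)
    return {
        "auth": auth,
        "spoof_suspect": auth.get("spf") == "fail" or auth.get("dkim") in ("none", "fail"),
        "urls": [classify_url(u) for u in URL_RE.findall(body)],
    }
```

Shortened links are only labelled here; expanding them belongs in a detonation chamber or a sandboxed resolver, not in the mail pipeline itself.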

-----------------------------------------------------------------------

### Tactics:

  *   Initial-Access

### Platforms:

  * Linux

  * macOS

  * Windows

  * Office 365

  * SaaS

  * Google Workspace

### Data Sources:

  * **Application Log:** Application Log Content

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has sent malicious links to victims through email campaigns.(Citation: TrendMicro Confucius APT Aug 2021)| 
| LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used spam emails that contain a link that redirects the victim to download a malicious document.(Citation: MalwareBytes LazyScripter Feb 2021)| 
| Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has embedded links to malicious downloads in e-mails.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has delivered web bugs and malicious links to their intended targets.(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URLs.(Citation: Microsoft Targeting Elections September 2020)(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious links often crafted for specific targets.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020)| 
| Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has sent spearphishing emails containing a link to a zip file hosted on Google Drive.(Citation: ESET EvilNum July 2020)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has sent spearphishing emails with links to harvest credentials and deliver malware.(Citation: SANS Windshift August 2018)| 
| Mofang | [Mofang](https://attack.mitre.org/groups/G0103) delivered spearphishing emails with malicious links included.(Citation: FOX-IT May 2016 Mofang)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)| 
| BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used spearphishing e-mails with links to cloud services to deliver malware.(Citation: TrendMicro BlackTech June 2017)| 
| Machete | [Machete](https://attack.mitre.org/groups/G0095) has sent phishing emails that contain a link to an external server with ZIP and RAR archives.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.(Citation: EST Kimsuky April 2019)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: KISA Operation Muzabi)| 
| TA505 | [TA505](https://attack.mitre.org/groups/G0092) has sent spearphishing emails containing malicious links.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 Jan 2019)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) leveraged spearphishing emails with malicious links to initially compromise victims.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020)| 
| Stolen Pencil | [Stolen Pencil](https://attack.mitre.org/groups/G0086) sent spearphishing emails containing links to domains controlled by the threat actor.(Citation: Netscout Stolen Pencil Dec 2018)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used spearphishing emails (often sent from compromised accounts) containing malicious links.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)| 
| Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent emails with URLs pointing to malicious documents.(Citation: Talos Cobalt Group July 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018)| 
| Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has sent targeted spearphishing e-mails with malicious links.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)| 
| APT33 | [APT33](https://attack.mitre.org/groups/G0064) has sent spearphishing emails containing links to .hta files.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download [Pupy](https://attack.mitre.org/software/S0192).(Citation: Secureworks Cobalt Gypsy Feb 2017)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails containing malicious links.(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: FireEye APT32 April 2020)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has sent spearphishing emails with malicious links to potential victims.(Citation: Unit 42 OopsIE! Feb 2018)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August 2021)| 
| Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) has used spearphishing with links to deliver files with exploits to initial victims. The group has also used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has crafted phishing emails containing malicious hyperlinks.(Citation: US District Court Indictment GRU Unit 74455 October 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has sent spearphishing emails containing malicious links.(Citation: FireEye Clandestine Wolf)| 
| Molerats | [Molerats](https://attack.mitre.org/groups/G0021) has sent phishing emails with malicious links included.(Citation: Kaspersky MoleRATs April 2019)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.(Citation: Mandiant No Easy Breach)(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021)| 
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) sent spearphishing emails containing links to compromised websites where malware was downloaded.(Citation: McAfee Night Dragon)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.(Citation: ESET Turla Mosquito Jan 2018)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1566/002)

  * [Acsc Email Spoofing](https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf), Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.

  * [Trend Micro Pawn Storm Oauth 2017](https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks), Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.

  * [Microsoft Oauth 2.0 Consent Phishing 2021](https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/), Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.

  * [Microsoft Anti Spoofing](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide), Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/163.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 06 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Spearphishing involves social engineering and technical deception. A lack of web-based content restrictions and user training can result in a compromised network due to a spearphishing attachment. Furthermore, computer systems/servers must maintain an updated version of antivirus/anti-malware to quarantine any malicious files that are downloaded. Once detection methodologies (i.e. network intrusion detection systems and email gateways) have been established, the compromised organization should identify every employee that received the phishing attachment and every employee that clicked on it, isolate any subset that provided credentials, and look for any misuse of those credentials. In most scenarios our investigation would begin after the initial compromise of a system, but the after-effects of a user clicking on a malicious link could be investigated.

- Also see T1566.001 - Spearphishing Attachment for more generic queries on email traffic.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 | | 1, 2 |

- Turla will trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.

## Detection Blindspots

- Network Analytic I: webmail and TLS implementations may not allow inspection of the email body, which limits network analysis of both the SMTP protocol and the payload.
- Network Analytic II only detects child processes created by the listed parent processes. Failing to include sufficient parent processes could result in the spawning of malicious child processes going undetected.
- Network Analytic III only triggers alerts on anomalous IMAP protocol usage or the use of default PowerShell ports. Any attempt to sidestep this (malicious C2 through another process that does not use IMAP, or changing the default ports) would not be detected.
- Depending on when in the attack kill chain we are invited onto the MP network, we may not see this TTP.

## Analytical References

  * [No Easy Breach](https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016)
  * [Powerduke Post Election Spearphishing Campaign](https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Malicious JavaScript backdoors are typically dropped in %APPDATA%\Microsoft\.

#### Analytic 1

  * **Information:** Identify JavaScript connections to Google-hosted web applications

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `event_id:3 AND image:*script.google*exec*`

#### Analytic 2

  * **Information:** Detect modified registry values

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `event_id:4657 AND "object name":(*\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell OR *\Microsoft\Windows\CurrentVersion\Run\local_update_check*)`
  
#### Analytic 3

  * **Information:** Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spearphishing activity.

  * **Source:** sessions*

  * **Tool:** Kibana

  * **Notes:** 

  * **Query Kibana:** (the two event-source clauses are grouped so that the Outlook parent and the child-process list apply to both; without the grouping the second clause matches every child of Outlook)

    ```
    (event.action:"Process Create (rule: ProcessCreate)" or (event.category:process and event.type:start)) and process.parent.name:outlook.exe and process.name:(Microsoft.Workflow.Compiler.exe or arp.exe or atbroker.exe or bginfo.exe or
    bitsadmin.exe or cdb.exe or certutil.exe or cmd.exe or cmstp.exe or cscript.exe or csi.exe or dnx.exe or dsget.exe or dsquery.exe or forfiles.exe or fsi.exe or
    ftp.exe or gpresult.exe or hostname.exe or ieexec.exe or iexpress.exe or installutil.exe or ipconfig.exe or mshta.exe or msxsl.exe or nbtstat.exe or net.exe or
    net1.exe or netsh.exe or netstat.exe or nltest.exe or odbcconf.exe or ping.exe or powershell.exe or pwsh.exe or qprocess.exe or quser.exe or qwinsta.exe or
    rcsi.exe or reg.exe or regasm.exe or regsvcs.exe or regsvr32.exe or sc.exe or schtasks.exe or systeminfo.exe or tasklist.exe or tracert.exe or whoami.exe or wmic.exe or wscript.exe or xwizard.exe)
    ```
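The three host analytics above, applied as a small rule set over constructed Sysmon-style events so the matching logic can be checked offline before it is turned into index queries. This is an added example, not code from the page or from the hunt team: the event field names (`event_id`, `image`, `parent_image`, `object_name`, `dest_host`) and the sample events are assumptions, Analytic 1 is approximated as script hosts connecting to `script.google.com`, and Analytic 3 uses a subset of the page's Outlook child-process list.

```python
import fnmatch
import ntpath

# Constructed sample events in a simplified Sysmon/Windows-audit shape (field
# names are assumptions, not the page's index fields). Events 0-2 should fire.
EVENTS = [
    {"event_id": 3, "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "script.google.com", "dest_port": 443},
    {"event_id": 4657, "image": r"C:\Windows\System32\reg.exe",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event_id": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.google.com", "dest_port": 443},
]

# Analytic 1 (approximation): script hosts connecting to Google Apps Script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Analytic 2: registry values named in the event 4657 query, as glob patterns.
REG_PATTERNS = [
    r"*\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
    r"*\Microsoft\Windows\CurrentVersion\Run\local_update_check*",
]
# Analytic 3: a subset of the Outlook child-process list from the Kibana query.
OUTLOOK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "regsvr32.exe", "bitsadmin.exe", "schtasks.exe",
    "reg.exe", "cmstp.exe", "installutil.exe", "msxsl.exe", "odbcconf.exe",
    "regasm.exe", "regsvcs.exe", "wmic.exe",
}


def basename(path):
    """Lower-cased file name of a Windows path (OUTLOOK.EXE -> outlook.exe)."""
    return ntpath.basename(path or "").lower()


def check_event(ev):
    """Return the name of the first host analytic that fires for one event, else None."""
    eid = ev.get("event_id")
    if eid == 3 and basename(ev.get("image")) in SCRIPT_HOSTS \
            and ev.get("dest_host", "").lower().endswith("script.google.com"):
        return "host-1-script-to-google-apps"
    if eid == 4657 and any(fnmatch.fnmatchcase(ev.get("object_name", ""), p)
                           for p in REG_PATTERNS):
        return "host-2-persistence-registry"
    if eid == 1 and basename(ev.get("parent_image")) == "outlook.exe" \
            and basename(ev.get("image")) in OUTLOOK_CHILDREN:
        return "host-3-outlook-child"
    return None


def run(events):
    """Evaluate every event and return (index, analytic) pairs for the hits."""
    hits = []
    for i, ev in enumerate(events):
        hit = check_event(ev)
        if hit:
            hits.append((i, hit))
    return hits
```

Event 3 (WINWORD.EXE spawned by Outlook) is deliberately not in the list: the analytic is an allowlist of script hosts and LOLBins, so ordinary Office children stay quiet.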



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Hunting for spearphishing only illuminates initial entry, not further damage. Past APT29 intrusions using this method have led to persistence mechanisms such as Run registry keys, .LNK files, services, WMI, named scheduled tasks, overwriting legitimate files, etc., which should be independently checked following any indication of spearphishing.
- Additionally, credential misuse should be investigated, stemming outward from the infected workstation/user.
- The MP may access email via the web (e.g., OWA), which may mean that email traffic is encrypted over HTTPS.
- Turla malicious links were seen using HTTP exclusively rather than HTTPS.

#### Analytic 1

  * **Information:** Identifies possible malicious links to assist in scoping network traffic for URIs with file extensions that have previously been used in spearphishing links.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** We would expect an HTTP request to be seen across the network, along with a possibly malicious URL. The extensions can be modified and tailored to the network traffic being observed. To filter for successful connections to external URLs, include the http.status == 200 status code in the query.

  * **Query Arkime:** `(http.method == "GET" && http.uri == [*.zip, *.rar, *.exe, *.lnk, *.docx, *.pdf]) || protocols == [smtp, imap, pop3]`
  * **Query Kibana:** `(http.method:GET AND http.uri:(*.zip OR *.rar OR *.exe OR *.lnk OR *.docx OR *.pdf) AND http.status:200) OR (protocol:smtp AND email.bodyMagic:*)`

-----------------------------------------------------------------------
      
#### Analytic 2

  * **Information:** Identify adobe downloads with malformed referer field

  * **Source:** PCAP, host logs

  * **Tool:** Arkime

  * **Notes:** Export a unique list of referer fields. Legitimate Adobe referers should look similar to these examples:

    - `http://acrobat.adobe.com/us/en/acrobat/pdf-reader.html`
    - `http://get.adobe.com/reader/?promoid=KSWLH`
    - Adobe URLs typically do not include the word "download".

  * **Query:** `http.uri == *adobe*.exe*`
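Network Analytics 1 and 2 above, implemented together over constructed HTTP session records so the two filters (successful GET of a delivery file type; an "adobe" executable fetched with a referer that is not Adobe's own) can be exercised before tuning the Arkime and Kibana queries. This is an added example, not code from the page or the hunt team; the record shape, field names and sample hosts are assumptions.

```python
from urllib.parse import urlparse

# Constructed HTTP session records in a simplified Arkime-like shape (field
# names are assumptions, not the page's own). Session 2 is the "adobe"
# download with a non-Adobe, "download"-containing referer the analytic targets.
SESSIONS = [
    {"method": "GET", "host": "files.example-share.test", "uri": "/q1/report.zip",
     "status": 200, "referer": "https://mail.example.test/owa/"},
    {"method": "GET", "host": "cdn.example.test", "uri": "/img/logo.png",
     "status": 200, "referer": ""},
    {"method": "GET", "host": "update-adobe.example.test", "uri": "/download/AdobeReader_update.exe",
     "status": 200, "referer": "http://acrobat-download.example.test/reader"},
    {"method": "GET", "host": "ardownload.adobe.com", "uri": "/pub/adobe/reader/win/readerdc_install.exe",
     "status": 200, "referer": "http://get.adobe.com/reader/?promoid=KSWLH"},
    {"method": "GET", "host": "files.example-share.test", "uri": "/q1/invoice.docx",
     "status": 404, "referer": ""},
]

# Extensions from the Network Analytic 1 query; extend to match observed traffic.
DOWNLOAD_EXTS = (".zip", ".rar", ".exe", ".lnk", ".docx", ".pdf")


def suspicious_download(s):
    """Network Analytic 1: a successful GET of a file type delivered by spearphishing links."""
    return s["method"] == "GET" and s["status"] == 200 and s["uri"].lower().endswith(DOWNLOAD_EXTS)


def malformed_adobe_referer(s):
    """Network Analytic 2: an 'adobe' .exe fetch whose referer does not look like Adobe's own.

    Per the hunter notes, legitimate referers sit under adobe.com and do not
    contain the word "download"; anything else is flagged for review.
    """
    target = (s["host"] + s["uri"]).lower()
    if "adobe" not in target or not s["uri"].lower().endswith(".exe"):
        return False
    ref = urlparse(s.get("referer", ""))
    rhost = (ref.hostname or "").lower()
    legit_host = rhost == "adobe.com" or rhost.endswith(".adobe.com")
    return (not legit_host) or "download" in ref.path.lower()


def triage(sessions):
    """Return (index, analytic) pairs for every session that fires an analytic."""
    hits = []
    for i, s in enumerate(sessions):
        if suspicious_download(s):
            hits.append((i, "net-1-file-download"))
        if malformed_adobe_referer(s):
            hits.append((i, "net-2-adobe-referer"))
    return hits
```

Session 3 (a genuine-looking Adobe host with a get.adobe.com referer) still trips Analytic 1 because it is an .exe download; Analytic 2 is what separates it from session 2.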

