TECHNIQUE T1193

Spearphishing Attachment

Virtually any adversary can send a phishing email with an attachment, and nearly everyone has an email address, which is why Spearphishing Attachments are so prominent.

Overall rank: 20

Organizations affected: 22%

Confirmed threats: 286

Analysis

Falling from 13th in 2018 to 20th in 2019, Spearphishing Attachment decreased both in terms of customers affected and percent of total threat volume.

Why do adversaries use Spearphishing Attachments?

Given the way we detect threats and map detection logic to ATT&CK, we are not able to effectively distinguish between targeted and scattershot phishing attacks. For the purposes of this report, any phishing attack that relies on a malicious attachment is considered a Spearphishing Attachment, and the subsequent analysis and detection strategies refer to both techniques.

Spearphishing Attachments have been very effective for a long time. Historically, adversaries would embed overtly malicious binaries as attachments in email messages. When the email service providers put controls in place to make that far more difficult, adversaries evolved and adopted other methods, including drive-by downloads, exploiting vulnerabilities, leveraging malicious macros, and embedding payloads in various different file types.

Ultimately, there are many factors that contribute to the popularity of this technique:

  • Human psychology—people trust sender information and are inclined to open attachments
  • Sending a phishing email costs almost nothing
  • Nearly everyone has an email address
  • Open-source research can improve targeting and effectiveness

How do adversaries use Spearphishing Attachments?

Adversaries have been embedding macros in Microsoft Office documents and using them to deliver malware since the mid-2000s. The popularity of malicious macros has ebbed and flowed over the years, as drive-by downloads and other malware delivery mechanisms came into and out of prominence. However, macro-based phishing schemes have dominated in recent years, and they’ve become more potent than ever with the aid of malicious scripts and tools such as PowerShell.

We often find malware hidden in a ZIP file to subvert scanning tools that would otherwise block malicious attachments at the perimeter. Qbot, for example, uses a VBS file that masquerades as a Word document hidden in a ZIP file for its initial infection vector.

Improvements in email interfaces, filtering, and other technologies have made it more difficult to launch successful phishing attacks. However, there is no simple technical fix for phishing. Prevention remains highly dependent on educational efforts, training, and behavioral change.

Sighted with

As we mentioned in the PowerShell section of this report, Spearphishing Attachments often occur in tandem with PowerShell (T1086). In fact, the two techniques occur together more frequently than Spearphishing Attachment occurs on its own. We also observe it in tandem with Command Line Interface (T1059), because PowerShell and Scripting activity manifests on the command line, and User Execution (T1204), as Spearphishing Attachments routinely require user interaction.

Detection

MITRE’s data sources

  • File monitoring
  • Packet capture
  • Network intrusion detection system
  • Detonation chamber
  • Email gateway
  • Mail server

Collection requirements

Process monitoring

In addition to those listed by MITRE ATT&CK, process monitoring is another valid data source for observing Spearphishing Attachments. Security teams should monitor process activity taking place around the time that an email is read for evidence of attachments executing malicious code.

Email gateways

Email gateways provide an easy and comprehensive way to filter received emails—effectively in real time—based on filenames, email size, sender information, subject lines, text within the email, and several other parameters. Email gateways can be tuned with rules that quarantine, delete, or forward potentially suspicious email messages—based on any or all of the attributes above.

Mail servers

Similar to the email gateway solutions, mail servers hold a historic archive of sent and received email messages for a given domain. System administrators can use the mail server to access user emails or block senders, to name a couple of actions.

Detonation chamber

A detonation chamber allows organizations to safely execute the code stored in malicious attachments in a controlled environment, mitigating the risk of infection. Although this defensive measure is effective against most varieties of Spearphishing Attachments, adversaries can delay execution or stop it altogether when the malicious code is detonated in a virtual environment.

Detection suggestions

Spearphishing attacks frequently use Microsoft Office products to execute shell binaries on a victim’s endpoint. In order to detect this behavior, consider using an EDR platform to monitor suspicious processes spawning from Office documents. Some examples of processes spawning from malicious attachments include:

  • Windows Scripting Host (wscript.exe or cscript.exe)
  • Command Processor (cmd.exe)
  • PowerShell (powershell.exe) to execute code
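The lineage check described above, and the "process activity around the time an email is read" idea from the collection requirements, as an added example that is not Red Canary's detection logic. The process-start and mail-read records are constructed to resemble simplified EDR and mail-client telemetry, and the field names, the parent list and the ten-minute correlation window are assumptions to tune per environment.

```python
"""Detect script hosts, cmd.exe or PowerShell spawned by Microsoft Office processes,
then pair each hit with attachments opened on the same host shortly before.

Added example; not part of the report. Telemetry below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Office applications that host macros and embedded objects (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters the report names as common children of malicious attachments.
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str        # ISO 8601, UTC
    host: str
    parent_image: str     # full path of the parent executable
    image: str            # full path of the new process
    command_line: str


@dataclass(frozen=True)
class MailReadEvent:
    timestamp: str
    host: str
    attachment: str       # attachment name opened from the mail client


def image_name(path: str) -> str:
    """Lowercase executable name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_office_spawned_interpreter(event: ProcessEvent) -> bool:
    """True when an Office parent starts a script host, cmd.exe or PowerShell."""
    return (image_name(event.parent_image) in OFFICE_PARENTS
            and image_name(event.image) in SUSPICIOUS_CHILDREN)


def find_suspicious_spawns(events):
    return [e for e in events if is_office_spawned_interpreter(e)]


def correlate_with_mail_reads(spawns, reads, window=timedelta(minutes=10)):
    """Pair each suspicious spawn with attachments opened on the same host
    within `window` before it; this is the context an analyst wants first."""
    hits = []
    for spawn in spawns:
        t = parse_ts(spawn.timestamp)
        for read in reads:
            r = parse_ts(read.timestamp)
            if read.host == spawn.host and timedelta(0) <= t - r <= window:
                hits.append((spawn, read))
    return hits


# Constructed sample telemetry; not real observations.
SAMPLE_PROCESS_EVENTS = [
    # Word printing: a benign child that must not fire.
    ProcessEvent("2019-06-03T09:02:10Z", "WS-1042",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # A user opening a shell from the Start menu: not Office-spawned, must not fire.
    ProcessEvent("2019-06-03T09:05:44Z", "WS-1042",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # Macro-style behaviour: Word starting cmd.exe shortly after an attachment was opened.
    ProcessEvent("2019-06-03T09:14:02Z", "WS-1042",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c script.vbs"),
    # Excel starting PowerShell on another host, long after any mail was read there.
    ProcessEvent("2019-06-03T11:40:19Z", "WS-2201",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden"),
]

SAMPLE_MAIL_READS = [
    MailReadEvent("2019-06-03T09:11:30Z", "WS-1042", "Invoice_4471.doc"),
    MailReadEvent("2019-06-03T10:20:00Z", "WS-2201", "Q2_report.xlsm"),  # 80 min before: outside window
]


if __name__ == "__main__":
    spawns = find_suspicious_spawns(SAMPLE_PROCESS_EVENTS)
    for spawn, read in correlate_with_mail_reads(spawns, SAMPLE_MAIL_READS):
        delay = (parse_ts(spawn.timestamp) - parse_ts(read.timestamp)).seconds // 60
        print(f"{spawn.host}: {image_name(spawn.parent_image)} -> {image_name(spawn.image)} "
              f"{delay} min after opening {read.attachment}")
```

The lineage rule alone fires twice on the sample data; the correlation step keeps the WS-1042 event, where cmd.exe started about two minutes after a .doc attachment was opened, and leaves the WS-2201 PowerShell start for separate review, since no attachment was opened there within the window. Expect benign children such as splwow64.exe (printing) and legitimate add-ins to appear under Office parents, so tune the child list rather than alerting on every Office-spawned process.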

It’s also worthwhile to monitor your environment for uncommon email attachment types, such as:

  • Extensions associated with legacy Office documents (e.g., DOC instead of DOCX)
  • Attachments with unknown file extensions that are capable of executing code or mounting disks (e.g., ISO or IMG)
  • Archive file attachments not common within your organization (e.g., RAR or ACE)
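The attachment-type checks in the list above, together with the ZIP-wrapped script masquerading as a Word document described in the "How do adversaries use" section, as an added example that is not part of the report or of any Red Canary tooling. The extension lists are assumptions to be tuned to what an organization actually exchanges, and the sample ZIP is constructed in memory so the script runs offline.

```python
"""Triage attachment names, and the members of ZIP attachments, for the
indicators named in the report: legacy Office formats, disk images, uncommon
archives, and script or binary files carrying a document-looking name.

Added example; not part of the report. Extension lists are assumptions.
"""
import io
import zipfile
from pathlib import PurePosixPath

LEGACY_OFFICE = {".doc", ".xls", ".ppt"}          # pre-2007 binary formats
DISK_IMAGES = {".iso", ".img"}                    # mount a file system when opened
UNCOMMON_ARCHIVES = {".rar", ".ace", ".7z"}       # rarely exchanged internally (assumed)
SCRIPT_OR_BINARY = {".vbs", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr", ".ps1", ".bat", ".cmd"}
OFFICE_LOOKALIKES = LEGACY_OFFICE | {".docx", ".xlsx", ".pptx", ".pdf"}


def classify_name(filename: str) -> list:
    """Return the reasons a file name deserves a closer look (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return []
    ext = suffixes[-1]
    reasons = []
    if ext in LEGACY_OFFICE:
        reasons.append("legacy Office format")
    if ext in DISK_IMAGES:
        reasons.append("disk image")
    if ext in UNCOMMON_ARCHIVES:
        reasons.append("uncommon archive")
    if ext in SCRIPT_OR_BINARY:
        reasons.append("executable or script")
        # "Invoice.doc.vbs": a document-looking name with an executable suffix.
        if len(suffixes) >= 2 and suffixes[-2] in OFFICE_LOOKALIKES:
            reasons.append("document lookalike (double extension)")
    return reasons


def inspect_zip(data: bytes) -> dict:
    """Map each member of a ZIP attachment to its triage reasons, skipping clean ones."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def triage_attachment(filename: str, data: bytes = b"") -> dict:
    """Triage a top-level attachment and, for ZIPs, look one level inside."""
    result = {}
    reasons = classify_name(filename)
    if reasons:
        result[filename] = reasons
    if filename.lower().endswith(".zip") and data:
        for member, member_reasons in inspect_zip(data).items():
            result[f"{filename}!{member}"] = member_reasons
    return result


def build_sample_zip() -> bytes:
    """Constructed ZIP holding a document-named script next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.doc.vbs", "' placeholder text, not a real script\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in triage_attachment("Invoice.zip", build_sample_zip()).items():
        print(name, "->", ", ".join(why))
```

The ZIP itself carries no indicator, so a name-only filter passes it; only listing its members surfaces the .doc.vbs entry. Nested archives and password-protected ZIPs are not opened here, and the extension sets should be derived from what the organization's own mail flow looks like rather than copied as-is.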

Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses that are authorized to send emails on the organization’s behalf. Security teams can reliably detect certain spoofing actions by comparing information from emails received to this list and flagging emails that come from unusual IP addresses.
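The comparison described in the paragraph above, as an added example that is not part of the report. The SPF record and the sender IPs are constructed from RFC 5737 and RFC 3849 documentation ranges; a real deployment would fetch the domain's TXT record via DNS and handle the include:, a, mx and redirect= terms that this parser deliberately leaves out.

```python
"""Evaluate a connecting sender IP against a domain's SPF record and flag
messages whose envelope sender domain does not authorize that IP.

Added example; not part of the report. Records and addresses are constructed.
"""
import ipaddress

# Constructed SPF records for hypothetical domains (a deployment queries DNS TXT).
SAMPLE_SPF = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 ip6:2001:db8:1::/48 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str):
    """Return (networks, default_qualifier) from ip4:/ip6: terms and the 'all' term.

    Only ip4, ip6 and all are handled; include:, a, mx and redirect= are ignored.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets = []
    default = "?"  # neutral when no 'all' term is present
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            default = qualifier
        elif term.lower().startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            nets.append((qualifier, network))
    return nets, default


def spf_result(domain: str, sender_ip: str, records=SAMPLE_SPF) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral', or 'none' when no record exists."""
    record = records.get(domain)
    if record is None:
        return "none"
    nets, default = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, net in nets:
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[default]


def envelope_domain(mail_from: str) -> str:
    return mail_from.rsplit("@", 1)[-1].lower()


def flag_spoofed(mail_from: str, connecting_ip: str, records=SAMPLE_SPF) -> bool:
    """True when the claimed sender domain's SPF record excludes the connecting IP."""
    return spf_result(envelope_domain(mail_from), connecting_ip, records) in ("fail", "softfail")


# Constructed message log: (envelope sender, IP the message was received from).
SAMPLE_MESSAGES = [
    ("billing@example.com", "203.0.113.45"),    # inside an authorized range
    ("billing@example.com", "192.0.2.10"),      # not authorized: spoofing candidate
    ("it-desk@example.com", "2001:db8:1::25"),  # authorized IPv6 range
    ("someone@unlisted.test", "192.0.2.10"),    # no SPF record: nothing to compare
]


if __name__ == "__main__":
    for sender, ip in SAMPLE_MESSAGES:
        verdict = spf_result(envelope_domain(sender), ip)
        print(f"{sender:<28} {ip:<18} spf={verdict:<8} flag={flag_spoofed(sender, ip)}")
```

SPF evaluates the envelope sender (MAIL FROM) domain, not the From: header a recipient sees, so a message can pass SPF for one domain while displaying another; treat a pass as one signal rather than proof of legitimacy, and treat "none" as a gap to review with the domain owner rather than as a spoof.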

Lastly, unsolicited emails received from an external sender—particularly those that are sent outside of normal business hours—should be flagged as suspicious.

While generally a good practice for smaller and medium-sized organizations, mail server-based security controls can be unmanageable for large organizations that send and receive tens of thousands of emails on a daily basis.

Weeding out false positives

Detonation chambers, file monitoring, and packet capture solutions are effective at inspecting attachments and identifying executables in different ways. However, they frequently flag legitimate communications between users who are exchanging benign executables.

Ernesto Lleras
Detection Engineer
The detection strategies in this section were brought to you by Ernesto Lleras! Ernesto relentlessly investigates customer environments for evidence of malicious behavior. Before joining Red Canary, he worked as a cybersecurity analyst for a regional bank.