MITRE’s data sources
- File monitoring
- Packet capture
- Network intrusion detection system
- Detonation chamber
- Email gateway
- Mail server
In addition to those listed by MITRE ATT&CK, process monitoring is another valid data source for observing Spearphishing Attachments. Security teams should monitor process activity taking place around the time that an email is read for evidence of attachments executing malicious code.
Email gateways provide an easy and comprehensive way to filter received emails—effectively in real time—based on filenames, email size, sender information, subject lines, text within the email, and several other parameters. Email gateways can be tuned with rules that quarantine, delete, or forward potentially suspicious email messages—based on any or all of the attributes above.
Similar to the email gateway solutions, mail servers hold a historic archive of sent and received email messages for a given domain. System administrators can use the mail server to access user emails or block senders, to name a couple of actions.
A detonation chamber allows organizations to safely execute the code stored in malicious attachments in a controlled environment, mitigating the risk of infection. Although this defensive measure is effective against most varieties of Spearphishing Attachments, adversaries can build malicious code that delays execution or stops it altogether when it detects that it is being detonated in a virtual environment.
Spearphishing attacks frequently use Microsoft Office products to execute shell binaries on a victim’s endpoint. In order to detect this behavior, consider using an EDR platform to monitor suspicious processes spawning from Office documents. Some examples of processes spawning from malicious attachments include:
- Windows Scripting Host (wscript.exe or cscript.exe)
- Command Processor (cmd.exe)
- PowerShell (powershell.exe) to execute code
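The two monitoring ideas above (an Office application spawning a scripting host or shell, and suspicious process activity close to the time an email is read) can be expressed as simple detection logic over process-creation telemetry. The following is an added example, not code from the original report or from any EDR vendor; it assumes a constructed pipe-separated record layout (`time|parent_path|child_path|command line`) standing in for whatever an EDR or Sysmon feed provides, and the sample events, timestamps and file names in it are made up for the example. The second rule generalizes the page's point slightly by correlating any suspicious child with a recent mail-read timestamp, which also catches indirect chains such as Office to cmd.exe to powershell.exe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Iterable, List

# Office applications that commonly appear as the parent of a process
# launched by a malicious attachment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes the page names as typical spawn from malicious attachments.
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:
    time: datetime
    parent: str    # lower-case file name of the parent image
    child: str     # lower-case file name of the new process image
    cmdline: str


def image_name(path: str) -> str:
    """Reduce a full Windows image path to its lower-case file name."""
    return PureWindowsPath(path).name.lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'time|parent_path|child_path|command line' record.

    The record layout is an assumption made for this example; it stands in
    for the process-creation telemetry an EDR or Sysmon feed would provide.
    """
    ts, parent, child, cmdline = line.split("|", 3)
    return ProcessEvent(
        time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        parent=image_name(parent),
        child=image_name(child),
        cmdline=cmdline,
    )


def office_spawn_alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Rule 1: an Office application directly spawning a scripting host or shell."""
    return [e for e in events
            if e.parent in OFFICE_PARENTS and e.child in SUSPICIOUS_CHILDREN]


def near_mail_read(events: Iterable[ProcessEvent],
                   read_times: Iterable[datetime],
                   window: timedelta = timedelta(minutes=5)) -> List[ProcessEvent]:
    """Rule 2: a scripting host or shell starting within `window` after a mail
    message was read, regardless of its parent. This catches indirect chains
    (Office -> cmd.exe -> powershell.exe) that rule 1 misses."""
    reads = list(read_times)
    hits = []
    for e in events:
        if e.child not in SUSPICIOUS_CHILDREN:
            continue
        if any(timedelta(0) <= e.time - r <= window for r in reads):
            hits.append(e)
    return hits


# Constructed sample telemetry for one workstation (not real captured data).
SAMPLE_EVENTS = [
    r"2024-03-04T09:12:01Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c echo sample",
    r"2024-03-04T09:12:03Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile",
    r"2024-03-04T10:30:00Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
    r"2024-03-04T10:45:10Z|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\splwow64.exe|splwow64.exe",
    r"2024-03-04T14:00:00Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Windows\System32\wscript.exe|wscript.exe attachment.js",
]
# Constructed timestamps at which the mail client recorded a message being opened.
MAIL_READ_TIMES = [
    datetime(2024, 3, 4, 9, 11, 50),
    datetime(2024, 3, 4, 13, 59, 0),
]


def run_demo():
    """Run both rules over the constructed sample and return their hits."""
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    return office_spawn_alerts(events), near_mail_read(events, MAIL_READ_TIMES)


if __name__ == "__main__":
    direct, correlated = run_demo()
    for e in direct:
        print(f"OFFICE SPAWN    {e.time}  {e.parent} -> {e.child}  [{e.cmdline}]")
    for e in correlated:
        print(f"NEAR MAIL READ  {e.time}  {e.parent} -> {e.child}  [{e.cmdline}]")
```

On the constructed sample, rule 1 fires on the WINWORD.EXE and OUTLOOK.EXE events only, while rule 2 additionally picks up the cmd.exe-spawned powershell.exe that started seconds after the first message was opened; the explorer.exe-spawned shell at 10:30 matches neither, which is the kind of benign administrative activity that needs to stay out of the alert queue.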
It’s also worthwhile to monitor your environment for uncommon email attachment types, such as:
- Extensions associated with legacy Office documents (e.g., DOC instead of DOCX)
- Attachments with uncommon file extensions that can execute code or mount as disk images (e.g., ISO or IMG)
- Archive file attachments not common within your organization (e.g., RAR or ACE)
Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses that are authorized to send emails on the organization’s behalf. Security teams can reliably detect certain spoofing actions by comparing the connecting IP address of a received email to this list and flagging emails that come from IP addresses not on it.
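The comparison the paragraph describes can be reproduced offline. The following is an added example and is not code from the original report; it implements the `ip4`, `ip6` and `all` mechanisms and the four qualifiers of an SPF record as defined in RFC 7208, and uses a constructed dictionary of records in place of the DNS TXT lookup a real mail gateway performs. The domains, records, IP addresses and message IDs are made up for the example; mechanisms that need further DNS resolution (`include`, `a`, `mx`, `exists`, `ptr`, `redirect=`) are reported as `unresolved` rather than evaluated.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Result of the matching term, keyed by its qualifier (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms and modifiers that cannot be evaluated without DNS lookups.
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr", "redirect"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: a missing qualifier means '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:     # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append((qualifier, name.lower(), value))
            continue
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record against the IP that delivered the message.

    Returns pass / fail / softfail / neutral, or 'unresolved' when the
    record needs DNS lookups this offline example does not perform.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A bare address with no prefix length is a single host.
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        if mechanism in NEEDS_DNS:
            return "unresolved"
        # Unknown modifiers (exp=, etc.) are ignored per the RFC.
    return "neutral"  # no term matched and no 'all' present


def triage(messages: Iterable[Tuple[str, str, str]],
           records: Dict[str, str]) -> Dict[str, str]:
    """Map each (message id, envelope-from domain, connecting IP) to an SPF result.

    `records` stands in for the DNS TXT lookup; a domain with no record
    yields 'none', which a gateway would treat as unverified rather than spoofed.
    """
    results = {}
    for msg_id, domain, ip in messages:
        record = records.get(domain.lower())
        results[msg_id] = spf_check(record, ip) if record else "none"
    return results


# Constructed SPF records standing in for DNS TXT answers (not real domains' records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Constructed message log: (message id, envelope-from domain, connecting IP).
SAMPLE_MESSAGES = [
    ("msg-1", "example.com", "203.0.113.44"),   # inside the published ip4 range
    ("msg-2", "example.com", "198.51.100.10"),  # not authorized for example.com
    ("msg-3", "example.net", "198.51.100.10"),  # exact host match
    ("msg-4", "example.net", "2001:db8:1::5"),  # IPv6 sender, record only lists ip4
    ("msg-5", "example.org", "192.0.2.7"),      # domain publishes no SPF record
]


if __name__ == "__main__":
    for msg_id, result in triage(SAMPLE_MESSAGES, SPF_RECORDS).items():
        flag = "FLAG" if result in ("fail", "softfail") else "    "
        print(f"{flag} {msg_id}: {result}")
```

Two things the output shows that the paragraph alone does not: a `~all` record produces `softfail` rather than `fail`, so a gateway rule that only quarantines on `fail` would let msg-4 through, and a domain with no record at all (`none`) cannot be flagged by SPF; it has to be handled by a separate policy.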
Lastly, unsolicited emails received from an external sender—particularly those that are sent outside of normal business hours—should be flagged as suspicious.
While generally a good practice for smaller and medium-sized organizations, mail server-based security controls can be unmanageable for large organizations that send and receive tens of thousands of emails on a daily basis.
Weeding out false positives
Detonation chambers, file monitoring, and packet capture solutions are effective at inspecting attachments and identifying executables in different ways. However, they frequently flag legitimate communications between users who are exchanging benign executables.