TECHNIQUE T1193
Spearphishing Attachment
Virtually any adversary can send a phishing email with an attachment and nearly everyone has an email address, hence why Spearphishing Attachments are so prominent.
Editors’ note: While the analysis and detection opportunities remain applicable, MITRE has deprecated this technique and this page has not been updated since 2020.
Analysis
Why do adversaries use Spearphishing Attachments?
Given the way we detect threats and map detection logic to ATT&CK, we are not able to effectively distinguish between targeted and scattershot phishing attacks. For the purposes of this report, any phishing attack that relies on a malicious attachment is considered a Spearphishing Attachment, and the subsequent analysis and detection strategies refer to both techniques.
Spearphishing Attachments have been very effective for a long time. Historically, adversaries would embed overtly malicious binaries as attachments in email messages. When the email service providers put controls in place to make that far more difficult, adversaries evolved and adopted other methods, including drive-by downloads, exploiting vulnerabilities, leveraging malicious macros, and embedding payloads in various different file types.
Ultimately, there are many factors that contribute to the popularity of this technique:
- Human psychology—people trust sender information and are inclined to open attachments
- Sending a phishing email costs almost nothing
- Nearly everyone has an email address
- Open-source research can improve targeting and effectiveness
How do adversaries use Spearphishing Attachments?
Adversaries have been embedding macros in Microsoft Office documents and using them to deliver malware since the mid-2000s. The popularity of malicious macros has ebbed and flowed over the years, as drive-by downloads and other malware delivery mechanisms came into and out of prominence. However, macro-based phishing schemes have dominated in recent years, and they’ve become more potent than ever with the aid of malicious scripts and tools such as PowerShell.
We often find malware hidden in a ZIP file to subvert scanning tools that would otherwise block malicious attachments at the perimeter. Qbot, for example, uses a VBS file that masquerades as a Word document hidden in a ZIP file for its initial infection vector.
Improvements in email interfaces, filtering, and other technologies have made it more difficult to launch successful phishing attacks. However, there is no simple technical fix for phishing. Prevention remains highly dependent on educational efforts, training, and behavioral change.
Sighted with
As we mentioned in the PowerShell section of this report, Spearphishing Attachments often occur in tandem with PowerShell (T1086). In fact, the two techniques occur together more frequently than Spearphishing Attachment occurs on its own. We also observe it in tandem with Command Line Interface (T1059), because PowerShell and Scripting activity manifests on the command line, and User Execution (T1204), as Spearphishing Attachments routinely require user interaction.
Detection
MITRE’s data sources
- File monitoring
- Packet capture
- Network intrusion detection system
- Detonation chamber
- Email gateway
- Mail server
Collection requirements
Process monitoring
In addition to those listed by MITRE ATT&CK, process monitoring is another valid data source for observing Spearphishing Attachments. Security teams should monitor process activity taking place around the time that an email is read for evidence of attachments executing malicious code.
Email gateways
Email gateways provide an easy and comprehensive way to filter received emails—effectively in real time—based on filenames, email size, sender information, subject lines, text within the email, and several other parameters. Email gateways can be tuned with rules that quarantine, delete, or forward potentially suspicious email messages—based on any or all of the attributes above.
Mail servers
Similar to the email gateway solutions, mail servers hold a historic archive of sent and received email messages for a given domain. System administrators can use the mail server to access user emails or block senders, to name a couple of actions.
Detonation chamber
A detonation chamber allows organizations to safely execute the code stored in malicious attachments in a controlled environment, mitigating the risk of infection. Although this defensive measure is effective against most varieties of Spearphishing Attachments, adversaries can delay execution or stop it altogether when the malicious code is detonated in a virtual environment.
Detection suggestions
Spearphishing attacks frequently use Microsoft Office products to execute shell binaries on a victim’s endpoint. In order to detect this behavior, consider using an EDR platform to monitor suspicious processes spawning from Office documents. Some examples of processes spawning from malicious attachments include:
- Windows Scripting Host (wscript.exe or cscript.exe)
- Command Processor (cmd.exe)
- PowerShell (powershell.exe) to execute code
It’s also worthwhile to monitor your environment for uncommon email attachment types, such as:
- Extensions associated with legacy Office documents (e.g., DOC instead of DOCX)
- Attachments with unknown file extensions that are capable of executing code or mounting disks (e.g., ISO or IMG)
- Archive file attachments not common within your organization (e.g., RAR or ACE)
Sender Policy Framework (SPF) records allow domain owners to publish a list of IP addresses that are authorized to send emails on the organization’s behalf. Security teams can reliably detect certain spoofing actions by comparing information from emails received to this list and flagging emails that come from unusual IP addresses.
Lastly, unsolicited emails received from an external sender—particularly those that are sent outside of normal business hours—should be flagged as suspicious.
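The email-side checks described above (uncommon attachment types, SPF comparison of the sending IP against the domain's published record, and unsolicited external mail outside business hours) as one triage routine. This is an added example, not code from the page or from Red Canary. The SPF records, internal domain, business hours and messages are constructed; the SPF evaluation is simplified to the ip4/ip6/all mechanisms (no include, redirect or DNS lookups), and the extension lists extend the page's examples with other commonly code-capable types as an assumption.

```python
"""Email triage over constructed messages: simplified SPF, attachment-type and off-hours checks."""
import ipaddress
from datetime import datetime, time

# Constructed SPF records standing in for DNS TXT lookups (assumption: no include/redirect).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
INTERNAL_DOMAINS = {"corp.example"}            # constructed: mail from here is not "external"
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

LEGACY_OFFICE = {"doc", "xls", "ppt"}          # DOC instead of DOCX, as the page notes
CODE_CAPABLE = {"vbs", "js", "jse", "wsf", "hta", "exe", "scr", "ps1", "bat", "cmd",
                "iso", "img", "lnk"}           # page gives ISO/IMG; the rest are assumptions
UNCOMMON_ARCHIVES = {"rar", "ace"}             # archives uncommon in this (constructed) org


def spf_result(domain, sender_ip):
    """Evaluate sender_ip against the domain's SPF record: pass/fail/softfail/neutral/none.
    Only ip4, ip6 and all mechanisms are handled; a record with no match and no 'all'
    yields neutral, as RFC 7208 specifies."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qualifier]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return qualifiers[qualifier]
    return "neutral"


def attachment_flags(filenames):
    """Return (filename, reason) pairs for attachments worth a second look."""
    flags = []
    for name in filenames:
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in LEGACY_OFFICE:
            flags.append((name, "legacy Office format"))
        elif ext in CODE_CAPABLE:
            flags.append((name, "code-capable or mountable attachment"))
        elif ext in UNCOMMON_ARCHIVES:
            flags.append((name, "uncommon archive type"))
        # e.g. "Invoice.doc.vbs": a script masquerading as a document, the Qbot pattern above
        if len(parts) > 2 and parts[-2] in ("doc", "docx", "pdf", "xls", "xlsx"):
            flags.append((name, "double extension masquerading as a document"))
    return flags


def off_hours_external(sender, received_at):
    """True when an external sender's mail arrived on a weekend or outside business hours."""
    domain = sender.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    weekend = received_at.weekday() >= 5
    outside = not (BUSINESS_START <= received_at.time() < BUSINESS_END)
    return external and (weekend or outside)


def triage(msg):
    """Collect the reasons a message should be flagged; an empty list means nothing fired."""
    reasons = []
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    spf = spf_result(domain, msg["sender_ip"])
    if spf in ("fail", "softfail"):
        reasons.append(f"SPF {spf} for {domain} from {msg['sender_ip']}")
    reasons += [f"{name}: {why}" for name, why in attachment_flags(msg["attachments"])]
    if off_hours_external(msg["from"], msg["received_at"]):
        reasons.append("external sender outside business hours")
    return reasons


# Constructed messages: one spoofed sender with a disguised script, one legitimate mail.
SAMPLE_MESSAGES = [
    {"from": "accounts@example.com", "sender_ip": "198.51.100.99",
     "received_at": datetime(2020, 6, 6, 23, 15),      # Saturday night
     "attachments": ["Invoice.doc.vbs"]},
    {"from": "hr@example.com", "sender_ip": "203.0.113.25",
     "received_at": datetime(2020, 6, 8, 10, 30),      # Monday morning
     "attachments": ["handbook.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], triage(msg) or "no findings")
```

The first constructed message trips all three checks (SPF fail against example.com's record, a double-extension VBS, and a weekend arrival from an external domain); the second produces no findings. Where the gateway already records an SPF verdict in an Authentication-Results header, that verdict can replace the local evaluation and the rest of the routine stays the same.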
While generally a good practice for smaller and medium-sized organizations, mail server-based security controls can be unmanageable for large organizations that send and receive tens of thousands of emails on a daily basis.
Weeding out false positives
Detonation chambers, file monitoring, and packet capture solutions are effective at inspecting attachments and identifying executables in different ways. However, they frequently flag legitimate communications between users who are exchanging benign executables.
Testing
Start testing your defenses against Spearphishing Attachment using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
View Atomic tests for T1193: Spearphishing Attachment. In most environments, these should be sufficient to generate a useful signal for defenders.
Run this test on a Windows system using PowerShell:
if (-not (Test-Path HKLM:\SOFTWARE\Classes\Excel.Application)) {
    return 'Please install Microsoft Excel before running this test.'
}
else {
    # The URL must return the workbook's raw bytes; a GitHub "blob" page returns HTML instead,
    # so use the raw-content link for this path if the download is not a valid .xlsm file.
    $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/bin/PhishingAttachment.xlsm'
    $fileName = 'PhishingAttachment.xlsm'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $wc = New-Object System.Net.WebClient
    # DownloadFile writes the bytes unchanged. Piping DownloadString through Out-File, as the
    # original test did, re-encodes the binary .xlsm as text and corrupts it.
    # WebClient resolves relative paths against the process working directory, not the
    # PowerShell location, so build the full path explicitly.
    $wc.DownloadFile($url, (Join-Path (Get-Location) $fileName))
}
Useful telemetry will include:
Data sources | Telemetry
---|---
Process monitoring | Child processes of excel.exe
Network connection | Established from a child process below Excel
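The detection suggestions above (scripting hosts and shells spawned beneath Office applications) and the telemetry this test should produce (child processes of excel.exe, and a network connection established from a process below Excel) as one piece of detection logic over constructed process-creation and network-connection events shaped like Sysmon Event ID 1 and 3 records. This is an added example, not code from the page, Red Canary or Atomic Red Team; the process names, PIDs, paths and addresses are constructed, and the ancestry walk looks up to five parents so a shell inserted between Excel and PowerShell does not hide the lineage.

```python
"""Process-ancestry detection over constructed endpoint telemetry (added example)."""
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


@dataclass
class ProcessEvent:            # fields as a Sysmon Event ID 1 record would carry them
    pid: int
    ppid: int
    image: str                 # full path of the executable
    cmdline: str = ""


@dataclass
class NetworkEvent:            # fields as a Sysmon Event ID 3 record would carry them
    pid: int
    dest: str
    port: int


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_tree(procs):
    return {p.pid: p for p in procs}


def office_ancestor(tree, pid, max_depth=5):
    """Walk up the parent chain and return the first Office image name within max_depth hops."""
    seen = set()
    current = tree.get(pid)
    for _ in range(max_depth):
        if current is None or current.ppid in seen:   # unknown process or a PID-reuse cycle
            return None
        seen.add(current.pid)
        parent = tree.get(current.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_PARENTS:
            return basename(parent.image)
        current = parent
    return None


def detect_office_spawns(procs):
    """(pid, office ancestor, child image) for every scripting host descended from Office."""
    tree = build_tree(procs)
    return [(p.pid, office_ancestor(tree, p.pid), basename(p.image))
            for p in procs
            if basename(p.image) in SCRIPT_HOSTS and office_ancestor(tree, p.pid)]


def detect_excel_network(procs, conns):
    """(pid, destination, port) for each connection made by a process beneath excel.exe."""
    tree = build_tree(procs)
    return [(c.pid, c.dest, c.port) for c in conns
            if office_ancestor(tree, c.pid) == "excel.exe"]


# Constructed telemetry: Excel -> cmd -> PowerShell, plus two benign processes.
SAMPLE_PROCS = [
    ProcessEvent(1000, 1, r"C:\Windows\explorer.exe"),
    ProcessEvent(2000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "EXCEL.EXE PhishingAttachment.xlsm"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c calc.exe"),
    ProcessEvent(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File run.ps1"),
    ProcessEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),       # from Explorer
    ProcessEvent(4000, 2000, r"C:\Windows\splwow64.exe"),                      # print helper
]
SAMPLE_CONNS = [
    NetworkEvent(2200, "203.0.113.10", 443),   # PowerShell two hops below Excel
    NetworkEvent(3000, "192.0.2.5", 80),       # cmd launched from Explorer
]

if __name__ == "__main__":
    print("office spawns:", detect_office_spawns(SAMPLE_PROCS))
    print("excel network:", detect_excel_network(SAMPLE_PROCS, SAMPLE_CONNS))
```

On the constructed data the cmd.exe and powershell.exe under Excel are reported, the cmd.exe under Explorer and Excel's print helper are not, and only the PowerShell connection is attributed to Excel. The ancestry walk is what weeds out the false positives mentioned below: a scripting host is only interesting here when an Office process sits in its lineage, so the same logic ignores the many cmd.exe and powershell.exe instances that administration tooling starts every day.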
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.