T1566.002_Spearphishing_Link.md

File metadata and controls

42 lines (33 loc) · 2.52 KB

Spearphishing Link [T1566.002]

Instead of sending files into an organization where they can be scrutinized by a corporate mail filter, some adversaries send emails that contain only links. These links lead to websites controlled by the attacker and attempt to dupe the user into:

  • Entering credentials that the attacker harvests
  • Visiting a page that exploits a vulnerability in the user's browser
  • Downloading a file that exploits another application on the user's device

Corelight Sensors have a package that can log links from SMTP messages into a separate log, the smtp_links log. This log contains a fuid field, which links the smtp_links log to the smtp log. You can quickly pivot to the smtp log with the details about the message that delivered the malicious link. For example:

path: smtp_links
fuid: FhahXA1eJ32gHvNP27
id.orig_h: 172.16.0.10
id.orig_p: 62345
id.resp_h: 10.0.1.10
id.resp_p: 25
link: http://www.hamsterwaffle.com/dl.php?id=jimmydean37
uid: C62txO1FHoJFJpsgP1

path: smtp
from: Your Friend <[email protected]>
fuids: [ "FhahXA1eJ32gHvNP27" ]
mailfrom: [email protected]
rcptto: [ "[email protected]" ]
subject: Click this link, please
to: [ "[email protected]" ]
uid: C62txO1FHoJFJpsgP1
user_agent: Apple Mail (2.3608.80.23.2.2)

To hunt for spearphishing links, start with the smtp_links log and review the link field, filtering out benign domains until you get interesting results. Another option is to join the smtp_links log to the smtp log via the fuids or uid field, and filter out benign combinations of mailfrom and from fields to look for messages from unique senders.
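As an added example (not part of the original page and not Corelight's own tooling), the following Python performs the join and filtering described above over constructed smtp_links and smtp records in newline-delimited JSON; the fuid values, hosts, message fields and the example.com allowlist are all made up for the demonstration.

```python
import json
from urllib.parse import urlparse

# Constructed sample records in newline-delimited JSON, with the fields of the
# smtp_links and smtp entries shown above (fuid is the join key).
SMTP_LINKS_LOG = """
{"fuid": "F1", "uid": "C1", "link": "http://www.hamsterwaffle.com/dl.php?id=jimmydean37"}
{"fuid": "F1", "uid": "C1", "link": "https://intranet.example.com/policies"}
{"fuid": "F2", "uid": "C2", "link": "https://status.example.com/ok"}
""".strip()
SMTP_LOG = """
{"fuids": ["F1"], "uid": "C1", "from": "Your Friend <friend@example.com>", "mailfrom": "bounce@hamsterwaffle.com", "subject": "Click this link, please"}
{"fuids": ["F2"], "uid": "C2", "from": "IT Desk <it@example.com>", "mailfrom": "it@example.com", "subject": "Weekly status"}
""".strip()
BENIGN_DOMAINS = {"example.com"}  # assumed allowlist: the organisation's own domains

def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def registrable_match(host, domains):
    """True when host equals an allowlisted domain or is a subdomain of one."""
    return any(host.lower() == d or host.lower().endswith("." + d) for d in domains)

def addr_domain(addr):
    """Domain part of 'Display Name <user@host>' or 'user@host'; '' if none."""
    bare = addr.rsplit("<", 1)[-1].rstrip(">").strip()
    return bare.rpartition("@")[2].lower()

def hunt(links_text, smtp_text, benign):
    """Join smtp_links to smtp on fuid; return links whose host is not allowlisted."""
    by_fuid = {}
    for msg in load_jsonl(smtp_text):
        for fuid in msg.get("fuids", []):   # one message can carry several fuids
            by_fuid[fuid] = msg
    hits = []
    for rec in load_jsonl(links_text):
        host = urlparse(rec["link"]).hostname or ""
        if registrable_match(host, benign):
            continue
        msg = by_fuid.get(rec["fuid"], {})  # {} when no smtp record matches
        hits.append({"fuid": rec["fuid"], "link": rec["link"], "host": host,
                     "subject": msg.get("subject"), "from": msg.get("from"),
                     "mailfrom": msg.get("mailfrom"),
                     # envelope sender domain differing from the header From domain
                     "sender_mismatch": addr_domain(msg.get("mailfrom", "")) != addr_domain(msg.get("from", ""))})
    return hits

if __name__ == "__main__":
    for hit in hunt(SMTP_LINKS_LOG, SMTP_LOG, BENIGN_DOMAINS):
        print(json.dumps(hit))
```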

Much of the mail that crosses the internet today is encrypted via STARTTLS over the SMTP protocol, and this hinders visibility. To achieve better visibility without sacrificing privacy and security for your users, it is a best practice to accept inbound SMTP at a system that supports STARTTLS, then proxy the mail to the internal mail system, so that a Corelight solution can generate the corresponding logs.

Sigma Queries for Hunting

| Name | URL |
| --- | --- |
| SMTP Email containing NON Ascii Characters within the Subject | https://tdm.socprime.com/tdm/info/Djkv9tlWqKsB |
| Multiple Clients to HTTP Using Unicode Host via HTTP - Possible Multiple Phishing Attempts | https://tdm.socprime.com/tdm/info/FETLsj6dcdmU |
| Links in SMTP Messages (Overview Query) | ./T1566.002-links-in-smtp-messages-overview-query.yml |