T1566 - Phishing
| Revised Date | Comment |
|---|---|
| 19.10.2024 | Added section on conditional access |
Introduction
In this chapter, we will take a look at MITRE ATT&CK Technique T1566 - Phishing. This technique describes a method used by adversaries to deceive users into disclosing sensitive information, such as credentials, or executing harmful actions, such as downloading malware. These deceptive messages are typically sent via email but can also be delivered through social media, text messages, and other communication platforms.
T1566 is placed under the Initial Access tactic, which means this technique is employed to gain access to target systems. This by tricking users into taking actions that compromise their security. T1566 has three central sub-techniques that will will be central for the discussion in this chapter:
| ID | Sub-technique | Description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Involves sending emails containing malicious attachments, such as executable files or macro-enabled documents, that infect the victim’s system upon opening. |
| T1566.002 | Phishing: Spearphishing Link | This sub-technique involves sending emails with links that direct recipients to malicious websites or downloads, such as payloads hosted on Dropbox or Google Drive. The aim is to trick users into visiting compromised sites where their credentials can be harvested or malware can be downloaded. |
| T1566.003 | Phishing: Spearphishing via Service | Refers to phishing attempts made through third-party services like social media platforms, business applications, or cloud services (e.g., phishing via LinkedIn messages, Microsoft Teams, or Slack). |
Additionally, there is a fourth sub-technique, T1566.004, which involves using voice messages to conduct phishing attempts; however, this technique falls outside the scope of our current discussion. I have yet to stumble across this - I reckon it is just a matter of time before I do.
Common Goals of Phishing
If we look into T1566 we easily see that this technique and its sub-techniques has some overall goals in common:
| Goal | Description |
|---|---|
| Credential Harvesting | Attackers aim to trick users into revealing their credentials (e.g., usernames and passwords) by directing them to a fake login page or a malicious website that appears legitimate. |
| Malware Delivery | Phishing is frequently utilized to distribute malicious payloads through links or attachments, including ransomware, spyware, and other forms of malware. |
| Gaining Access | Successful phishing campaigns can grant attackers initial access to a target network or system, enabling further malicious activities like lateral movement or data exfiltration. |
Field Observations
Every week alerts chimes that users has given away their credentials due to phishing. Every single time the SOC analysts invalides users sessions, resets their password and on occasion their MFA as well, depending on case. This is all routine. However, this is all reactive. The proactive (threat hunting) side kicks in when we sit down to backtrack the event time line to find if there has been more foul action and possibly to identiy which campaign is currently hitting us. From this work we notice a few things that has changed in the threat landscape. External parties has also notices a change.
A report from Abnormal Security (Aug 15, 2024) reveals a 350% increase in phishing attacks using file-sharing services over the past year. The financial sector is the most targeted, accounting for 10% of these attacks, leveraging well-known platforms like Gmail and Dropbox to exploit user trust. The report also highlights a 50% rise in traditional business email compromise (BEC) attacks. To combat these threats, organizations are urged to enhance email security, adopt AI-driven solutions, and provide ongoing employee training to recognize fraudulent communications.
This aligns with my observations that phishing campaigns are now mainly using known internet based services to deliver phishing campaigns, involving Gmail, Dropbox and the alike. And of course through breached e-mails accounts. However, our traditonal tell-tale with typo-squatting and similar techniques appears heavily reduced. Even our tell-tale signs with bad sentences and poor grammar is almost long gone too.
The language and wordings used in phishing attacks is getting better by the minute. We have seen significant improvements, making the attacks more convincing and effective. According to the Proofpoint’s 2023 State of the Phish Report , cybercriminals have refined their techniques, incorporating sophisticated, multi-touch phishing campaigns that involve longer conversations across various personas. This shift indicates that attackers are adapting their strategies to mimic legitimate communications more closely. Hackers are increasingly leveraging artificial intelligence (AI) to enhance the sophistication of their phishing attacks. Reports indicate that generative AI tools are enabling cybercriminals to create highly convincing phishing campaigns that far exceed previous standards in terms of complexity and effectiveness. By utilizing AI, these attackers can analyze extensive datasets to tailor their communications, making them more difficult for users to identify as fraudulent. Both AI-Assisted Phishing Attacks Are on the Rise and examples of AI-Assisted Cyber Attacks can be found here are an interesting read on the topic.
Challenges seen by SOC and Threat Hunters
DKIM, SPF, and DMARC are important methods that help mitigate the risk of phishing attacks by verifying the legitimacy of email senders. DKIM adds a digital signature to emails, ensuring the content has not been tampered with. SPF specifies which servers are authorized to send emails for a particular domain, while DMARC integrates both techniques to provide reporting and enforcement mechanisms. Together, these protocols create a defense against email spoofing and phishing attempts, making it more challenging for malicious actors to impersonate legitimate domains. In Theory.
However, the effectiveness of these methods diminishes when attackers exploit trusted email services like Gmail and Outlook.com to send phishing emails. By using such platforms, attackers can easily bypass DKIM, SPF, and DMARC checks, making their fraudulent messages appear legitimate. This allows them to leverage the high deliverability rates of these established services, complicating detection by security systems (SIEM etc).
Whilst DKIM, SPF, and DMARC are essential tools in the fight against phishing, their effectiveness can be compromised when attackers utilize reputable email services to distribute phishing content. This situation underscores the importance of comprehensive user education and additional security measures to enhance defenses against phishing threats.
This poses yet another challenge, traditionally SOC could black list domains and IP’s associated with phishing campaigns. Those days are mostly gone - how wise would it be to block, say, any incoming emails sent from Gmail? Sadly - from experience I know that some companies are to lazy to invest in a custom domain, thus using a Gmail address.
Anyway, DKIM, SPF, and DMARC are still somewhat relevant - we do still see some emails failing these tests. Thus I repeat what these methods are here:
| Email Authentication Method | Description | Purpose |
|---|---|---|
| DKIM (DomainKeys Identified Mail) | DKIM uses cryptographic signatures to validate that an email message was indeed sent and authorized by the owner of the domain. It attaches a digital signature to the header of the email. | To ensure that the content of the email has not been altered in transit and to verify the sender’s identity, reducing the risk of email spoofing. |
| SPF (Sender Policy Framework) | SPF allows domain owners to specify which mail servers are permitted to send emails on behalf of their domain. This is done by adding a specific DNS record. | To prevent spoofing by verifying that incoming mail from a domain comes from a host authorized by the domain’s administrators, helping to reduce spam and phishing. |
| DMARC (Domain-based Message Authentication, Reporting & Conformance) | DMARC builds on DKIM and SPF by providing a mechanism for email senders to authenticate their emails and receive reports on email authentication failures. | To enhance email authentication, providing a way for senders to protect their domain from unauthorized use and giving receivers information about email delivery and issues. |
Cloud Storage
Security Operations Centers (SOCs) and threat hunters face several challenges when dealing with phishing attacks that utilize cloud storage services instead of traditional email channels. I am kind of painting a doomy picture, aren’t I? Well, we need to discuss some important key challenges in order to come to an conclusion later:
| Challenge | Description |
|---|---|
| Increased Legitimacy | Phishing attacks that use cloud storage services like Google Drive or Dropbox can appear more legitimate to users. Since these platforms are widely trusted and commonly used for file sharing, malicious links hosted on them are less likely to be flagged by security systems, making it easier for attackers to deceive users. You would be surpised to know how many uses Dropbox in corporate even though it is not allowed |
| Bypassing Security Filters | Traditional email security solutions often focus on scanning email content and attachments for phishing indicators. When attackers use links to cloud storage, these links can bypass many email filtering systems that rely on known malicious domains or patterns, leading to lower detection rates. |
| User Behavior and Awareness | Many users may not recognize the risks associated with clicking links to cloud storage. This lack of awareness can lead to higher success rates for phishing attempts, as users are more likely to trust a link pointing to a familiar cloud service than to an unfamiliar or suspicious domain |
| Dynamic Content and Evasion Tactics | Phishing attacks that use cloud storage can be highly dynamic, with attackers frequently changing the content or links in the shared files to evade detection. This adaptability complicates the ability of SOCs to establish effective detection and response protocols |
| Insufficient Reporting Mechanisms | Phishing attempts that leverage cloud storage often lack adequate reporting mechanisms, making it difficult for users to report suspicious activities. Without a clear process for reporting and analyzing these incidents, SOCs may struggle to gather the necessary intelligence to respond effectively |
| Collaboration and Compliance Issues | As organizations increasingly adopt cloud-based collaboration tools, ensuring compliance with security policies becomes more complex. SOCs must balance usability with security, ensuring that protective measures do not hinder legitimate business operations |
The shift towards using cloud storage in phishing attacks presents a range of challenges for SOCs, from increased legitimacy and evasion tactics to user behavior and reporting issues. Addressing these challenges requires a combination of enhanced user education, advanced detection technologies, and comprehensive security policies that adapt to the evolving threat landscape. Blocing domains are still not an option (for the most part). From experience I know, and witnessed, the use of Dropbox and Google Drive to share content in an corporate setting - even though not allowed.
Defenses Against T1566
I have painted a rather dark picture of the situation throughout this text. However there are still mitigations that can be done to lessen the chance of impact from phishing emails. Blocking domains isn’t a viable option, but these are:
| Strategy | Description |
|---|---|
| User Education and Awareness Training | This is perhaps the most important strategy. Conduct regular training sessions to help employees identify phishing attempts, focusing on tactics used by attackers leveraging familiar platforms. |
| Reporting and Incident Response Mechanisms | Make it easy for people to report suspected phishing attempts and implement rapid incident response routines to mitigate damage from successful attacks. |
| Multi-Factor Authentication (MFA) | Implement MFA to add an additional layer of security, preventing unauthorized access even if login credentials are compromised. |
| Integration with Threat Intelligence Feeds | Use threat intelligence to stay updated on the latest phishing trends and proactively block known phishing URLs and domains. |
| Enhanced Email Filtering and Security | Utilize advanced email filtering solutions that incorporate machine learning and threat intelligence to detect potential phishing attempts, even from trusted platforms. This is costly and quite frankly, under maximized. |
| Monitoring and Analyzing User Behavior | Employ User and Entity Behavior Analytics (UEBA) to detect unusual login patterns or actions that may indicate compromised accounts. |
| Enable Conditional Access (or equivalent) | Enable Conditional Access policies in Microsoft Entra or AWS to strengthen your security posture, especially focusing on risk-based access controls. In both platforms, access policies evaluate sign-in requests using identity-driven signals like user or group membership, IP address location, device status, and other contextual factors. These policies help detect and block suspicious sign-ins. Organizations can protect themselves from attacks involving stolen credentials by enforcing controls such as compliant devices, trusted IP addresses (Azure for Microsoft, or Amazon VPC for AWS), or risk-based policies that ensure proper access control. |
In my mind it is important to protect the users first. Educate them, put faith into them - make it easy for them to report suspicious content. Enforce MFA on them to protect their accounts. On the other side, let the SOC and threat hunters have the proper toolset. Times are changing, the toolset has to keep up with time.
Resources
- T1566 - Phishing
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1566.003 - Phishing: Spearphishing via Service
- Cloudflare: What is DKIM?
- Google Workspace: What is SPF?
- DMARC.org: What is DMARC?
- Proofpoint’s insights on email authentication
- Microsoft’s guide on protecting against phishing
- SANS Institute on Phishing and Cloud Storage
- Proofpoint’s Threat Insights on Cloud Services
- SANS Institute on Email Security
- Proofpoint’s Guide to Phishing Protection
- File hosting services misused for identity phishing