adpare
103 lines
8.6 KiB
JSON
103 lines
8.6 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--d70744fc-8f94-4d62-8ae6-b58d70b19da6",
|
|
"spec_version": "2.0",
|
|
"objects": [
|
|
{
|
|
"type": "attack-pattern",
|
|
"id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"created": "2020-03-02T19:15:44.182Z",
|
|
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"revoked": false,
|
|
"external_references": [
|
|
{
|
|
"source_name": "mitre-attack",
|
|
"url": "https://attack.mitre.org/techniques/T1566/002",
|
|
"external_id": "T1566.002"
|
|
},
|
|
{
|
|
"source_name": "ACSC Email Spoofing",
|
|
"description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.",
|
|
"url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
|
|
},
|
|
{
|
|
"source_name": "CISA IDN ST05-016",
|
|
"description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.",
|
|
"url": "https://us-cert.cisa.gov/ncas/tips/ST05-016"
|
|
},
|
|
{
|
|
"source_name": "Trend Micro Pawn Storm OAuth 2017",
|
|
"description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.",
|
|
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
|
|
},
|
|
{
|
|
"source_name": "Netskope Device Code Phishing 2021",
|
|
"description": "Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024.",
|
|
"url": "https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1"
|
|
},
|
|
{
|
|
"source_name": "Microsoft OAuth 2.0 Consent Phishing 2021",
|
|
"description": "Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.",
|
|
"url": "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/"
|
|
},
|
|
{
|
|
"source_name": "Microsoft Anti Spoofing",
|
|
"description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
|
|
"url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
|
|
},
|
|
{
|
|
"source_name": "Mandiant URL Obfuscation 2023",
|
|
"description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
|
|
"url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
|
|
},
|
|
{
|
|
"source_name": "Optiv Device Code Phishing 2021",
|
|
"description": "Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024.",
|
|
"url": "https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing"
|
|
},
|
|
{
|
|
"source_name": "SecureWorks Device Code Phishing 2021",
|
|
"description": "SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth\u2019S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024.",
|
|
"url": "https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks"
|
|
}
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
|
|
],
|
|
"modified": "2025-10-24T17:48:34.123Z",
|
|
"name": "Spearphishing Link",
|
|
"description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing/spearphishing campaigns to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured into granting adversaries permissions/access via a malicious OAuth 2.0 request URL that when accepted by the user provide permissions/access for malicious applications.(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\n\nSimilarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as \u201cdevice code phishing,\u201d an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "mitre-attack",
|
|
"phase_name": "initial-access"
|
|
}
|
|
],
|
|
"x_mitre_attack_spec_version": "3.2.0",
|
|
"x_mitre_contributors": [
|
|
"Philip Winther",
|
|
"Shailesh Tiwary (Indian Army)",
|
|
"Mark Wee",
|
|
"Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
|
|
"Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
|
|
"Kobi Haimovich, CardinalOps",
|
|
"Menachem Goldstein"
|
|
],
|
|
"x_mitre_deprecated": false,
|
|
"x_mitre_domains": [
|
|
"enterprise-attack"
|
|
],
|
|
"x_mitre_is_subtechnique": true,
|
|
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
|
|
"x_mitre_platforms": [
|
|
"Identity Provider",
|
|
"Linux",
|
|
"macOS",
|
|
"Office Suite",
|
|
"SaaS",
|
|
"Windows"
|
|
],
|
|
"x_mitre_version": "2.8"
|
|
}
|
|
]
|
|
} |