Name:
Threat Hunting Scenario: Phishing with Tycoon 2FA
TTP:
T1566.002 Phishing: Spearphishing Link
Hypothesis:
Attackers are using the Tycoon 2FA phishing kit to steal user credentials and bypass multifactor authentication.
Campaign Type:
TTP Driven
Data Sources:
- Email logs
- Network traffic logs
- Web server logs
Tools:
- Tool for creating believable email
- Tool for email sending and tracking
- Tool for creating fake login page
- Tool for capturing credentials
- Tool for bypassing 2FA
Scenario:
Initial Access: Attacker sends a phishing email to the victim.
Execution: The victim clicks on the link in the email and is taken to a fake login page.
Exfiltration: The victim enters their credentials on the fake login page, which are then captured by the attacker.
Impact: The attacker can use the captured credentials to access the victim’s account and data.
Hunting Strategy:
- Analyze email logs for phishing emails.
- Analyze network traffic logs for connections to known Tycoon 2FA infrastructure.
- Analyze web server logs for requests to fake login pages.
- Correlate events from different data sources to identify potential phishing attacks.
- Investigate suspicious emails and login attempts.
- Remediate phishing attacks by blocking malicious emails and websites.
- Educate users about phishing attacks and how to avoid them.
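The correlation step above, as an added example that is not part of the original scenario: it joins constructed email, proxy and sign-in records per user, scores the chain email link -> visit -> external sign-in, and keeps a legitimate link-bearing email in the output at a low score to show the false-positive case. The watchlist domains, log fields and the 10. internal range are assumptions, not real Tycoon 2FA indicators.

```python
# Added example (not the scenario's own tooling). All records and hostnames are constructed;
# WATCHLIST holds placeholder domains standing in for a real Tycoon 2FA indicator feed.
from datetime import datetime, timedelta

WATCHLIST = {"login-verify.example", "mfa-check.example"}  # placeholder indicators

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

EMAIL_LOGS = [  # constructed: recipient, sender, host of the link in the message, time
    {"user": "alice", "from": "it-support@mail.example", "host": "login-verify.example", "ts": "2024-05-01T09:00:00"},
    {"user": "bob", "from": "hr@corp.example", "host": "intranet.corp.example", "ts": "2024-05-01T09:05:00"},
]
PROXY_LOGS = [  # constructed: user, destination host, time
    {"user": "alice", "host": "login-verify.example", "ts": "2024-05-01T09:02:10"},
    {"user": "bob", "host": "intranet.corp.example", "ts": "2024-05-01T09:06:00"},
]
LOGIN_LOGS = [  # constructed: user, source address, success flag, time
    {"user": "alice", "src": "203.0.113.7", "ok": True, "ts": "2024-05-01T09:04:30"},
    {"user": "bob", "src": "10.0.0.5", "ok": True, "ts": "2024-05-01T09:07:00"},
]

def hunt(emails, proxy, logins, window=timedelta(minutes=30), internal_prefix="10."):
    """Return one finding per email whose link host the recipient visited within `window`.
    Score: 1 for email+visit, +1 if the host is on the watchlist, +1 if a successful
    sign-in from outside the internal range follows the visit (stolen-session pattern)."""
    findings = []
    for e in emails:
        t0 = parse(e["ts"])
        visits = [p for p in proxy if p["user"] == e["user"] and p["host"] == e["host"]
                  and t0 <= parse(p["ts"]) <= t0 + window]
        if not visits:
            continue  # link never followed: nothing to chain
        t1 = parse(visits[0]["ts"])
        ext_logins = [l for l in logins if l["user"] == e["user"] and l["ok"]
                      and not l["src"].startswith(internal_prefix)
                      and t1 <= parse(l["ts"]) <= t1 + window]
        score = 1 + (e["host"] in WATCHLIST) + bool(ext_logins)
        findings.append({"user": e["user"], "host": e["host"], "score": score,
                         "stages": ["email", "visit"] + (["external_login"] if ext_logins else [])})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in hunt(EMAIL_LOGS, PROXY_LOGS, LOGIN_LOGS):
        print(f)
```

Bob's internal visit to a legitimate link scores 1 and stays at the bottom of the queue; Alice's chain scores 3 and is the one to investigate first.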
Recommendations:
- Implement email filtering to block phishing emails.
- Implement web filtering to block access to known phishing websites.
- Implement multifactor authentication to protect user accounts.
- Educate users about phishing attacks and how to avoid them.
False Positive Consideration:
- Legitimate emails that contain links
- Legitimate login attempts
D3 Diagram:
### D3 Diagram (Spearphishing Link)

**T1566.002 - Phishing: Spearphishing Link** [Implementation of T1566 - Phishing]

**Implementations**

1. Malicious link delivered via email
2. Malicious link shared through a social media post
3. Malicious link sent via an SMS message
4. Malicious link shared through a messaging application
5. Malicious link embedded in a malicious document or file
6. Malicious link hosted on a compromised website
7. Malicious link delivered through a watering hole attack

**Observables**

| Observable | Value | Robustness Level | Rationale |
|---|---|---|---|
| Email Subject | Varies | Level 1: Ephemeral Values | Easily modified by the attacker |
| Email Sender | Varies | Level 1: Ephemeral Values | Easily spoofed or modified |
| Link URL | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to the attacker's infrastructure but can be changed |
| Link Content | Varies | Level 1: Ephemeral Values | Easily modified by the attacker |
| Social Media Post Title | Varies | Level 1: Ephemeral Values | Easily modified by the attacker |
| Social Media Post Author | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to the attacker's account but can be changed |
| SMS Message Sender | Varies | Level 1: Ephemeral Values | Easily spoofed or modified |
| Document/File Content | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to the attacker's tools but can be modified |
| Website Content | Varies | Level 2: Core to Adversary-Brought Tool or Outside Boundary | Specific to the compromised website but can be changed |

**Scoring Notes**

* Observables related to the delivery mechanism (email, social media, SMS) are generally ephemeral, as the attacker can easily modify them.
* The content of the link itself is also ephemeral.
* The presence of a malicious link, regardless of the specific URL, is core to the technique but may not be observable depending on the data sources available.
* The specific URL of the malicious link is specific to the attacker's infrastructure but can be changed, placing it at Level 2.
* For some implementations, such as embedding the link in a malicious document or hosting it on a compromised website, the content of the document or website may be more robust, potentially reaching Level 3 or 4 if it contains specific attacker tools or infrastructure.