Engage Goals: EGO0001 Expose, EGO0003 Elicit
Engage Approach: EAP0001 Collect, EAP0002 Detect
Engage Actions: EAC0009 Email Manipulation, EAC0015 Information Manipulation
Name of Element: Deceptive Email with Hidden Links
Description of Element:
Goal: To identify attackers who are actively monitoring email traffic or who have compromised an employee’s account.
Approach: Monitoring interaction with the deceptive email and analyzing attacker behavior. This element involves sending a deceptive email to employees that appears to be legitimate but contains hidden links that are only visible when the email is viewed in a specific way, such as using a particular email client or viewing the email’s source code.
Attackers who attempt to view the hidden links will be identified and their actions will be logged. This information can be used to improve defenses and make it more difficult for attackers to phish employees.
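One way to make the logging attributable is sketched below. This is an added example, not part of the original element: each recipient's copy carries a unique link that appears only in the message source, so a request for it points to the mailbox whose copy was read. The secret, the `portal.example.invalid` host, the `/review/` path, the recipients and the log lines are all constructed assumptions.

```python
import hashlib, hmac, re
from email.message import EmailMessage

SECRET = b"constructed-demo-key"                 # assumption: per-campaign secret
CANARY_BASE = "https://portal.example.invalid"   # assumption: placeholder decoy host
RECIPIENTS = ["alice@example.com", "bob@example.com"]  # constructed

def token_for(recipient: str) -> str:
    """Derive a stable per-recipient token; nothing needs to be stored per email."""
    return hmac.new(SECRET, recipient.lower().encode(), hashlib.sha256).hexdigest()[:20]

def build_decoy(recipient: str) -> EmailMessage:
    url = f"{CANARY_BASE}/review/{token_for(recipient)}"
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "Q3 access review"
    msg.set_content("Please complete the access review this week.")
    # The link sits in an HTML comment: absent from the rendered view and the
    # plain-text part, visible only to someone reading the message source.
    msg.add_alternative(
        f"<p>Please complete the access review this week.</p>\n<!-- archived copy: {url} -->",
        subtype="html")
    return msg

# Combined-log-format request line for the decoy path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /review/([0-9a-f]{20}) ')

def attribute_hits(log_lines, recipients):
    """Map each decoy-link request back to the mailbox whose copy contained it."""
    by_token = {token_for(r): r for r in recipients}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, tok = m.groups()
        # mailbox is None when the token was never issued (guessed or scanned path)
        hits.append({"src": src, "time": ts, "mailbox": by_token.get(tok)})
    return hits

# Constructed sample log: one real token, one unrelated request, one unissued token.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /review/{token_for("alice@example.com")} HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Mar/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [12/Mar/2025:10:03:30 +0000] "GET /review/' + "0" * 20 + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in attribute_hits(SAMPLE_LOG, RECIPIENTS):
        print(hit)
```

A hit with a known mailbox indicates that recipient's copy was read at source level; a hit with no mailbox is a request for a token that was never issued and should be triaged separately.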
Technical Context:
This element can be combined with other deceptive elements, such as fake websites or deceptive network configurations, to enhance its effectiveness. It aligns with the MITRE ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment).
Other:
This element can be used in conjunction with other deceptive elements, such as a fake landing page, to gather additional information about attackers.