EU Phishing Campaign

Subject: EU Phishing Campaign

Tactics: TA0001 Initial Access

Technique: T1566.001 Phishing: Spearphishing Attachment

Procedure:

The threat actors utilized phishing emails with attached PDF documents or embedded HTML links. These emails targeted European companies and organizations, aiming to harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.

Vulnerability:

EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

EAV0004 When adversaries use phishing emails to gain access to victim systems, they have no control over where a malicious attachment is detonated from, or where a link is clicked.

EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

Deploy a decoy email server and create realistic-looking emails that mimic those used in the campaign. Monitor for any interaction with these emails and attachments, such as opening the email, clicking on links, or attempting to open the attachments. This provides an opportunity to engage with the adversary, gather intelligence on their tactics, and potentially disrupt their operations.

Threat Actor: Unknown, potentially sophisticated and organized group targeting multiple organizations.

Threat Objective:

To harvest account credentials and take over the victim’s Microsoft Azure cloud infrastructure.

Deception Opportunity:

Create a fake Outlook Web App (OWA) login page that mimics the one used in the campaign. Monitor for any login attempts on this decoy page, which could reveal the adversary’s presence and their intent to steal credentials.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

Phishing emails with malicious attachments or links are a common tactic used in various cyberattacks. While not all phishing attacks use this method, it is prevalent enough to be considered a core implementation of this sub-technique.

Link to Report:

Link to Report II.:

Additional Comments:

Organizations should implement robust email security measures, user awareness training, and multi-factor authentication to mitigate the risk of such phishing attacks.

Possible elements: Deceptive User Behavior Patterns, Honeypot MS Exchange, Privileged User Account Decoy

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: Phishing Campaign Attack Graph

[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver phishing emails with PDF attachments or HTML links (Core to Some Implementations of (Sub-)Technique)
[2]: Command and Control [TA0011] - Application Layer Protocol [T1071]: Web Protocols [T1071.001] - Redirect victims to fake OWA login page (Lack of User Awareness)
[3]: Credential Access [TA0006] - Input Capture [T1056]: Keylogging [T1056.001] - Capture victim's credentials on the fake OWA login page (Lack of User Awareness)
[4]: Persistence [TA0003] - Valid Accounts [T1078]: Domain Accounts [T1078.002] - Use stolen credentials to gain access to victim's Azure infrastructure (Lack of Network Monitoring)

1 --> 2
2 --> 3
3 --> 4

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Example: Phishing Campaign Pseudocode

function Initial_Access_Phishing(target_email):
    # Craft phishing email with PDF attachment or HTML link
    # Send email to target_email
    return phishing_link

function Command_and_Control_Application_Layer_Protocol(phishing_link):
    # Redirect victim to fake OWA login page
    return fake_owa_page

function Credential_Access_Input_Capture(fake_owa_page):
    # Capture victim's credentials on the fake OWA login page
    return stolen_credentials

function Persistence_Valid_Accounts(stolen_credentials):
    # Use stolen credentials to gain access to victim's Azure infrastructure
    return success
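A parser for the MSG node and edge notation defined above, added here as an example and not part of this page or its authors' tooling. It assumes the node form used in the page's example graph, treats the edge's parenthesised "(Exploited Vulnerability)" suffix as optional, and feeds in the page's own graph as a constructed sample with one edge annotated with EAV0004 to exercise that suffix.

```python
import re

# Added example (not from the page): parser for the Malicious Sub-Graph (MSG) notation.
# Node line: [id]: Tactic [TAxxxx] - Technique [Txxxx]: Sub-technique [Txxxx.xxx] - Procedure (annotation)
# Edge line: src --> dst, optionally followed by "(Exploited Vulnerability)" as the page's format allows.
NODE_RE = re.compile(
    r"^\[(?P<id>\d+)\]:\s*(?P<tactic>.+?)\s*\[(?P<tactic_id>TA\d{4})\]\s*-\s*"
    r"(?P<technique>.+?)\s*\[(?P<technique_id>T\d{4})\]"
    r"(?::\s*(?P<sub>.+?)\s*\[(?P<sub_id>T\d{4}\.\d{3})\])?\s*-\s*"
    r"(?P<procedure>.+?)\s*\((?P<annotation>.+)\)\s*$")
EDGE_RE = re.compile(r"^(?P<src>\d+)\s*-->\s*(?P<dst>\d+)(?:\s*\((?P<vuln>.+)\))?\s*$")

def parse_msg(text):
    """Return (nodes, edges); '#' comment lines and blanks are skipped, malformed lines rejected."""
    nodes, edges = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := NODE_RE.match(line):
            fields = m.groupdict()
            nodes[int(fields.pop("id"))] = fields
        elif m := EDGE_RE.match(line):
            edges.append((int(m["src"]), int(m["dst"]), m["vuln"]))
        else:
            raise ValueError(f"unrecognised MSG line: {line}")
    for src, dst, _ in edges:                  # every edge must join two defined nodes
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge {src} --> {dst} references an undefined node")
    return nodes, edges

def attack_path(nodes, edges):
    """Follow edges from the single entry node and list the (sub-)technique ID at each hop."""
    targets = {dst for _, dst, _ in edges}
    entry = [n for n in nodes if n not in targets]
    if len(entry) != 1:
        raise ValueError("expected exactly one entry node")
    nxt, path, cur = {s: d for s, d, _ in edges}, [], entry[0]
    while cur is not None:
        path.append(nodes[cur]["sub_id"] or nodes[cur]["technique_id"])
        cur = nxt.get(cur)
    return path

# Constructed sample: this page's graph in its own notation, with one edge carrying an EAV annotation.
SAMPLE = """\
[1]: Initial Access [TA0001] - Phishing [T1566]: Spearphishing Attachment [T1566.001] - Deliver phishing emails with PDF attachments or HTML links (Core to Some Implementations of (Sub-)Technique)
[2]: Command and Control [TA0011] - Application Layer Protocol [T1071]: Web Protocols [T1071.001] - Redirect victims to fake OWA login page (Lack of User Awareness)
[3]: Credential Access [TA0006] - Input Capture [T1056]: Keylogging [T1056.001] - Capture victim's credentials on the fake OWA login page (Lack of User Awareness)
[4]: Persistence [TA0003] - Valid Accounts [T1078]: Domain Accounts [T1078.002] - Use stolen credentials to gain access to victim's Azure infrastructure (Lack of Network Monitoring)
1 --> 2
2 --> 3 (EAV0004)
3 --> 4
"""
```

Running parse_msg(SAMPLE) followed by attack_path gives the ordered chain T1566.001, T1071.001, T1056.001, T1078.002, which is the sequence a defender maps sensors and decoys against.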
