
The ChatGPT Impersonation Phishing Campaign: Unmasking a Global Threat to Businesses
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1598.001 Phishing for Information: Spearphishing Service
ID | Data Source | Data Component | Detects
| | | Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown or otherwise suspicious accounts). Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
| | | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
| | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1586.002 Compromise Accounts: Email Accounts
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).
T1566.001 Phishing: Spearphishing Attachment
ID | Data Source | Data Component | Detects
| | | Monitor third-party application logging, messaging, and/or other artifacts for spearphishing emails carrying a malicious attachment sent in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[269][270] Anti-virus can potentially detect malicious documents and attachments as they are scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant processes spawning from Microsoft Office and other productivity software.[271]
| | | Monitor for newly constructed files written from spearphishing emails with malicious attachments that attempt to gain access to victim systems.
| | | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[269][270]
| | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1566.002 Phishing: Spearphishing Link
ID | Mitigation | Description
| | Audit applications and their permissions to ensure access to data and resources is limited based upon necessity and the principle of least privilege.
| | Determine whether certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
| | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross-domain) to perform similar message filtering and validation.[125][126] Furthermore, policies may enforce or install browser extensions that protect against IDN and homograph attacks.
| | Azure AD administrators can restrict users' ability to grant consent to unfamiliar or unverified third-party applications.
| | Users can be trained to identify social engineering techniques and spearphishing emails with malicious links, including phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness of the need to check URLs before visiting sites.
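The DKIM+SPF filtering named under T1566.001 and the SPF/DKIM/DMARC and IDN-homograph mitigations listed above, as an added Python example that is not part of the original page: it parses the Authentication-Results header an inbound mail gateway stamps on a message, applies a DMARC-style relaxed alignment check against the visible From domain, and flags punycode (IDN) sender domains. The sample messages, the mx.example.net authserv-id, and the two-label shortcut for the organizational domain (no Public Suffix List) are assumptions.

```python
"""Flag spoofed or unaligned senders from Authentication-Results headers.

Added example: a DMARC-style alignment check over the SPF/DKIM results an
inbound gateway records in Authentication-Results (RFC 8601), plus an
IDN/punycode flag on the visible From domain. All sample messages are
constructed; mx.example.net is an assumed authserv-id.
"""
import email
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption: no Public Suffix List, so suffixes like co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Split an Authentication-Results header into
    {method: (result, {property: value})}; the first clause is the authserv-id."""
    results = {}
    for clause in [c.strip() for c in header.split(";")][1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = (result, props)
    return results


def evaluate(raw_message: str) -> dict:
    """Return alignment results, findings and a verdict for one raw message."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    # smtp.mailfrom may be a full address or a bare domain; header.d is a domain
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = dkim_props.get("header.d", "").lower()

    # Relaxed alignment (DMARC semantics): the domain that passed SPF or DKIM
    # must share the organizational domain of the visible From address.
    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and org_domain(spf_domain) == org_domain(from_domain))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and org_domain(dkim_domain) == org_domain(from_domain))

    findings = []
    if not from_domain:
        findings.append("missing or unparsable From address")
    elif not (spf_aligned or dkim_aligned):
        findings.append("no aligned SPF or DKIM pass for From domain")
    if any(label.startswith("xn--") for label in from_domain.split(".")) or not from_domain.isascii():
        findings.append("IDN/punycode From domain, possible homograph")

    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_aligned),
        "dkim": (dkim_result, dkim_domain, dkim_aligned),
        "findings": findings,
        "verdict": "pass" if not findings else "suspicious",
    }


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legit": (
        "From: Billing <billing@example.com>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@example.com; "
        "dkim=pass header.d=example.com\n"
        "Subject: Your invoice\n\nbody\n"
    ),
    # SPF passes, but for a bulk-sender domain unrelated to the visible From.
    "unaligned": (
        "From: Support <support@example.org>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk@sender.example.net; dkim=none\n"
        "Subject: Verify your account\n\nbody\n"
    ),
    # Fully authenticated, but the From domain is punycode (a look-alike candidate).
    "idn": (
        "From: Notifications <notify@xn--exmple-cua.com>\n"
        "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=xn--exmple-cua.com; "
        "dkim=pass header.d=xn--exmple-cua.com\n"
        "Subject: Action required\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = evaluate(raw)
        print(f"{name}: {result['verdict']} {result['findings']}")
```

Run as-is it prints one verdict per sample: the aligned message passes, the bulk-sender message is flagged for having no aligned pass, and the punycode sender is flagged even though SPF and DKIM both pass and align. In production the Authentication-Results header must be the one written by your own gateway (strip any inbound copies first), otherwise a sender can supply a forged "pass".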
T1539 Steal Web Session Cookie
ID | Data Source | Data Component | Detects
| | | Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.
Analytic 1 - Unexpected access to web session cookie files:
(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\AppData\Roaming\*\Cookies\*" OR ObjectName="*\AppData\Local\*\Cookies\*")
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject="*\AppData\Roaming\*\Cookies\*" OR TargetObject="*\AppData\Local\*\Cookies\*")
OR (index=os sourcetype="linux_audit" (filepath="/home/*/.mozilla/firefox/*.default-release/cookies.sqlite" OR filepath="/home/*/.config/google-chrome/Default/Cookies"))
OR (index=os sourcetype="macos_secure" file_path="/Users/*/Library/Application Support/Google/Chrome/Default/Cookies")
OR (index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth")
OR (index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")
| | | Monitor for attempts by programs to inject into or dump browser process memory.
Analytic 1 - Unauthorized access or injection into browser processes:
(index=security sourcetype="WinEventLog:Security" EventCode=4688 OR EventCode=4663)
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR EventCode=10)
OR (index=os sourcetype="linux_secure" action="execve" OR action="ptrace")
OR (index=os sourcetype="macos_secure" event_type="execve" OR event_type="ptrace")
OR (index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth")
OR (index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")
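The cookie-file analytic above, as an added Python example that is not part of the original page or of ATT&CK: it normalizes file-access events from the analytic's four host sources (Windows Security 4663, Sysmon 11, Linux audit, macOS) onto a common process/path shape, matches the path against the analytic's cookie-store patterns with wildcards, and raises an alert only when the accessing process is not a browser. The browser allow-list, the field mapping, and all sample events are constructed assumptions; the two Windows patterns without a trailing wildcard are an addition so that a file literally named Cookies (Chrome's current layout) is also caught.

```python
"""Detect non-browser processes touching browser cookie stores.

Added example: the T1539 analytic's path patterns (wildcards as '*'),
applied across Windows Security, Sysmon, Linux audit and macOS file events
after mapping each source's field names. The browser allow-list, the field
map and all sample events are constructed assumptions.
"""
from fnmatch import fnmatchcase

# Compared case-insensitively (paths are lower-cased first). The Windows
# variants without a trailing '\*' also match a file literally named
# 'Cookies', which the analytic's trailing wildcard alone would miss.
COOKIE_PATH_PATTERNS = [
    r"*\appdata\roaming\*\cookies",
    r"*\appdata\roaming\*\cookies\*",
    r"*\appdata\local\*\cookies",
    r"*\appdata\local\*\cookies\*",
    "/home/*/.mozilla/firefox/*.default-release/cookies.sqlite",
    "/home/*/.config/google-chrome/default/cookies",
    "/users/*/library/application support/google/chrome/default/cookies",
]

# Assumption: these process names are the legitimate owners of cookie files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                     "chrome", "firefox", "google chrome", "safari"}

# sourcetype -> (process field, file path field), following the analytic's sources
FIELD_MAP = {
    "WinEventLog:Security": ("ProcessName", "ObjectName"),
    "WinEventLog:Microsoft-Windows-Sysmon/Operational": ("Image", "TargetObject"),
    "linux_audit": ("exe", "filepath"),
    "macos_secure": ("process", "file_path"),
}


def process_basename(image: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cookie_path(path: str) -> bool:
    """True when the path matches any cookie-store pattern."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pat) for pat in COOKIE_PATH_PATTERNS)


def normalize(event: dict):
    """Map a raw event onto (process, path); None for unsupported sources."""
    fields = FIELD_MAP.get(event.get("sourcetype"))
    if fields is None:
        return None
    proc_field, path_field = fields
    image = event.get(proc_field, "")
    return {"host": event.get("host", "?"), "sourcetype": event["sourcetype"],
            "process": image, "process_name": process_basename(image),
            "path": event.get(path_field, "")}


def detect_cookie_access(events) -> list:
    """Return normalized events where a non-browser process touched a cookie store."""
    alerts = []
    for raw in events:
        ev = normalize(raw)
        if ev is None or not is_cookie_path(ev["path"]):
            continue
        if ev["process_name"] in BROWSER_PROCESSES:
            continue  # a browser reading its own cookie file is expected
        alerts.append(ev)
    return alerts


# Constructed sample events; field names follow the analytic's sourcetypes.
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "host": "ws01", "EventCode": 4663,
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"sourcetype": "WinEventLog:Security", "host": "ws01", "EventCode": 4663,
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "host": "ws01", "EventCode": 11,
     "Image": r"C:\Users\Public\loader.exe",
     "TargetObject": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Cookies\staged.db"},
    {"sourcetype": "linux_audit", "host": "dev01", "exe": "/usr/bin/python3",
     "filepath": "/home/bob/.mozilla/firefox/x1y2z3w4.default-release/cookies.sqlite"},
    {"sourcetype": "linux_audit", "host": "dev01", "exe": "/usr/lib/firefox/firefox",
     "filepath": "/home/bob/.mozilla/firefox/x1y2z3w4.default-release/cookies.sqlite"},
    {"sourcetype": "macos_secure", "host": "mac01", "process": "/usr/bin/curl",
     "file_path": "/Users/carol/Library/Application Support/Google/Chrome/Default/Cookies"},
    {"sourcetype": "WinEventLog:Security", "host": "ws01", "EventCode": 4663,
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for alert in detect_cookie_access(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['process_name']} -> {alert['path']}")
```

Of the seven constructed events, four are reported (PowerShell, an executable in a public folder, a Python interpreter and curl reading cookie stores); the browsers' own reads and the unrelated document access are dropped. Matching on the process name alone is the weak point of this tuning: pair it with the image path or code signer before trusting the allow-list, since a renamed binary would otherwise pass.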
T1110.004 Brute Force: Credential Stuffing
ID | Data Source | Data Component | Detects
| | | Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[8]
| | | Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.[8]
Analytic 1 - Multiple failed logon attempts across different accounts, especially using commonly used passwords:
(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379))
OR (index=os sourcetype="linux_secure" message="Failed password")
OR (index=os sourcetype="macos_secure" message="Failed to authenticate user")
| where match(Password, "(?i)(Password123|Password1|123456|12345678|qwerty|abc123|letmein|welcome|monkey|admin|login|pass|guest|root)")
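The "many failed attempts across various accounts" signal above, as an added Python example that is not part of the original page: failed logons are parsed from constructed Windows 4625 key=value lines and Linux sshd "Failed password" lines, then counted per source IP in a sliding time window, alerting when one source cycles through more distinct accounts than a threshold. Logon-failure events do not normally record the password that was tried, so this example keys on account spread per source rather than on the password value. The log formats, the fixed syslog year, and the window and threshold values are assumptions.

```python
"""Detect credential stuffing: many distinct accounts failing from one source.

Added example (not from the page): failed logons parsed from constructed
Windows 4625 key=value lines and Linux sshd 'Failed password' lines, then
counted per source IP in a sliding window. Failure events carry no password,
so the signal is account spread per source rather than the password tried.
"""
import re
from collections import defaultdict
from datetime import datetime

WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) host=\S+ EventCode=(?P<code>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)
LINUX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FAILURE_CODES = {"4625", "5379"}  # the EventCode list used by the analytic
SYSLOG_YEAR = 2024                # assumption: classic syslog lines omit the year


def parse_failure(line: str):
    """Return (timestamp, source_ip, username) for a failed logon, else None."""
    m = WIN_RE.match(line)
    if m:
        if m.group("code") not in FAILURE_CODES:
            return None  # e.g. a 4624 success, not a failure
        return datetime.fromisoformat(m.group("ts")), m.group("ip"), m.group("user").lower()
    m = LINUX_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        return ts, m.group("ip"), m.group("user").lower()
    return None


def detect_credential_stuffing(lines, window_seconds=120, threshold=5) -> list:
    """Alert per source IP whose failures span >= threshold distinct accounts
    within some window_seconds-wide interval."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, ip, user = parsed
            by_ip[ip].append((ts, user))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        counts = defaultdict(int)  # username -> failures inside the window
        left, peak = 0, 0
        for ts, user in events:
            counts[user] += 1
            # drop events from the left until the window fits
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_user = events[left][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts.append({"ip": ip, "distinct_users": peak, "failures": len(events)})
    return alerts


# Constructed log lines: one source sprays six accounts across a domain
# controller and an SSH host; another source is one user mistyping a password.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host=dc01 EventCode=4625 TargetUserName=alice IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T10:00:04 host=dc01 EventCode=4625 TargetUserName=bob IpAddress=203.0.113.7 Status=0xC000006D
2024-05-01T10:00:09 host=dc01 EventCode=4624 TargetUserName=alice IpAddress=198.51.100.9 LogonType=3
2024-05-01T10:00:12 host=dc01 EventCode=4625 TargetUserName=carol IpAddress=203.0.113.7 Status=0xC000006D
May  1 10:00:20 web01 sshd[4112]: Failed password for dave from 203.0.113.7 port 51234 ssh2
May  1 10:00:25 web01 sshd[4113]: Failed password for invalid user erin from 203.0.113.7 port 51240 ssh2
2024-05-01T10:00:31 host=dc01 EventCode=4625 TargetUserName=alice IpAddress=198.51.100.9 Status=0xC000006A
2024-05-01T10:00:40 host=dc01 EventCode=4625 TargetUserName=alice IpAddress=198.51.100.9 Status=0xC000006A
May  1 10:00:44 web01 sshd[4120]: Failed password for frank from 203.0.113.7 port 51250 ssh2
2024-05-01T10:01:02 host=dc01 EventCode=4625 TargetUserName=alice IpAddress=198.51.100.9 Status=0xC000006A
"""

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Only 203.0.113.7 is reported (six distinct accounts in well under two minutes); the user retrying one account from 198.51.100.9 stays below the threshold, and the 4624 success line is ignored. Stuffing that is spread across many source addresses needs the same count keyed on a different pivot (user agent, ASN, or target application) rather than on IP.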
T1041 Exfiltration Over C2 Channel
ID | Data Source | Data Component | Detects
| | | Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.
| | | Monitor for suspicious files (e.g. .pdf, .docx, .jpg) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel.
| | | Monitor for newly constructed network connections that are sent or received by untrusted hosts. Note: network analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.
| | | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
| | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
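The "processes that do not normally have network communication or have never been seen before" detection, repeated under T1598.001, T1566.001 and T1041 above, as an added Python example that is not part of the original page: a per-process baseline of outbound destination ports is built from constructed historical network-connection events using Sysmon Event ID 3 field names (Image, DestinationIp, DestinationPort, Initiated), and today's events are then checked against it, reporting processes never seen on the network and known processes reaching a new port. The history, today's events, and the executable paths are all constructed.

```python
"""Flag processes whose outbound connections fall outside their baseline.

Added example (not from the page): a per-process baseline of destination
ports is built from constructed historical events shaped like Sysmon Event
ID 3 records, then applied to today's events. All events are constructed.
"""
from collections import defaultdict


def process_basename(image: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_baseline(events) -> dict:
    """process name -> set of destination ports seen on outbound connections."""
    baseline = defaultdict(set)
    for ev in events:
        if not ev.get("Initiated", False):
            continue  # only connections the process opened itself
        baseline[process_basename(ev["Image"])].add(int(ev["DestinationPort"]))
    return dict(baseline)


def detect_new_flows(events, baseline: dict) -> list:
    """Return alerts for outbound connections the baseline does not explain."""
    alerts = []
    for ev in events:
        if not ev.get("Initiated", False):
            continue
        name = process_basename(ev["Image"])
        port = int(ev["DestinationPort"])
        known_ports = baseline.get(name)
        if known_ports is None:
            reason = "process-not-in-baseline"   # never seen on the network
        elif port not in known_ports:
            reason = "new-port"                  # known process, unusual port
        else:
            continue
        alerts.append({"reason": reason, "process": name, "image": ev["Image"],
                       "dest": f"{ev['DestinationIp']}:{port}"})
    return alerts


def make_event(image, dest_ip, dest_port, initiated=True) -> dict:
    """Constructed record using Sysmon Event ID 3 field names."""
    return {"Image": image, "DestinationIp": dest_ip,
            "DestinationPort": dest_port, "Initiated": initiated}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed history (say, the previous 30 days of connections).
HISTORY = [
    make_event(CHROME, "198.51.100.20", 443),
    make_event(CHROME, "198.51.100.21", 80),
    make_event(OUTLOOK, "198.51.100.22", 443),
    make_event(OUTLOOK, "198.51.100.23", 993),
    make_event(SVCHOST, "198.51.100.24", 443),
    make_event(SVCHOST, "198.51.100.25", 123),
    make_event(SVCHOST, "10.0.0.5", 445, initiated=False),  # inbound, not baselined
]

# Constructed events for today.
TODAY = [
    make_event(CHROME, "198.51.100.20", 443),
    make_event(WINWORD, "203.0.113.50", 443),               # Word has no network history
    make_event(SVCHOST, "198.51.100.30", 8443),             # known process, new port
    make_event(OUTLOOK, "198.51.100.23", 993),
    make_event(r"C:\Users\alice\AppData\Local\Temp\update.exe", "203.0.113.77", 4444),
    make_event(SVCHOST, "10.0.0.5", 445, initiated=False),  # inbound, skipped
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for alert in detect_new_flows(TODAY, baseline):
        print(f"{alert['reason']}: {alert['process']} -> {alert['dest']}")
```

Three of today's six events are reported: the Office binary and the executable in a temporary folder have no network history, and svchost.exe reaches a port it never used before. Two caveats matter in practice: the baseline is only as clean as the period it was learned from, and keying on the file name alone lets a renamed binary inherit a legitimate process's baseline, so the real key should include the image path and signer.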