
Decoding the Spear-Phishing Tactics of SEABORGIUM and TA453 in the UK
SEABORGIUM and TA453 are Russia-based and Iran-based threat actors conducting spear-phishing campaigns targeting organizations and individuals in the U.K. and other areas of interest. They target various sectors, including academia, defense, governmental organizations, and NGOs, using personalized phishing emails to compromise the victims' credentials and gain access to sensitive information.
Indicators of Compromise
Domains (172)
Hashes (7)
IPv4 (50)
Emails (1)
APT Groups
Callisto (Russian Federation)
APT42 (Iran, Islamic Republic of)
Mitigation
<h2>MITRE ATT&CK®</h2>
<div class="pcf-BodyText">
<p>This report has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.</p>
<table border="0">
<tbody>
<tr><th>Tactic</th><th>ID</th><th>Technique</th><th>Procedure</th></tr>
<tr><td>Reconnaissance</td><td><a href="https://attack.mitre.org/techniques/T1593/" target="_blank">T1593</a></td><td>Search Open Websites/Domains</td><td>SEABORGIUM actors use open source research and social media to identify information about victims to be used in targeting.<br>TA453 actors likely use professional networking sites and other open source resources to research their targets.</td></tr>
<tr><td>Reconnaissance</td><td><a href="https://attack.mitre.org/techniques/T1589/" target="_blank">T1589</a></td><td>Gather Victim Identity Information</td><td>SEABORGIUM and TA453 actors use online data sets and open source resources to gather information about their targets.</td></tr>
<tr><td>Resource Development</td><td><a href="https://attack.mitre.org/techniques/T1585/001/" target="_blank">T1585.001</a></td><td>Establish Accounts:<br>Social Media Accounts</td><td>SEABORGIUM actors have been observed to establish fraudulent profiles on professional networking sites to conduct reconnaissance.<br>TA453 actors have been observed to use fraudulent profiles on professional networking and other social media sites to approach their targets.</td></tr>
<tr><td>Resource Development</td><td><a href="https://attack.mitre.org/techniques/T1585/002/" target="_blank">T1585.002</a></td><td>Establish Accounts:<br>Email Accounts</td><td>SEABORGIUM and TA453 actors register consumer email accounts matching the names of individuals they are impersonating to conduct spear-phishing activity.</td></tr>
<tr><td>Resource Development</td><td><a href="https://attack.mitre.org/techniques/T1583/001/" target="_blank">T1583.001</a></td><td>Acquire Infrastructure:<br>Domains</td><td>SEABORGIUM actors register domains used to host their phishing framework.<br>TA453 actors register domains to host fake login pages.</td></tr>
<tr><td>Resource Development</td><td><a href="https://attack.mitre.org/techniques/T1586/002/" target="_blank">T1586.002</a></td><td>Compromise Accounts: Email Accounts</td><td>SEABORGIUM actors have been observed to use compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim.</td></tr>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1078/" target="_blank">T1078</a></td><td>Valid Accounts</td><td>SEABORGIUM and TA453 actors use compromised credentials, captured from fake login pages, to log in to valid victim user accounts.</td></tr>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1566/001/" target="_blank">T1566.001</a></td><td>Phishing: Spear-phishing attachment</td><td>SEABORGIUM actors use malicious links embedded in an email attachment to direct victims to their credential stealing sites.</td></tr>
<tr><td>Initial Access</td><td><a href="https://attack.mitre.org/techniques/T1566/002/" target="_blank">T1566.002</a></td><td>Phishing: Spear-phishing link</td><td>SEABORGIUM actors send spear-phishing emails with malicious links directly to credential stealing sites, or to documents hosted on a file sharing site which direct victims to credential stealing sites.<br>TA453 actors send spear-phishing emails with malicious links directly to credential stealing sites and to malware hosted on a file sharing site.</td></tr>
<tr><td>Collection</td><td><a href="https://attack.mitre.org/techniques/T1114/002/" target="_blank">T1114.002</a></td><td>Email Collection: Remote Email Collection</td><td>SEABORGIUM and TA453 actors interact directly with externally facing Exchange services, Office 365, or Google Workspace to access email and steal information using compromised credentials or access tokens.</td></tr>
<tr><td>Collection</td><td><a href="https://attack.mitre.org/techniques/T1114/003/" target="_blank">T1114.003</a></td><td>Email Collection: Email Forwarding Rule</td><td>SEABORGIUM actors may abuse email-forwarding rules to monitor the activities of a victim, steal information, and maintain persistent access to a victim's emails even after compromised credentials are reset.</td></tr>
</tbody>
</table>
<div class="pcf-BodyText"><b>Mitigation</b></div>
<div class="pcf-BodyText"><b>Use strong passwords</b></div>
<div class="pcf-BodyText">Use a separate password for email accounts and avoid password re-use across multiple services. <a href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email">See NCSC Guidance.</a></div>
<div class="pcf-BodyText"><b>Use multi-factor authentication</b></div>
<div class="pcf-BodyText">Also known as 2-step verification. Helps reduce the impact of password compromises. <a href="https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services">See NCSC Guidance for organisations</a> and <a href="https://www.ncsc.gov.uk/guidance/setting-2-step-verification-2sv">advice for small business, individuals and families</a></div>
<div class="pcf-BodyText"><b>Protect your devices and networks by keeping them up to date</b></div>
<div class="pcf-BodyText">Use the latest supported versions, apply security updates promptly, use antivirus and scan regularly to guard against known malware threats. <a href="https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/antivirus-and-other-security-software">See NCSC Guidance.</a></div>
<div class="pcf-BodyText"><b>Exercise vigilance</b></div>
<div class="pcf-BodyText">Spear-phishing emails are tailored to avoid suspicion. You may recognise the sender’s name, but has the email come from an address that you recognise? Would you expect contact from this person’s webmail address rather than their corporate email address? Has the suspicious email come to your personal/webmail address, rather than your corporate one? Can you verify that the email is legitimate via another means?</div>
<div class="pcf-BodyText">See <a href="https://www.ncsc.gov.uk/guidance/phishing">NCSC phishing guidance</a>. CPNI’s <a href="https://www.cpni.gov.uk/security-campaigns/think-you-link-tbyl-0">‘Think Before You Link’</a> app can help individuals identify malicious online profiles and reduce the risk of being targeted in the first instance.</div>
<div class="pcf-BodyText"><b>Enable your email providers’ automated email scanning features</b></div>
<div class="pcf-BodyText">These are turned on by default for consumer mail providers. <a href="https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working">See NCSC advice.</a></div>
<div class="pcf-BodyText"><b>Disable mail-forwarding</b></div>
</div>
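An added example, not part of the original advisory, of auditing for the T1114.003 behaviour in the table above: forwarding that keeps delivering a victim's mail to an outside address after the password has been reset. The forwarding field names follow Exchange Online's inbox-rule and mailbox properties; the export layout, the `Mailbox` key, the domains and every sample record are constructed assumptions.

```python
"""Flag mail forwarding that leaves the organisation (ATT&CK T1114.003)."""
import re

# Assumption: the organisation's own mail domains. Subdomains count as internal.
INTERNAL_DOMAINS = {"example.org"}

# Inbox-rule actions that send a copy of matching mail somewhere else.
RULE_FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Pulls addr@domain out of strings such as '"Bob" [SMTP:bob@example.org]'
# or 'smtp:bob@example.org'.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def is_internal(domain, internal_domains):
    """True for an internal domain or one of its subdomains (not a look-alike suffix)."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(value, internal_domains):
    """Return the addresses in a string or list of strings that are outside the organisation."""
    if not value:
        return []
    items = [value] if isinstance(value, str) else value
    hits = []
    for item in items:
        for match in ADDRESS_RE.finditer(item):
            if not is_internal(match.group(1), internal_domains):
                hits.append(match.group(0).lower())
    return hits


def audit_forwarding(rules, mailboxes, internal_domains=INTERNAL_DOMAINS):
    """Check both places forwarding can hide: per-user inbox rules and mailbox settings."""
    findings = []
    for rule in rules:
        for field in RULE_FORWARD_FIELDS:
            for addr in external_recipients(rule.get(field), internal_domains):
                findings.append({
                    "mailbox": rule["Mailbox"],
                    "source": "inbox rule %r" % rule.get("Name", ""),
                    "action": field,
                    "target": addr,
                    # Disabled rules are still reported so they can be removed.
                    "enabled": bool(rule.get("Enabled", True)),
                })
    for mbx in mailboxes:
        for addr in external_recipients(mbx.get("ForwardingSmtpAddress"), internal_domains):
            findings.append({
                "mailbox": mbx["PrimarySmtpAddress"],
                "source": "mailbox setting",
                "action": "ForwardingSmtpAddress",
                "target": addr,
                "enabled": True,
            })
    return findings


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"Mailbox": "alice@example.org", "Name": "Team digest", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:bob@example.org]']},
    {"Mailbox": "alice@example.org", "Name": ".", "Enabled": True,
     "RedirectTo": ['"A" [SMTP:alice.archive@webmail.example]']},
    {"Mailbox": "carol@example.org", "Name": "sync", "Enabled": False,
     "ForwardAsAttachmentTo": ["[SMTP:c.copy@files.test]"]},
]
SAMPLE_MAILBOXES = [
    {"PrimarySmtpAddress": "dave@example.org",
     "ForwardingSmtpAddress": "smtp:dave@mail.example.org"},
    {"PrimarySmtpAddress": "erin@example.org",
     "ForwardingSmtpAddress": "smtp:erin.copy@webmail.example"},
    {"PrimarySmtpAddress": "frank@example.org", "ForwardingSmtpAddress": None},
]

if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RULES, SAMPLE_MAILBOXES):
        state = "enabled" if f["enabled"] else "disabled"
        print("%(mailbox)s: %(source)s %(action)s -> %(target)s" % f, "(%s)" % state)
```

Run the audit as part of account recovery as well as on a schedule: a password reset alone leaves any rule found here in place.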
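The "Exercise vigilance" questions and the T1585.002 row, turned into a mail-filter check as an added example that is not part of the original advisory: it flags a message whose From display name matches a known contact while the address is not one that contact normally uses, and notes when the address is on a webmail domain. The contact directory, the webmail domain list, the title list and the sample messages are constructed assumptions.

```python
"""Flag mail whose From display name matches a known contact but whose address does not."""
import email
import re
import unicodedata
from email import policy

# Assumption: contacts and the addresses they normally write from.
KNOWN_CONTACTS = {"Jane Smith": {"jane.smith@university.example"}}
# Assumption: placeholder for a maintained list of consumer webmail domains.
WEBMAIL_DOMAINS = {"webmail.example"}
# Honorifics ignored when comparing names.
TITLES = {"dr", "prof", "professor", "mr", "mrs", "ms", "sir"}


def name_key(display_name):
    """Order- and punctuation-insensitive key, so 'Smith, Jane' equals 'Dr. Jane Smith'."""
    text = unicodedata.normalize("NFKC", display_name or "").casefold()
    return frozenset(t for t in re.findall(r"[^\W\d_]+", text) if t not in TITLES)


def check_sender(raw_message, contacts=KNOWN_CONTACTS, webmail=WEBMAIL_DOMAINS):
    """Classify the From header of one RFC 5322 message given as text."""
    # policy.default decodes RFC 2047 encoded display names before we compare them.
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return {"verdict": "no-from-header", "address": None,
                "claims_to_be": None, "webmail": False}

    sender = header.addresses[0]
    address = sender.addr_spec.lower()
    result = {"address": address, "claims_to_be": None,
              "webmail": sender.domain.lower() in webmail}

    by_address = {a.lower(): n for n, addrs in contacts.items() for a in addrs}
    by_name = {name_key(n): n for n in contacts}
    key = name_key(sender.display_name)

    if address in by_address:
        result["claims_to_be"] = by_address[address]
        result["verdict"] = "known-address"
    elif key and key in by_name:
        # Familiar name, unfamiliar address: verify through another channel.
        result["claims_to_be"] = by_name[key]
        result["verdict"] = "name-match-unfamiliar-address"
    else:
        result["verdict"] = "unknown-sender"
    return result


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = {
    "genuine": "From: Jane Smith <jane.smith@university.example>\n"
               "Subject: Draft agenda\n\nHi\n",
    "reordered": 'From: "Smith, Jane" <jane.smith.office@webmail.example>\n'
                 "Subject: Re: Draft agenda\n\nHi\n",
    "encoded": "From: =?utf-8?q?Dr=2E_Jane_Smith?= <j.smith@webmail.example>\n"
               "Subject: Paper for review\n\nHi\n",
    "stranger": "From: Conference Desk <desk@events.example>\n"
                "Subject: Registration\n\nHi\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, check_sender(raw))
```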