SOC Incident Toolkit
Archipelago Hide Office Documents and Cover Up Sneak Campaign With Recon Shark

APT43, Kimsuky, Recon Shark, Archipelago, Black Banshee, Thallium

The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign.

Indicators of Compromise

Domains (898)

navernnail.com, foward.viewpropile.p-e.kr, wvw3.secure-edit.n-e.kr, yulsohnyonsei.atwewbpages.com, naver.o-r.kr, mc.pzs.kr, w3.secure-edit.n-e.kr, www1.quickedit.o-r.kr, k-bank.o-r.kr, kbank.o-r.kr, heungkukfire.p-e.kr, objshell.run, g1790.rt14v.com, goooglesecurity.com, dashboard.quikveoriy.o-r.kr, 3.supports.o-r.kr, naver65.n-e.kr, gonamod.com, tos.p-e.kr, dmengineer.co.kr, +878 more

Hashes (6136)

IPv4 (1668)

49.1.1.1123.106.122.16210.16.120.212172.104.112.214194.31.98.133112.175.85.24380.66.76.22212.193.30.228170.39.185.242116.75.196.13890.249.106.6459.93.25.3580.89.230.4279.134.225.3290.219.22.23117.201.194.131111.92.118.56194.87.146.179193.124.57.10034.129.5.173+1648 more

CVEs (9)

CVE-2022-27638, CVE-2022-0609, CVE-2021-34527, CVE-2022-34271, CVE-2022-37042, CVE-2017-0199, CVE-2021-4034, CVE-2022-27925, CVE-2020-9715

APT Groups

Kimsuky

Notes

Introduction:
According to our analysis, Kimsuky is an advanced persistent threat (APT) organization originating from North Korea. The group has a history of targeted attacks worldwide, focused on information gathering and espionage on behalf of the North Korean government.

Latest Campaigns:
According to our analysis, Kimsuky's recent campaigns have focused on geopolitical concerns such as nuclear agendas and conflicts. This demonstrates their adaptability and their ability to leverage current events for their operations.

Malware: BabyShark and ReconShark:
In this analysis, we covered the BabyShark malware distributed by Kimsuky in 2018. Next, we introduced ReconShark as an advanced component of BabyShark, highlighting its reconnaissance capabilities. ReconShark collects information about infected systems, including running processes, battery information, and endpoint threat detection measures. It is also distributed using scripts, macro-enabled Office templates, and DLLs.

Spear-Phishing Techniques:
Kimsuky's targeting strategy includes carefully designed spear-phishing emails. The analysis explains that these emails are customized for specific people, using the right formatting, language and visual cues to look authentic. They use the names of real people, such as political scientists, to increase the chances of recipients opening the emails.

Using Microsoft OneDrive:
The analysis states that Kimsuky began hosting infected documents on Microsoft OneDrive, a popular cloud storage service. This demonstrates their ability to adapt to, and exploit, platforms commonly used for distributing their malicious content.

Avoidance Techniques:
To avoid detection, ReconShark uses simple encryption for some strings, making it difficult for static analysis methods to identify malicious behavior. Kimsuky's infrastructure is hosted on shared servers provided by NameCheap, and they often use LiteSpeed Web Server (LSWS) to manage their malicious operations.
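Because the note above says ReconShark is delivered through macro-enabled Office templates, a defender triaging a suspicious attachment wants a cheap container-level check before the file is ever opened. The following Python is an added example, not code from the page or from any vendor report: it treats an OOXML document as the ZIP archive it is, flags a vbaProject.bin part and a macroEnabled content type, and, going one step beyond the note's own text, also flags a template relationship that points to an external URL. The sample documents are constructed in memory; the placeholder URL and the placeholder VBA bytes are assumptions, not indicators from this campaign.

```python
"""Container-level triage of an OOXML Office document for macro indicators.

Added example; not code from the page or from any vendor analysis.
An OOXML file (.docx, .docm, .dotm, .xlsm, ...) is a ZIP archive. Macros are
stored in a part named vbaProject.bin, a macro-enabled document declares a
"macroEnabled" content type in [Content_Types].xml, and a document that loads
its template from elsewhere declares an attachedTemplate relationship with
TargetMode="External". None of these checks require opening the file in Office.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML container (as bytes) and return the indicators found."""
    findings = {"is_ooxml": False, "macro_parts": [],
                "macro_content_type": False, "external_templates": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings            # not a ZIP, so not an OOXML document
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return findings            # a ZIP, but not an OOXML package
    findings["is_ooxml"] = True
    findings["macro_parts"] = [n for n in names if VBA_PART.search(n)]
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    findings["macro_content_type"] = "macroEnabled" in ctypes
    # Every *.rels part lists relationships; an external attachedTemplate
    # means the document fetches its template from outside the file.
    for name in names:
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                findings["external_templates"].append(rel.get("Target", ""))
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into a triage label."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["macro_parts"] or findings["external_templates"]:
        return "review"
    return "clean"


def build_sample(macro: bool, external_template: str = "") -> bytes:
    """Construct a minimal OOXML-like package in memory (sample data only)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
                 else "application/vnd.openxmlformats-officedocument."
                      "wordprocessingml.document.main+xml")
    rels = [f'<Relationships xmlns="{NS_REL}">']
    if external_template:
        rels.append(f'<Relationship Id="rId9" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{external_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if macro:
            # Placeholder bytes standing in for a real VBA project (assumption).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder bytes")
    return buf.getvalue()


# Constructed samples: a plain document, a macro-enabled one, and one whose
# template is fetched from a placeholder URL.
CLEAN_DOC = build_sample(macro=False)
MACRO_DOC = build_sample(macro=True)
REMOTE_TEMPLATE_DOC = build_sample(
    macro=False, external_template="https://example.invalid/placeholder.dotm")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("macro", MACRO_DOC),
                       ("remote-template", REMOTE_TEMPLATE_DOC)):
        found = triage_ooxml(doc)
        print(f"{label}: {verdict(found)} {found}")
```

The check is deliberately structural: it never parses or executes VBA, so it is safe to run on a mail gateway or in a sandbox intake step, and a "review" verdict is a routing decision (detonate or hand to an analyst), not a malware verdict. A clean result only says the container carries no macro part and no external template; a malicious document can still reach code through other paths, which is why the Mitigation section below pairs attachment scanning with user training and process monitoring.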

Mitigation

Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of social engineering attack against specific targets. Spearphishing attachments differ from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access. [1]

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. [2]

Procedure Examples

ID | Name | Description
G1000 | ALLANITE | ALLANITE utilized spear phishing to gain access into energy sector environments. [3]
G0064 | APT33 | APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. [4] APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. [5]
S0093 | Backdoor.Oldrea | The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. [6]
S0089 | BlackEnergy | BlackEnergy targeted energy sector organizations in a wide-reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word document attachments. [7]
G0032 | Lazarus Group | Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. [8] Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. [9]
G0049 | OilRig | OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. [10]
G0034 | Sandworm Team | In the Ukraine 2015 incident, Sandworm Team sent spearphishing attachments containing malware to three energy distribution companies to gain access to victim systems. [11]

Mitigations

ID | Mitigation | Description
M0949 | Antivirus/Antimalware | Deploy anti-virus on all systems that support external email.
M0931 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.
M0921 | Restrict Web-Based Content | Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.
M0917 | User Training | Users can be trained to identify social engineering techniques and spearphishing emails.

Detection

ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content | Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers. [12][13] Anti-virus can potentially detect malicious documents and attachments as they are scanned to be stored on the email server or on the user's computer.
DS0022 | File | File Creation | Monitor for newly constructed files written from a spearphishing email with a malicious attachment, sent in an attempt to gain access to victim systems.
DS0029 | Network Traffic | Network Traffic Content | Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Use web proxies to review the content of emails, including sender information, headers, and attachments, for potentially malicious content.
DS0009 | Process | Process Creation | Monitor for suspicious descendant processes spawning from Microsoft Office and other productivity software. [14] For added context on adversary procedures and background see Spearphishing Attachment (https://attack.mitre.org/techniques/T1566/001).

The group, software, mitigation and data source IDs above link to the corresponding entries at https://attack.mitre.org/ (groups/, software/, mitigations/, datasources/).

References
[3] https://www.eisac.com/public-news-detail?id=115909
[4] https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
[5] https://www.wired.com/story/iran-hackers-us-phishing-tensions/
[6] https://www.f-secure.com/weblog/archives/00002718.html
[7] https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
[8] https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
[9] https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos
[10] https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
[11] https://www.justice.gov/opa/press-release/file/1328521/download
[12] https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
[13] https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
[14] https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql
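The Detection table gives two rules concrete enough to implement: DS0015 (mail logs showing failed SPF or DKIM, or a From domain that disagrees with the envelope sender) and DS0009 (a shell or script host spawned by an Office process). The Python below is an added example that is not code from the page or from MITRE ATT&CK; it runs both rules over constructed events. The event field names (`from`, `return_path`, `authentication_results`, `parent_image`, `image`), the Office parent list and the script-host list are assumptions chosen to resemble common mail-gateway and endpoint telemetry, and every sample event, address and path is constructed.

```python
"""Two spearphishing detections from the Detection table, over constructed events.

Added example; not code from the page or from MITRE ATT&CK. The event field
names, the Office parent list and the child-process list are assumptions;
every sample event below is constructed.
"""
import re
from email.utils import parseaddr

# Productivity software that should rarely spawn a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _domain(header_value: str) -> str:
    """Domain part of an RFC 5322 address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def check_mail(event: dict) -> list:
    """Reasons a message looks spoofed: failed SPF/DKIM, or From and
    Return-Path domains that do not agree (a header mismatch)."""
    reasons = []
    auth = event.get("authentication_results", "")
    for mechanism in ("spf", "dkim"):
        m = re.search(rf"\b{mechanism}=(\w+)", auth)
        if m and m.group(1).lower() == "fail":
            reasons.append(f"{mechanism}_fail")
    from_domain = _domain(event.get("from", ""))
    return_path_domain = _domain(event.get("return_path", ""))
    if from_domain and return_path_domain and from_domain != return_path_domain:
        reasons.append("header_mismatch")
    return reasons


def check_process(event: dict):
    """Flag a script host or shell spawned by an Office process, else None."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return f"office_child:{parent}->{child}"
    return None


def run_detections(mail_events, process_events) -> list:
    """Return (event id, reasons) for every event that fires a rule."""
    alerts = []
    for e in mail_events:
        reasons = check_mail(e)
        if reasons:
            alerts.append((e["id"], reasons))
    for e in process_events:
        reason = check_process(e)
        if reason:
            alerts.append((e["id"], [reason]))
    return alerts


# Constructed mail log events carrying Authentication-Results style verdicts.
MAIL_EVENTS = [
    {"id": "m1", "from": "Jane Placeholder <jane@institute.example>",
     "return_path": "<bounce@institute.example>",
     "authentication_results": "mx.example; spf=pass smtp.mailfrom=institute.example; dkim=pass header.d=institute.example"},
    {"id": "m2", "from": "Jane Placeholder <jane@institute.example>",   # looks like a known person
     "return_path": "<x@shared-host.invalid>",                          # but the envelope sender is elsewhere
     "authentication_results": "mx.example; spf=fail smtp.mailfrom=shared-host.invalid; dkim=none"},
    {"id": "m3", "from": "Jane Placeholder <jane@institute.example>",
     "return_path": "<jane@institute.example>",
     "authentication_results": "mx.example; spf=pass smtp.mailfrom=institute.example; dkim=fail header.d=institute.example"},
]

# Constructed process-creation events (parent image -> child image).
PROCESS_EVENTS = [
    {"id": "p1", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": "p2", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},          # print helper, expected from Word
    {"id": "p3", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for event_id, reasons in run_detections(MAIL_EVENTS, PROCESS_EVENTS):
        print(event_id, ", ".join(reasons))
```

Two design points worth keeping when porting this to a real SIEM: the mail rule keys the header mismatch on the domain of the From header against the envelope Return-Path, which is what the table's "mismatched message headers" means in practice, and `dkim=none` is deliberately not treated as a failure, since legitimate senders without DKIM are common; the process rule matches on image file names only, so a parent Office process launched from a non-standard path still fires, which is the behaviour you want for a first-line alert.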