内置鱼叉

攻击者可以使用内部骗局来获得其他信息的访问权，或者在他们已经可以访问环境中的帐户或系统之后利用同一组织内的其他用户。内部鱼叉式攻击是一种多阶段攻击，其中通过使用以前安装的恶意软件控制用户的设备或破坏用户的帐户凭据来拥有电子邮件帐户。攻击者试图利用可信任的内部帐户来增加诱骗目标使其陷入网络钓鱼尝试的可能性。

攻击者可以将鱼叉(T1193)式钓鱼附件(T1193)或鱼叉式(T1192)钓鱼链接(T1192)作为内部鱼叉式(T1192)钓鱼的一部分来传递有效负载或重定向到外部站点，以通过模仿电子邮件登录界面的站点上的输入捕获(T1056)来捕获凭据。

曾发生过使用内部鱼叉式鱼雷的显着事件。“ Eye Pyramid”使用带有恶意附件的网络钓鱼电子邮件在受害者之间横向移动，在此过程中破坏了将近18,000个电子邮件帐户。 叙利亚电子军（SEA）在英国《金融时报》入侵了电子邮件帐户，以窃取其他帐户凭据。金融时报获悉该攻击并开始警告员工该威胁后，SEA发送了仿冒金融时报IT部门的网络钓鱼电子邮件，并能够危害更多用户。

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.

Adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process. The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.

标签

ID编号： T1534

策略： 横向运动

平台： Windows，macOS，Linux，Office 365，SaaS

所需权限： user

数据源： SSL/TLS检查，DNS记录，防病毒，Web代理，文件监视，邮件服务器，Office 365跟踪日志

缓解措施

这种攻击技术无法通过预防性控制轻松缓解，因为它基于滥用系统功能。

his type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

检测

网络入侵检测系统和电子邮件网关通常不扫描内部电子邮件，但是组织可以利用基于日记的解决方案，该解决方案将电子邮件的副本发送到安全服务以进行脱机分析，或者使用内部部署或API-合并服务集成的解决方案。基于基础的集成，以帮助检测内部的鱼叉式攻击。

Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn