Full Report
Phishing attacks are no longer confined to the email inbox, with 1 in 3 phishing attacks now taking place over non-email channels like social media, search engines, and messaging apps. LinkedIn in particular has become a hotbed for phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting
Analysis Summary
# Tool/Technique: Phishing Kits (General Mention)
## Overview
The use of general "phishing kits" is mentioned in the context of bypassing anti-phishing controls based on webpage inspection or web traffic analysis. These kits help automate and scale malicious operations.
## Technical Details
- Type: Tool (Framework/Kit)
- Platform: Web/Internet communication channels (mentioned specifically in the context of making phishing pages appear legitimate across platforms)
- Capabilities: Circumventing anti-phishing controls, rapid domain rotation.
- First Seen: Not specified in the provided text.
## MITRE ATT&CK Mapping
The core activity described relates to social engineering and the execution environment:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Conceptually related to delivering the lure)
- T1566.002 - Spearphishing Link (Directly applicable to URL-based attacks)
*Note: Since LinkedIn DMs are the channel, T1566.004 (Phishing: Spearphishing Link via Social Media) is highly relevant, though not explicitly detailed as a separate sub-technique in the standard matrix.*
## Functionality
### Core Capabilities
- Bypassing security analysis by employing an array of undisclosed methods.
- Defeating anti-phishing controls that rely on inspecting webpages or analyzing web traffic.
### Advanced Features
- Enabling rapid rotation of phishing domains to stay ahead of blocking/sinkholing efforts ("game of whack-a-mole").
## Indicators of Compromise
- File Hashes: N/A (Kit capability focus, not specific malware hashes)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Variable phishing domains used by the kits.
- Behavioral Indicators: Rapid changes in hosting infrastructure associated with known phishing campaigns.
## Associated Threat Actors
- Not explicitly named, but implied to be actors utilizing scalable, modern phishing infrastructure.
## Detection Methods
- Signature-based detection: Ineffective against rapidly rotated domains.
- Behavioral detection: Necessary to detect the pattern of rapid domain replacement.
- YARA rules: N/A
## Mitigation Strategies
- **Prevention measures:** Implementing security solutions capable of inspecting web traffic beyond traditional email gateways.
- **Hardening recommendations:** Enhancing browser security controls and ensuring traffic inspection is active on endpoints used for accessing social media platforms.
## Related Tools/Techniques
- Generic Phishing Frameworks
- Domain Generation Algorithms (DGAs) used for fast domain cycling.
---
# Technique: Phishing over Non-Email Channels (Social Media/Messaging)
## Overview
The technique involves shifting social engineering attacks away from traditional email to other communication platforms such as LinkedIn, messenger apps, and search engines. This targets high-value individuals (executives) often using corporate devices but outside the scope of email security monitoring.
## Technical Details
- Type: Technique
- Platform: LinkedIn, Social Media, Messaging Apps, Search Engines.
- Capabilities: Bypassing email security tools, leveraging existing trust networks on social platforms, targeting business accounts (e.g., Microsoft Entra, Google Workspace) via these side channels.
- First Seen: The article implies this is a recent, increasing trend ("1 in 3 phishing attacks now taking place over non-email channels").
## MITRE ATT&CK Mapping
This technique maps directly to Phishing, but emphasizes the non-email delivery vector.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.004 - Phishing: Spearphishing Link via Social Media (Most applicable)
## Functionality
### Core Capabilities
- Delivering malicious links or lures directly to targeted individuals via direct messaging (DMs) on platforms like LinkedIn.
- Exploiting the perception that these channels are "personal" and thus less scrutinized by corporate security.
### Advanced Features
- **Spear-phishing against executives:** Tailoring messages specifically for high-value targets.
- **Bypassing email security:** Completely sidestepping primary phishing protections (DMARC, gateway scanning).
- **Leveraging compromised accounts:** Taking over legitimate accounts (often lacking MFA) to launch attacks with inherent user trust.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the delivery mechanism)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Malicious URLs shared via DMs (which rotate rapidly).
- Behavioral Indicators: Unsolicited connection requests followed by immediate link sharing; messages originating from accounts with recent, suspicious activity (if account takeover occurred).
## Associated Threat Actors
- Not specified, but generally associated with financially motivated or state-sponsored groups targeting corporate credentials/data.
## Detection Methods
- Signature-based detection: Limited, as it relies on blocking specific URLs communicated via DM.
- Behavioral detection: Essential; monitoring communication patterns on social platforms used for business purposes.
- YARA rules: N/A
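The two behavioral patterns this report calls for (a link sent shortly after a connection is accepted, and rapid rotation of the domains a sender shares) can be checked over a social-platform audit feed. This is an added example, not code from the original report; the event format, account names, domains and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events: (timestamp, actor, event, target, url). Not real data.
EVENTS = [
    ("2024-03-01T09:00:00", "acct-a", "connect_accepted", "cfo", None),
    ("2024-03-01T09:04:00", "acct-a", "dm", "cfo", "https://login-portal-one.example/auth"),
    ("2024-03-01T11:30:00", "acct-a", "dm", "cfo", "https://login-portal-two.example/auth"),
    ("2024-03-02T08:15:00", "acct-a", "dm", "cfo", "https://login-portal-three.example/auth"),
    ("2024-03-01T10:00:00", "acct-b", "connect_accepted", "cto", None),
    ("2024-03-05T10:00:00", "acct-b", "dm", "cto", "https://docs.example/report"),
]

LINK_AFTER_CONNECT = timedelta(minutes=30)  # assumed threshold: link within 30 min of connecting
ROTATION_WINDOW = timedelta(hours=48)       # assumed window for counting distinct domains
ROTATION_MIN_DOMAINS = 3                    # assumed: 3+ distinct domains in the window is suspicious

def analyze(events):
    """Return {actor: [reasons]} for senders matching either behavioral pattern."""
    by_actor = defaultdict(list)
    for ts, actor, kind, target, url in sorted(events, key=lambda e: e[0]):
        by_actor[actor].append((datetime.fromisoformat(ts), kind, target, url))
    findings = {}
    for actor, evs in by_actor.items():
        reasons = []
        # when this actor's connection to each target was accepted
        connects = {t: ts for ts, k, t, _ in evs if k == "connect_accepted"}
        # every DM carrying a URL, reduced to (time, target, hostname)
        links = [(ts, t, urlparse(u).hostname) for ts, k, t, u in evs if k == "dm" and u]
        # Pattern 1: a link sent to a target soon after the connection was accepted
        for ts, target, host in links:
            if target in connects and ts - connects[target] <= LINK_AFTER_CONNECT:
                mins = int((ts - connects[target]).total_seconds() // 60)
                reasons.append(f"link to {target} {mins} min after connecting")
                break
        # Pattern 2: rapid domain rotation across the links this actor sent
        for i, (start, _, _) in enumerate(links):
            hosts = {h for ts, _, h in links[i:] if ts - start <= ROTATION_WINDOW}
            if len(hosts) >= ROTATION_MIN_DOMAINS:
                reasons.append(f"{len(hosts)} distinct domains within {ROTATION_WINDOW}")
                break
        if reasons:
            findings[actor] = reasons
    return findings

if __name__ == "__main__":
    for actor, reasons in analyze(EVENTS).items():
        print(actor, "->", "; ".join(reasons))
```

Only acct-a is flagged in the sample: it sends a link four minutes after connecting and cycles through three domains within two days, while acct-b's single link days after connecting matches neither pattern.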
## Mitigation Strategies
- **Prevention measures:** Implementing security controls that extend visibility/scanning capabilities to corporate mobile devices used for accessing social media apps.
- **Hardening recommendations:** Mandating MFA across all "personal" applications used on corporate devices (e.g., LinkedIn). Enhancing user training specifically on social media threats.
- **Response:** Developing procedures for immediate response to successful social media phishing (e.g., locking down accessed corporate accounts if credentials were stolen).
## Related Tools/Techniques
- Account Takeover (T1078.004) - Crucial for maintaining credibility during the attack.
- Malicious Profile Creation (T1583.001 - Acquiring infrastructure used to set up deceptive profiles).