ATT&CK-CN V1.01 Last Update: 2019-11 [返回索引页]

译者: 林妙倩、戴亦仑 原创翻译作品,如果需要转载请取得翻译作者同意。

数据来源:ATT&CK Matrices


术语表: /attack/glossary




曾发生过使用内部鱼叉式鱼雷的显着事件。“ Eye Pyramid”使用带有恶意附件的网络钓鱼电子邮件在受害者之间横向移动,在此过程中破坏了将近18,000个电子邮件帐户。 叙利亚电子军(SEA)在英国《金融时报》入侵了电子邮件帐户,以窃取其他帐户凭据。金融时报获悉该攻击并开始警告员工该威胁后,SEA发送了仿冒金融时报IT部门的网络钓鱼电子邮件,并能够危害更多用户。

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.

Adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process. The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.


ID编号: T1534

策略: 横向运动

平台: Windows,macOS,Linux,Office 365,SaaS

所需权限: user

数据源: SSL/TLS检查,DNS记录,防病毒,Web代理,文件监视,邮件服务器,Office 365跟踪日志



his type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.



Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks