Internal Spearphishing

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is a multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phishing attempts, often incorporating Impersonation.[1]

For example, adversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic login interfaces.

Adversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.[2]

ID: T1534
Sub-techniques: No sub-techniques
Platforms: Linux, Office Suite, SaaS, Windows, macOS
Contributors: Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC); Tim MalcomVetter
Version: 1.4
Created: 04 September 2019
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
G0047 Gamaredon Group

Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.[3]

G1001 HEXANE

HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.[4]

G0094 Kimsuky

Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.[5]

G0065 Leviathan

Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.[6]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group conducted internal spearphishing from within a compromised organization.[7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID: DET0054
Name: Internal Spearphishing via Trusted Accounts

Analytics:

AN0147: Sequence of internal email sent from a recently compromised user account (preceded by abnormal logon or device activity), with attachments or links leading to execution or credential harvesting. Defender observes: internal mail delivery to peers with high-entropy attachments, followed by click events, process initiation, or credential prompts.

AN0148: Delivery of suspicious internal communication (e.g., Thunderbird, Evolution) using compromised internal accounts. Sequence of: unexpected user activity + mail transfer logs + download or execution of attachments.

AN0149: Abnormal Apple Mail use, including internal email relays followed by file execution or script events (e.g., attachments launched via Preview, terminal triggered from Mail.app).

AN0150: Internal spearphishing via SaaS applications (e.g., Slack, Teams, Gmail): message sent from a compromised user with an attachment or URL, followed by click and credential access behavior.

AN0151: Outlook or Word used to forward suspicious internal attachments with macro content. Defender observes attachment forwarding, auto-opening behaviors, or macro prompt interactions.
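The analytics above describe a chain of events rather than a single indicator: an anomalous logon, then internal mail from that account carrying a high-entropy attachment or a link, then a recipient executing the attachment or clicking the link. The following is an added example, not part of the ATT&CK page or any vendor's detection content, showing how such a chain can be correlated over a constructed, pipe-delimited event stream. The event kinds (LOGON, MAIL_SENT, ATTACH_EXEC, URL_CLICK), the internal domain corp.example, the two-hour window and the 7.0 bits-per-byte entropy threshold are all assumptions chosen for the illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Assumed internal mail domain (placeholder for the illustration).
INTERNAL_DOMAIN = "corp.example"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; compressed or encrypted content sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_event(line: str) -> dict:
    """Parse one line of the constructed format: <ISO timestamp>|<KIND>|<actor>|key=value ..."""
    ts, kind, actor, rest = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "kind": kind, "actor": actor, **fields}


def detect_internal_spearphishing(lines, attachments, window=timedelta(hours=2),
                                  entropy_threshold=7.0):
    """Correlate the three stages of the AN0147-style chain and return one alert
    per (sender, recipient, message) where a recipient executed or clicked."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    anomalous_logon = {}  # user -> time of the most recent flagged logon
    candidate = {}        # msgid -> internal send that followed a flagged logon
    alerts = []
    for e in events:
        if e["kind"] == "LOGON" and e.get("new_device") == "true":
            anomalous_logon[e["actor"]] = e["ts"]
        elif e["kind"] == "MAIL_SENT":
            logon_ts = anomalous_logon.get(e["actor"])
            if logon_ts is None or e["ts"] - logon_ts > window:
                continue  # no preceding anomaly: treat as ordinary mail
            if not e.get("to", "").endswith("@" + INTERNAL_DOMAIN):
                continue  # external delivery is outside this technique
            risky = "url" in e
            att = e.get("attachment")
            if att is not None and shannon_entropy(attachments.get(att, b"")) >= entropy_threshold:
                risky = True
            if risky:
                candidate[e["msgid"]] = e
        elif e["kind"] in ("ATTACH_EXEC", "URL_CLICK"):
            send = candidate.get(e.get("msgid"))
            if send and e["ts"] - send["ts"] <= window:
                alerts.append({"sender": send["actor"], "recipient": e["actor"],
                               "msgid": send["msgid"], "stage": e["kind"]})
    return alerts


# Constructed sample telemetry; none of these are real log lines.
SAMPLE_LINES = [
    "2025-10-24T08:01:12Z|LOGON|alice|src=203.0.113.7 new_device=true",
    "2025-10-24T08:14:40Z|MAIL_SENT|alice|to=bob@corp.example msgid=m1 attachment=invoice.zip",
    "2025-10-24T08:20:03Z|ATTACH_EXEC|bob|msgid=m1 file=invoice.zip image=powershell.exe",
    "2025-10-24T09:02:11Z|MAIL_SENT|carol|to=dave@corp.example msgid=m2 attachment=notes.txt",
    "2025-10-24T09:05:30Z|ATTACH_EXEC|dave|msgid=m2 file=notes.txt image=notepad.exe",
    "2025-10-24T09:10:00Z|MAIL_SENT|alice|to=vendor@example.net msgid=m3 url=https://example.net/x",
]
SAMPLE_ATTACHMENTS = {
    "invoice.zip": bytes(range(256)) * 4,  # uniform byte distribution: entropy 8.0
    "notes.txt": b"meeting moved to 3pm, see you there\n" * 10,  # low-entropy text
}

if __name__ == "__main__":
    for alert in detect_internal_spearphishing(SAMPLE_LINES, SAMPLE_ATTACHMENTS):
        print(alert)
```

Run on the sample, only the alice-to-bob message produces an alert: carol's mail has no preceding anomalous logon and a low-entropy attachment, and alice's third message leaves the organization. Requiring the recipient-side execution or click stage before alerting keeps the rule quiet on the many internal mails that never get acted on; a lower-severity signal on the send stage alone is a reasonable second tier if the volume is manageable.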

References