Phishing is the delivery of a social-engineering attack through electronic means: the attacker impersonates a trusted source to induce the victim into performing a malicious action. Typical forms include malicious attachment delivery, luring with fraudulent links, and abuse of third-party services. Traditional defenses rely mainly on mail-gateway filtering, URL reputation analysis and attachment sandboxing, blocking on dimensions such as sender-forgery indicators, associations with malicious domains, and document macro signatures. As attackers' evasion techniques have advanced, however, a defense built on static rule matching faces serious challenges.
To get past traditional detection, modern phishing has evolved into a multi-dimensional system of stealth techniques. Its core shift is to embed the attack deep within legitimate business workflows and to make it "invisible" through dynamic mutation, environment adaptation and resource distribution. Attackers no longer pursue large-scale bulk delivery; they have moved to a targeted, persistent and covert advanced phishing paradigm, building concealed attack chains adapted to modern defenses.
Current phishing stealth techniques break through along three main directions. First, real-time content generation removes the stability of attack features, so that every phishing attack is unique in file hash, text content and link structure and signature-database detection no longer matches. Second, attackers parasitize the business flows of trusted platforms as attack middleware, for instance using the OAuth authorization mechanism of legitimate social platforms to bypass traditional detection channels and hiding malicious operations inside encrypted API traffic. Third, they build distributed attack infrastructure, using globally coordinated nodes and low-density attack pacing to decompose the traditional centralized phishing campaign into fragmented, long-period discrete events. What these three classes share is that they abandon the traditional paradigm of protocol-layer evasion and instead construct the attack surface at the business-logic layer: through "legitimization" the malicious behavior gains surface compliance, while the complexity of modern Internet services is used to create detection blind spots.
The evolution of stealth techniques forces defenses to move toward behavior analysis and context awareness. A static defense model based on single-point feature detection can no longer cope with dynamic, distributed phishing; defenders need multi-dimensional correlation across mail flow, API access and user behavior, combined with real-time threat-intelligence sharing, to monitor and block the concealed phishing attack chain across its whole life cycle.
| Effect type | Present |
|---|---|
| Feature masquerading | ✅ |
| Behavior transparency | ✅ |
| Data obscuring | ✅ |
| Spatio-temporal trace dispersal | ✅ |
Attackers use deep forgery to imitate the features of legitimate business entities, including exact replication of corporate email templates, theft of the identities of certified social-media applications, and dynamic generation of phishing content that matches the target's business context. In an OAuth hijacking attack, for example, the phishing page is hosted entirely under an allow-listed domain of the social platform, and its visual elements are pixel-for-pixel identical to the platform's official interface, fusing the phishing carrier's features with those of the legitimate service.
Attacks are carried out by abusing the standard business flows of modern Internet services: for example, the standard OAuth authorization flow of a social platform is used to steal access tokens, or the legitimate file-sharing feature of a cloud storage service is used to deliver a malicious payload. Because these techniques fully follow the target platform's business conventions, traditional anomaly-based detection, which looks for operations that deviate from normal patterns, has difficulty identifying them.
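One control a defender can build around the OAuth consent abuse described above, as an added example that is not part of the original page: an audit over identity-provider consent-grant events that flags high-risk scopes granted to unapproved applications, and applications that collect consent from several distinct users inside a short window. The event fields, scope names, application identifiers and thresholds are constructed assumptions, not any particular provider's schema.

```python
"""Audit of third-party OAuth consent grants over constructed events.

Added example, not part of the original page. The event fields, the
high-risk scope list, the approved-app list and the burst window are
assumptions modelled on what an identity provider's consent log exposes.
"""
from collections import defaultdict

# Assumption: scopes that give a third party durable mailbox/file access.
HIGH_RISK_SCOPES = {"offline_access", "mail.read", "mail.send",
                    "files.readwrite.all", "contacts.read"}
APPROVED_APPS = {"app-crm-0001"}  # assumption: apps vetted by IT

# Constructed consent-grant events (ts = seconds, arbitrary epoch).
CONSENT_EVENTS = [
    {"ts": 100, "user": "alice", "app_id": "app-crm-0001", "publisher_verified": True,
     "scopes": ["mail.read", "offline_access"]},
    {"ts": 110, "user": "bob",   "app_id": "app-share-9z", "publisher_verified": False,
     "scopes": ["files.readwrite.all", "offline_access"]},
    {"ts": 115, "user": "carol", "app_id": "app-share-9z", "publisher_verified": False,
     "scopes": ["files.readwrite.all", "offline_access"]},
    {"ts": 120, "user": "dave",  "app_id": "app-notes-77", "publisher_verified": True,
     "scopes": ["profile", "openid"]},
]


def risky_grants(events):
    """Grants to non-approved apps that request at least one high-risk scope."""
    out = []
    for e in events:
        risky = sorted({s.lower() for s in e["scopes"]} & HIGH_RISK_SCOPES)
        if risky and e["app_id"] not in APPROVED_APPS:
            out.append({"user": e["user"], "app_id": e["app_id"],
                        "risky_scopes": risky,
                        "publisher_verified": e["publisher_verified"]})
    return out


def consent_bursts(events, window=60, min_users=2):
    """Apps that gather consent from several distinct users within `window`
    seconds: the footprint left when one consent link reaches many targets."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app[e["app_id"]].append(e)
    flagged = {}
    for app, es in by_app.items():
        for i, first in enumerate(es):  # slide the window from each event
            users = {x["user"] for x in es[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[app] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for g in risky_grants(CONSENT_EVENTS):
        print("risky grant:", g)
    print("consent bursts:", consent_bursts(CONSENT_EVENTS))
```

Both checks run entirely on the provider's consent log, so they do not depend on seeing the phishing message itself; that is the point of auditing the business flow the attacker rides on rather than the delivery channel.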
End-to-end encrypted communication hides attack traces: phishing pages are served over HTTPS, malicious code is hosted in encrypted attachments, and sensitive operation commands are encrypted inside API traffic. In distributed low-density attacks, attackers also encrypt the command-and-control channel through the Tor network or commercial VPN services, cutting off the defender's traffic-analysis attempts.
A globally distributed botnet is used to shard attack tasks, breaking the traditionally high-density phishing campaign into low-frequency, multi-region discrete events. The number of malicious messages received by any single mail gateway stays below the detection threshold, and the attacking source IPs are spread across different jurisdictions, so detection algorithms based on spatio-temporal clustering struggle to correlate the events.
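The defender-side counterpart to the low-density pacing described above, as an added example that is not part of the original page: a per-gateway count never crosses its threshold, while pooling deliveries from every gateway and grouping them on the shape of the lure URL surfaces the campaign. The delivery records, the field names, the threshold and the URL-template rule are all constructed assumptions.

```python
"""Cross-gateway correlation of a low-and-slow phishing campaign.

Added example, not part of the original page. The delivery records below
are constructed, as several regional mail gateways might export them;
the per-gateway threshold and the URL-template rule are assumptions.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records: one per delivered message. No gateway sees more than two.
DELIVERIES = [
    {"gateway": "gw-eu", "day": 1, "src_ip": "203.0.113.10",
     "from_dom": "invoice-portal.example", "url": "https://cdn-share.example/f/a1b2?u=alice"},
    {"gateway": "gw-us", "day": 3, "src_ip": "198.51.100.7",
     "from_dom": "billing-notice.example", "url": "https://cdn-share.example/f/c3d4?u=bob"},
    {"gateway": "gw-ap", "day": 6, "src_ip": "192.0.2.55",
     "from_dom": "payments-team.example", "url": "https://cdn-share.example/f/e5f6?u=carol"},
    {"gateway": "gw-eu", "day": 9, "src_ip": "203.0.113.77",
     "from_dom": "invoice-portal.example", "url": "https://cdn-share.example/f/0a0b?u=dave"},
    {"gateway": "gw-us", "day": 2, "src_ip": "198.51.100.9",
     "from_dom": "partner.example", "url": "https://docs.partner.example/q4-report"},
]

PER_GATEWAY_THRESHOLD = 3  # assumed alerting threshold of a single gateway


def per_gateway_alerts(records, threshold=PER_GATEWAY_THRESHOLD):
    """Single-point detection: alert only when one gateway alone reaches the
    threshold. Returns the alerting gateways (none for the sample above)."""
    counts = defaultdict(int)
    for r in records:
        counts[r["gateway"]] += 1
    return sorted(g for g, n in counts.items() if n >= threshold)


def url_template(url):
    """Collapse per-victim variation: keep host and path, wildcard the last
    path segment (the per-target token) and drop the query string."""
    p = urlparse(url)
    parts = [seg for seg in p.path.split("/") if seg]
    if parts:
        parts[-1] = "*"
    return p.hostname + "/" + "/".join(parts)


def correlate_campaigns(records, min_gateways=2):
    """Pool all gateways' records and group them by URL template. A template
    seen from several gateways is a candidate campaign even though no single
    gateway crossed its own threshold."""
    groups = defaultdict(list)
    for r in records:
        groups[url_template(r["url"])].append(r)
    campaigns = {}
    for tmpl, rs in groups.items():
        gws = {r["gateway"] for r in rs}
        if len(gws) >= min_gateways:
            days = [r["day"] for r in rs]
            campaigns[tmpl] = {
                "messages": len(rs),
                "gateways": sorted(gws),
                "span_days": max(days) - min(days),
                "sender_domains": sorted({r["from_dom"] for r in rs}),
            }
    return campaigns


if __name__ == "__main__":
    print("per-gateway alerts:", per_gateway_alerts(DELIVERIES))
    for tmpl, info in correlate_campaigns(DELIVERIES).items():
        print(tmpl, info)
```

The grouping key is deliberately not the sender domain or source IP, since both rotate per message in the sample; the stable element is the hosting pattern the lure links share, which is what the attacker cannot cheaply vary.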
| ID | Name | Description |
|---|---|---|
| G0001 | Axiom | Axiom has used spear phishing to initially compromise victims.[1][2] |
| G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has conducted malicious spam (malspam) campaigns to gain access to victims' machines.[3] |
| S0009 | Hikit | |
| G1032 | INC Ransom | INC Ransom has used phishing to gain initial access.[4][5] |
| S1139 | INC Ransomware | INC Ransomware campaigns have used spearphishing emails for initial access.[5] |
| S1073 | Royal | Royal has been spread through the use of phishing campaigns including "call back phishing" where victims are lured into calling a number provided through email.[6][7][8] |
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Anti-virus can automatically quarantine suspicious files. |
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1031 | Network Intrusion Prevention | Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity. |
| M1021 | Restrict Web-Based Content | Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. |
| M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[9][10] |
| M1017 | User Training | Users can be trained to identify social engineering techniques and phishing emails. |
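The M1054 mechanisms in the table above, worked as an added example that is not part of the original page or of ATT&CK: a simplified DMARC evaluator that checks SPF and DKIM identifier alignment against a DMARC record and shows how `p=none` versus `p=reject`, and relaxed versus strict alignment, change the outcome for a spoofed message, a forwarded legitimate message and an unsigned subdomain sender. The records and messages are constructed; no DNS is queried, and the organizational domain is approximated as the last two labels.

```python
"""Simplified DMARC evaluation over constructed records.

Added example, not part of the original page or of ATT&CK. No DNS is
queried: the DMARC TXT records and each message's SPF/DKIM results are
constructed inline, and the organizational domain is approximated as the
last two labels (real evaluators consult the public suffix list).
"""

DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def evaluate(msg, dmarc_txt):
    """Return (dmarc_pass, disposition) for a message dict with keys
    from_domain, spf_result, spf_domain, dkim_result, dkim_domain.
    DMARC passes when SPF or DKIM passes *and* its domain aligns with From."""
    tags = parse_dmarc(dmarc_txt)
    spf_ok = (msg["spf_result"] == "pass"
              and aligned(msg["spf_domain"], msg["from_domain"], tags["aspf"]))
    dkim_ok = (msg["dkim_result"] == "pass"
               and aligned(msg["dkim_domain"], msg["from_domain"], tags["adkim"]))
    passed = spf_ok or dkim_ok
    return passed, "deliver" if passed else DISPOSITIONS[tags["p"]]


# Constructed DMARC records for the From domain corp.example.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"
HARDENED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@corp.example"

# Constructed messages.
SPOOFED = {  # From claims corp.example, but SPF and DKIM vouch for another domain
    "from_domain": "corp.example",
    "spf_result": "pass", "spf_domain": "bulk-sender.example",
    "dkim_result": "pass", "dkim_domain": "bulk-sender.example",
}
LEGIT = {  # SPF broke in transit (forwarding); DKIM signed by the From domain survives
    "from_domain": "corp.example",
    "spf_result": "fail", "spf_domain": "corp.example",
    "dkim_result": "pass", "dkim_domain": "corp.example",
}
SUBDOMAIN_SENDER = {  # unsigned mail from a subdomain: relaxed SPF aligns, strict does not
    "from_domain": "corp.example",
    "spf_result": "pass", "spf_domain": "mail.corp.example",
    "dkim_result": "none", "dkim_domain": "",
}

if __name__ == "__main__":
    cases = (("spoofed", SPOOFED), ("legit", LEGIT), ("subdomain", SUBDOMAIN_SENDER))
    for name, msg in cases:
        for label, record in (("p=none", WEAK_RECORD), ("p=reject strict", HARDENED_RECORD)):
            print(f"{name:10} under {label:16}: {evaluate(msg, record)}")
```

The subdomain case is the rollout caveat: moving straight to `p=reject` with strict alignment rejects legitimate senders that only pass SPF from a subdomain, unless they also DKIM-sign at the organizational domain. Publishing `p=none` with `rua` reporting first shows which senders would be affected before enforcement is turned on.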
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[9][10] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. |
| DS0022 | File | File Creation | Monitor for newly constructed files from phishing messages to gain access to victim systems. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[9][10] |
| DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
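The header analysis and URL inspection called out under DS0015, worked as an added example that is not part of the original page or of ATT&CK: it parses a constructed message, checks display-name and Reply-To consistency, reads the gateway's Authentication-Results header, and inspects body URLs for shorteners (which a detonation chamber would expand) and internationalized look-alike hosts. The protected-domain list, shortener list and homoglyph folding table are assumptions.

```python
"""Header and URL inspection of a constructed phishing-style message.

Added example, not part of the original page or of ATT&CK. The message,
the protected brand domains, the shortener list and the homoglyph folding
table are all constructed; a real deployment would feed gateway messages
in and expand shortened links inside a detonation sandbox, not inline.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"corp.example"}  # assumption: our own brand domains
SHORTENERS = {"short.example"}        # assumption: known URL shorteners
# Folds applied before comparing a host with the protected list: a few
# digit/letter substitutions plus Cyrillic letters that resemble Latin ones.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
         ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c")]


def normalize_host(host):
    """Decode punycode labels and fold look-alike characters."""
    h = host.lower()
    if "xn--" in h:
        try:
            h = h.encode("ascii").decode("idna")
        except UnicodeError:
            return h  # undecodable label: compare it as given
    for src, dst in FOLDS:
        h = h.replace(src, dst)
    return h


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def inspect_message(raw):
    """Return a list of (finding, evidence) tuples for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # 1. Display name borrows a protected brand while the address domain differs.
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in name.lower() and from_dom != brand:
            findings.append(("display_name_mismatch", addr))
    # 2. Reply-To routes replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(("reply_to_divergence", reply))
    # 3. Gateway-stamped SPF/DKIM/DMARC results other than pass.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append((f"{mech}_{m.group(1)}", auth))
    # 4. Body URLs: shorteners need expansion; look-alike hosts are lures.
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            findings.append(("shortened_link", url))
        elif host not in PROTECTED_DOMAINS and normalize_host(host) in PROTECTED_DOMAINS:
            findings.append(("lookalike_domain", host))
    return findings


# Constructed sample: the login host is "corp.example" spelled with a Cyrillic 'о'.
IDN_HOST = "c\u043erp.example".encode("idna").decode("ascii")
RAW_MESSAGE = f"""From: "Corp IT Helpdesk" <helpdesk@bulk-sender.example>
Reply-To: verify@mailbox-relay.example
To: alice@corp.example
Subject: Password expiry notice
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bulk-sender.example; dkim=pass header.d=bulk-sender.example; dmarc=fail header.from=corp.example
Content-Type: text/plain

Your password expires today. Renew at https://{IDN_HOST}/login or https://short.example/x9Q
"""

if __name__ == "__main__":
    for kind, evidence in inspect_message(RAW_MESSAGE):
        print(f"{kind:24} {evidence}")
```

The folding table is deliberately aggressive (it maps `1` to `l`, for instance), so in practice it is paired with an allow-list of legitimate hosts; the point is that the comparison happens on the decoded, folded host rather than on the raw `xn--` label the user never sees.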