Prioritizing MITRE ATT&CK Techniques for Phishing Defense

6 minute read

  • Yannay Mizrachi
Adobe Firefly: photorealistic image of an office where people with human bodies and fish heads are sitting at their computers to represent the cybersecurity term phishing

The first in a series looking at where security teams can understand the most commonly exploited gaps in defenses and how they can use their existing security tools to defend against real-world threats.

By Yannay Mizrachi – Security Researcher

Overview: What is a MITRE ATT&CK Technique?

In the MITRE ATT&CK Matrix for Enterprise, techniques describe the methods an adversary uses to achieve a tactical objective through specific actions. With over 200 techniques and 435 sub-techniques, how should security teams prioritize them?

MITRE ATT&CK Technique Prioritization 

To help customers decide what techniques to prioritize, Nagomi analyzed the techniques used most frequently in groups and campaigns. We then cross-referenced the techniques, groups, and campaigns against defenses to pinpoint where security teams can make the most impact. Leveraging our vast dataset encompassing hundreds of campaigns and monitoring millions of assets, the analysis calculates and prioritizes techniques rooted in real-world threats coupled with insights into tool underutilization.  

Top MITRE ATT&CK Techniques with the Largest Security Tool Underutilization

Here are the most frequently used techniques with the biggest tool underutilization in cybersecurity today:

  1. Phishing
  2. Remote services
  3. Valid accounts
  4. OS credential dumping
  5. Command and scripting interpreter

Phishing: The #1 Most Frequently Used MITRE ATT&CK Technique with the Largest Security Tool Underutilization

What is Phishing in MITRE ATT&CK Terminology?

Adversaries utilize phishing to gain unauthorized access to victim systems. This method involves sending deceptive communications, either broadly distributed or targeted. The phishing messages might contain malicious attachments or links intended to execute harmful code. Phishing often leverages trusted platforms like social media, and employs techniques such as email format manipulations or sender identity spoofing to evade detection. Victims may also be instructed to engage in actions like visiting malicious URLs or installing remote access tools through directed phone calls. These tactics are designed to compromise security both at an individual and a system-wide level.

Phishing as a MITRE ATT&CK Tactic for Initial Access

Initial Access involves techniques adversaries use to enter a network. They might gain their first foothold by Spearphishing or Pharming. Once inside, this access can lead to more persistent control.

Example Group Using Phishing: Black Basta 

Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that first emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world. Black Basta uses common initial access such as phishing. For more information about Black Basta, read the Nagomi blog post: What is Black Basta?

The Phishing Capabilities Screen in the Nagomi Platform

3 Approaches to Defend Against Phishing Using Existing Security Tools 

The following section outlines three ways to improve your defense against phishing using the tools you may already have. For each, we’ll start by describing the defensive mechanism and we’ll then use a detailed example. 

A. Defending Against Phishing with Email Security Awareness Training

By performing Security Awareness Training, you can raise employees’ awareness of security risks such as phishing, social engineering, and other techniques that involve user interaction. The above is known to be one of the top causes of successful phishing attempts and therefore should be prioritized. This helps users identify and avoid potential threats, reducing the likelihood of successful attacks.

Feature: Bi-Weekly Phishing Security Testing

Performing a phishing security test enhances users’ security awareness and their ability to identify phishing attempts. The recommended frequency for conducting phishing security tests is once every two weeks, which provides better results than conducting tests once a month as it keeps users alert and aware of phishing attacks.

Example:  Using Knowbe4 KMSAT

Go to your KMSAT console and navigate to Phishing+Create Phishing Campaign.

  1. On the New Phishing Campaign page, you can customize your phishing campaign in any way you like, however make sure to select the frequency option of Bi-Weekly.
  2. Click Create Campaign to save your changes.
The Email Security Awareness Training Capability in the Nagomi Platform

B. Defending Against Phishing with Multi-Factor Authentication (MFA)

By enabling Multi-Factor Authentication (MFA), you can deter hackers from accessing accounts, even if they have the username and password. This significantly boosts your security by adding an extra layer of defense against phishing, making it more difficult for attackers to bypass.

Feature: Enable Multi-Factor Authentication (MFA) 

Setting up MFA service settings and enabling MFA for all accounts (excluding emergency and service accounts).

Example: Using Microsoft Entra

  1. Sign into the Microsoft Entra Admin Center with Conditional Access Administrator role.
  2. Go to Protection > Conditional Access and click ‘Create new policy‘.
  3. Name your policy according to your organization’s standards.
  4. Under Assignments, select ‘All Users’, excluding your organization’s emergency accounts.
  5. For Target resources, include ‘All Cloud Apps’, excluding those not needing MFA.
  6. In Access controls, set to ‘Grant access’ and require multi factor authentication.
  7. Confirm settings, start with ‘Enable policy’ set to ‘Report-only’, then create the policy.
  8. After testing in report-only mode, change ‘Enable policy’ to ‘On’ to fully implement the policy.
  9. For exclusion recommendation and more information read here.
The Multi-Factor Authenticator (MFA) Capability in the Nagomi Platform

C. Defending Against Phishing Using Email Authentication Protocols

By configuring Email Authentication Protocols, you can prevent hackers from sending emails that appear to come from your domain, protecting users from phishing attacks and maintaining the integrity and trustworthiness of your domain. These protocols verify the sender’s identity, ensuring that the received emails are genuinely from the claimed source and haven’t been modified during transit.

Feature: SPF Record – ‘all’ Mechanism 

Sender Policy Framework (SPF) authenticates email senders. By setting an SPF record – a DNS TXT record listing authorized IP addresses – Internet Service Providers can confirm that a mail server is permitted to send emails for a domain. SPF is crucial for verifying authorized email infrastructures and offers significant benefits when implemented.

The ‘all’ parameter in SPF records is a catch-all mechanism. Its importance is determined by its prefix:

  • +all allows any server to send emails which is not the recommended configuration
  • ?all is neutral and doesn’t influence the decision of authorizing servers
  • ~all indicates a soft fail, suggesting some emails might not align with the policy but can be accepted
  • -all denotes a strict fail, allowing only specified servers to send mail for the domain, offering the strongest protection against email spoofing

Example: Optimizing ‘all’ Mechanism in SPF Records

The correct use of the all qualifier is vital for effective SPF security. To enhance email security, configure the ‘all’ mechanism in your SPF (Sender Policy Framework) record in the most optimized way, ensuring that it aligns with the domain’s email security requirements. Avoid using ‘+all’ qualifier, which allows any server to send emails. Consider using ‘-all’ qualifier for strict email authentication.

The Email Authentication Protocol Capability in the Nagomi Platform


In conclusion, understanding and prioritizing MITRE ATT&CK techniques, especially in combating phishing attacks, is paramount in fortifying defenses against real-world threats. By analyzing the most frequently exploited gaps and cross-referencing them with existing security tools, Nagomi provides invaluable insights into where security teams can make the most significant impact.

Phishing, as the most frequently used MITRE ATT&CK technique with significant tool underutilization, poses a substantial risk to organizations. Its insidious nature, coupled with the myriad of tactics employed by adversaries, necessitates a robust defense strategy.

Through examples such as the Black Basta ransomware group and actionable defense mechanisms like Security Awareness Training, Multi-Factor Authentication (MFA), and Email Authentication Protocols, organizations can bolster their resilience against phishing attacks using their existing security infrastructure.

As we continue this series, we’ll delve deeper into other MITRE ATT&CK techniques, equipping security teams with the knowledge and tools needed to stay one step ahead of evolving threats. With a proactive approach and leveraging the capabilities of existing security tools, we can effectively close the most urgent and exploited gaps, safeguarding our digital assets and maintaining the integrity of our systems.

To see how Nagomi can help you maximize the effectiveness of your tools, check out the Nagomi Proactive Defense Platform or book a demo


Cybersecurity News, Nagomi News

More like this
nagomi infrared


Leading the Charge in Proactive Security, Nagomi Security Joins Elite Ranks of Cloud Infrastructure Innovators

FacebookLinkedInTweetEmail Nagomi Security, the leader in proactive security and threat exposure management, proudly announces its inclusion ...

Read the post: Leading the Charge in Proactive Security, Nagomi Security Joins Elite Ranks of Cloud Infrastructure Innovators
nagomi infrared 100


Heavy Hitter: Nagomi Named to Redpoint’s InfraRed 55 Days After Emerging from Stealth

FacebookLinkedInTweetEmail Since emerging from stealth in April, Nagomi Security has swiftly captured attention as one of ...

Read the post: Heavy Hitter: Nagomi Named to Redpoint’s InfraRed 55 Days After Emerging from Stealth


This Week in Cybersecurity News: New York Times Olympic Auto Parts Edition

FacebookLinkedInTweetEmail NYT source code leaks, Advance Auto Parts customer data for sale, Frontier warns of data ...

Read the post: This Week in Cybersecurity News: New York Times Olympic Auto Parts Edition