G0085: FIN4
FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]
Analyst context for executives and security teams
FIN4 matters because the ATT&CK description frames it as financially motivated and focused on confidential market-moving information, especially in healthcare and pharmaceutical contexts, without relying on typical persistent malware. The practical risk is not just endpoint compromise; it is unauthorized use of legitimate credentials to access email and non-public correspondence, which can bypass controls that are overly malware-centric.
Executive priority
Leaders should treat this as an identity, email, and sensitive-information protection problem. Priority questions include: can the organization prove who accessed executive, legal, finance, R&D, or deal-related mailboxes; are mailbox rule changes audited; and would incident response quickly revoke credentials, sessions, and tokens if a high-value mailbox were suspected compromised? This behavior also supports compliance evidence around access monitoring, privileged communications, and protection of confidential business information.
Technical view
ATT&CK provides no official detection text for FIN4, so defenders should validate coverage through the related techniques: spearphishing links and attachments, malicious link/file user execution, Visual Basic execution, credential capture through keylogging or GUI input capture, valid account abuse, remote email collection, email hiding rules, and web-protocol or multi-hop proxy command-and-control context. SOC teams should avoid relying only on malware alerts and should correlate email delivery, user clicks, identity sign-ins, mailbox access, inbox rule changes, and endpoint scripting activity.
Likely telemetry
- Email security gateway and phishing investigation logs for targeted links and attachments
- User-reported phishing and message trace data
- Identity provider authentication logs, including MFA, conditional access, source IP, device, and session context
- Mailbox audit logs for Exchange, Office 365, or Google Workspace access and search activity
- Inbox rule creation/modification/deletion events, especially rules that move, mark read, or delete mail
Detection direction
- Validate detections that join phishing delivery or click activity with subsequent unusual identity sign-ins and mailbox access.
- Tune mailbox monitoring for new or modified hiding rules, especially on executives, finance, legal, investor-relations, healthcare, pharmaceutical, or other sensitive correspondence roles where applicable.
- Hunt for valid-account activity from unusual locations, devices, user agents, or proxy infrastructure, while accounting for legitimate travel, VPN, and remote-work patterns.
- Review endpoint and email controls for document or script execution paths, including Visual Basic-related execution, rather than assuming malware persistence will be present.
- Use relationship context to prioritize correlation across initial access, execution, credential access, collection, stealth, and command-and-control techniques; no single event class is likely to be sufficient.
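The correlation the items above call for, as an added example that is not Glexia, MITRE or FireEye code: it joins constructed phishing-click, sign-in and inbox-rule events for the same user, flags rules that delete, move or mark-read mail (scoring higher when the subject filter targets words such as "hacked", "phish" or "malware"), and reports users who show both a click-to-unfamiliar-IP sign-in chain and a high-severity hiding rule. The event field names (`New-InboxRule`, `SubjectContainsWords`, `DeleteMessage` and the rest) are assumptions loosely modelled on Exchange Online audit records, not an exact schema, and all sample data is constructed.

```python
"""Joining phishing clicks, sign-ins and inbox-rule changes into one triage view.

Added example, not code from Glexia, MITRE or FireEye. The event dictionaries
below are constructed sample data; their field names are assumptions loosely
modelled on Exchange Online / Microsoft 365 audit records, not an exact schema.
"""
from datetime import datetime, timedelta

# Rule parameters that hide mail from the mailbox owner (assumed parameter names).
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# Subject-filter words that suggest a rule exists to suppress incident chatter,
# as the FIN4 description notes for "hacked", "phish" and "malware".
SECURITY_WORDS = {"hacked", "phish", "phishing", "malware", "compromised", "security"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-03-04T09:02:00", "type": "phish_click", "user": "cfo@corp.example",
     "url": "https://owa-login.example.invalid/"},
    {"ts": "2024-03-04T09:40:00", "type": "signin", "user": "cfo@corp.example",
     "ip": "203.0.113.7", "result": "success"},
    {"ts": "2024-03-04T09:55:00", "type": "inbox_rule", "user": "cfo@corp.example",
     "operation": "New-InboxRule",
     "params": {"SubjectContainsWords": "hacked;phish;malware", "DeleteMessage": "True"}},
    {"ts": "2024-03-04T10:10:00", "type": "signin", "user": "analyst@corp.example",
     "ip": "198.51.100.9", "result": "success"},
    {"ts": "2024-03-04T11:00:00", "type": "inbox_rule", "user": "analyst@corp.example",
     "operation": "New-InboxRule",
     "params": {"From": "newsletter@vendor.example", "MoveToFolder": "Newsletters"}},
]
# Constructed per-user baseline of sign-in source IPs.
KNOWN_IPS = {"cfo@corp.example": {"192.0.2.10"}, "analyst@corp.example": {"198.51.100.9"}}


def _when(event):
    return datetime.fromisoformat(event["ts"])


def hiding_rule_findings(events):
    """Return one finding per inbox rule that deletes, moves or marks mail read.

    Severity is 'high' when the subject filter targets security-related words,
    'low' otherwise (ordinary filing rules still deserve a look on VIP mailboxes).
    """
    findings = []
    for e in events:
        if e["type"] != "inbox_rule":
            continue
        params = e["params"]
        actions = HIDING_ACTIONS & set(params)
        if not actions:
            continue
        subject_words = {
            w.strip().lower()
            for w in params.get("SubjectContainsWords", "").split(";")
            if w.strip()
        }
        hits = subject_words & SECURITY_WORDS
        findings.append({
            "user": e["user"],
            "operation": e["operation"],
            "actions": sorted(actions),
            "security_words": sorted(hits),
            "severity": "high" if hits else "low",
        })
    return findings


def phish_to_signin_chains(events, known_ips, window=timedelta(hours=24)):
    """Pair each phishing click with later successful sign-ins by the same user
    from an IP outside that user's baseline, within `window`."""
    clicks = [e for e in events if e["type"] == "phish_click"]
    signins = [e for e in events if e["type"] == "signin" and e["result"] == "success"]
    chains = []
    for c in clicks:
        for s in signins:
            if s["user"] != c["user"]:
                continue
            gap = _when(s) - _when(c)
            if timedelta(0) <= gap <= window and s["ip"] not in known_ips.get(s["user"], set()):
                chains.append({"user": c["user"], "click_ts": c["ts"],
                               "signin_ts": s["ts"], "ip": s["ip"]})
    return chains


def suspected_mailbox_compromise(events, known_ips):
    """Users with both a click-to-new-IP sign-in chain and a high-severity hiding rule."""
    chained = {c["user"] for c in phish_to_signin_chains(events, known_ips)}
    hiding = {f["user"] for f in hiding_rule_findings(events) if f["severity"] == "high"}
    return sorted(chained & hiding)


if __name__ == "__main__":
    for f in hiding_rule_findings(EVENTS):
        print("inbox rule:", f)
    for c in phish_to_signin_chains(EVENTS, KNOWN_IPS):
        print("phish -> sign-in chain:", c)
    print("suspected mailbox compromise:", suspected_mailbox_compromise(EVENTS, KNOWN_IPS))
```

The baseline-IP check is deliberately a stand-in for whatever "unusual location, device or user agent" logic an identity provider already exposes; the point is that the inbox-rule finding alone is low confidence on a normal filing rule, and the sign-in chain alone is noisy for travelling users, but the two joined on the same mailbox within a short window are worth an analyst's time.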
Mitigation priorities
- Prioritize strong identity controls for email and remote access, including MFA, conditional access, least privilege, and rapid credential/session revocation processes.
- Ensure mailbox auditing is enabled and retained long enough to support investigations into remote email collection and inbox rule abuse.
- Harden email security and user-reporting workflows for targeted links and attachments, with special attention to high-value business users.
- Restrict or monitor risky document/script execution paths, including Visual Basic-related execution where business use allows.
- Define IR playbooks for suspected mailbox compromise: preserve logs, disable malicious rules, revoke sessions/tokens, reset credentials, and review exposed correspondence.
Analyst notes and limits
The most important decision value is that FIN4, as described by ATT&CK, shifts defensive emphasis from malware persistence to credential abuse and email collection. For managed detection, identity monitoring and mailbox auditing are as important as endpoint telemetry. For incident response, the key question is whether investigators can reconstruct mailbox access and rule changes after credentials are captured.
Platforms and tactics are not specified on the FIN4 group object itself, and ATT&CK provides no official detection text. Platform and tactic context in this take comes from the supplied relationships to techniques. The source material supports historical targeting and behavior descriptions, but local exposure, current activity, and detection coverage must be established from the organization’s own telemetry.
FIN4
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078 | Valid Accounts | FIN4 has used legitimate credentials to hijack email communications.[1][3] |
| Enterprise | T1059.005 | Visual Basic | FIN4 has used VBA macros to display a dialog box and collect victim credentials.[1][3] |
| Enterprise | T1090.003 | Multi-hop Proxy | |
| Enterprise | T1204.002 | Malicious File | FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).[1][3] |
| Enterprise | T1564.008 | Email Hiding Rules | FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.[1] |
| Enterprise | T1204.001 | Malicious Link | FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[1][3] |
| Enterprise | T1056.001 | Keylogging | FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[1][3] |
| Enterprise | T1056.002 | GUI Input Capture | FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[1][3] |
| Enterprise | T1566.002 | Spearphishing Link | FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[1][3] |
| Enterprise | T1566.001 | Spearphishing Attachment | FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[1][3] |
| Enterprise | T1071.001 | Web Protocols | FIN4 has used HTTP POST requests to transmit data.[1][3] |
| Enterprise | T1114.002 | Remote Email Collection | FIN4 has accessed and hijacked online email communications using stolen credentials.[1][3] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1fae6e0438ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Hacking FIN4 Dec 2014: Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- [2] FireEye FIN4 Stealing Insider NOV 2014: Dennesen, K. et al. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading? Retrieved November 17, 2024.
- [3] FireEye Hacking FIN4 Video Dec 2014: Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- [4] FIN4 (alias entry): (Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)
- [5] mitre-attack: G0085
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.