Initial Access

T1566.001: Spearphishing Attachment

T1566.001 · Sub-technique · 3 platforms · 78 groups

Description

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing; it differs from other forms of spearphishing in that the malware is attached to the email itself. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

Platforms

Linux, macOS, Windows

Mitigations (7)

M1049 Antivirus/Antimalware

Anti-virus can automatically quarantine suspicious files.

M1018 User Account Management

Apply user account management principles to limit permissions for accounts interacting with email attachments, ensuring that only necessary accounts have the ability to open or execute files. Restricting account privileges reduces the potential impact of malicious attachments by preventing unauthorized execution or spread of malware within the environment.

M1047 Audit

Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. This practice helps identify spearphishing attempts before they can lead to further compromise.
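A worked illustration of the audit idea above, added here as an example and not part of the ATT&CK page: detection logic in Python run over a handful of constructed Sysmon-style file-create and process-create events. It records when the mail client writes a risky attachment type, alerts when an Office application spawns a script interpreter, and ties the two together by walking the parent chain for a command line that references the written attachment. The event shape, process names and paths are assumptions made for the example.

```python
import json
import ntpath

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# attachment types worth an audit entry the moment the mail client writes them
RISKY_EXT = {".exe", ".scr", ".pif", ".cpl", ".docm", ".xlsm", ".js", ".vbs",
             ".hta", ".lnk", ".iso", ".img", ".zip", ".rar"}

# Constructed telemetry shaped like Sysmon file-create (EID 11) and
# process-create (EID 1) events, one JSON object per line. Not real logs.
SAMPLE_LOG = r"""
{"ts": 100, "event": "file_create", "pid": 4120, "process": "OUTLOOK.EXE", "path": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K3L9Q2\\Invoice_4471.docm"}
{"ts": 101, "event": "process_create", "pid": 5208, "ppid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K3L9Q2\\Invoice_4471.docm\""}
{"ts": 104, "event": "process_create", "pid": 5390, "ppid": 5208, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts": 200, "event": "file_create", "pid": 4120, "process": "OUTLOOK.EXE", "path": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K3L9Q2\\Q3_report.pdf"}
{"ts": 201, "event": "process_create", "pid": 6011, "ppid": 4120, "image": "C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "\"AcroRd32.exe\" \"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\K3L9Q2\\Q3_report.pdf\""}
{"ts": 300, "event": "process_create", "pid": 6120, "ppid": 5208, "image": "C:\\Windows\\splwow64.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
"""


def load_events(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def attachment_in_lineage(ev: dict, procs: dict, attachments: dict):
    """Walk up the parent chain looking for a process whose command line
    references a file the mail client wrote. Returns the path as logged."""
    seen = set()
    cur = ev
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        cmd = cur.get("cmdline", "").lower()
        for lower_path, original in attachments.items():
            if lower_path in cmd:
                return original
        cur = procs.get(cur.get("ppid"))
    return None


def analyze(events: list) -> list:
    """Return (severity, rule, detail) tuples for the event stream."""
    alerts = []
    attachments = {}   # lowercased path -> path as logged
    procs = {}         # pid -> process_create event
    for ev in events:
        if ev["event"] == "file_create" and ev["process"].lower() in MAIL_CLIENTS:
            attachments[ev["path"].lower()] = ev["path"]
            if ntpath.splitext(ev["path"])[1].lower() in RISKY_EXT:
                alerts.append(("low", "risky attachment type written by mail client", ev["path"]))
        elif ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            image, parent = base(ev["image"]), base(ev["parent_image"])
            if parent in OFFICE_APPS and image in INTERPRETERS:
                alerts.append(("high", f"{parent} spawned {image}", ev["cmdline"]))
                origin = attachment_in_lineage(ev, procs, attachments)
                if origin:
                    alerts.append(("critical", "interpreter descends from an opened email attachment", origin))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in analyze(load_events(SAMPLE_LOG)):
        print(f"[{severity}] {rule}: {detail}")
```

The PDF opened in Acrobat and the print helper spawned by Word produce no alert, which is the point of keying on interpreter children rather than on any child process. The lineage walk keys on process IDs, which is fine for a short sample; on real Windows telemetry use the process GUID Sysmon records, because PIDs are reused.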

M1031 Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

M1054 Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation
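To make the SPF/DKIM/DMARC evaluation concrete, here is an added Python example, not from the ATT&CK page or from Microsoft's guidance, of the receiver-side decision: it parses a DMARC record from constructed DNS TXT data, reads the Authentication-Results header a receiving MTA has already stamped on the message, checks relaxed or strict alignment of the SPF and DKIM identifiers against the From: domain, and returns the disposition the published policy calls for. The domain names, DNS records and three sample messages are constructed; the organizational-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT records for the protected domain example.com, written as
# they would be published. SPF lists the hosts allowed to send for the domain;
# DMARC states what receivers should do when neither SPF nor DKIM aligns.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r",
}


def parse_tags(txt: str) -> dict:
    """Parse a 'k=v; k=v' DMARC record into a dict with lowercased keys."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification for the example: last two labels. Real implementations
    # consult the Public Suffix List (example.co.uk has three).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(identifier: str) -> str:
    # smtp.mailfrom may be a full mailbox; header.d is always a bare domain
    return identifier.rsplit("@", 1)[-1].lower()


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    d = domain_of(identifier)
    if mode == "s":                                    # strict: exact match
        return d == from_domain.lower()
    return org_domain(d) == org_domain(from_domain)    # relaxed (the default)


def parse_auth_results(header: str) -> list:
    """Parse an RFC 8601 Authentication-Results header (assumes no CFWS
    comments). The first ';'-separated part is the authserv-id."""
    results = []
    for stanza in header.split(";")[1:]:
        tokens = stanza.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            k, sep, v = tok.partition("=")
            if sep:
                entry[k.lower()] = v
        results.append(entry)
    return results


def dmarc_disposition(raw_message: str, dns: dict = DNS_TXT) -> dict:
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    record = parse_tags(dns.get(f"_dmarc.{from_domain}", ""))
    if record.get("v", "").upper() != "DMARC1":
        return {"from_domain": from_domain, "dmarc": "none", "action": "deliver",
                "reason": "no DMARC record published"}
    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        results.extend(parse_auth_results(hdr))
    spf_ok = any(r["method"] == "spf" and r["result"] == "pass" and
                 aligned(r.get("smtp.mailfrom", ""), from_domain, record.get("aspf", "r"))
                 for r in results)
    dkim_ok = any(r["method"] == "dkim" and r["result"] == "pass" and
                  aligned(r.get("header.d", ""), from_domain, record.get("adkim", "r"))
                  for r in results)
    if spf_ok or dkim_ok:
        return {"from_domain": from_domain, "dmarc": "pass", "action": "deliver",
                "reason": "aligned " + ("DKIM" if dkim_ok else "SPF") + " pass"}
    policy = record.get("p", "none").lower()
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return {"from_domain": from_domain, "dmarc": "fail", "action": action,
            "reason": f"no aligned SPF/DKIM pass; policy p={policy}"}


# Constructed messages as the receiving MTA (authserv-id mx.example.net) sees
# them after adding its own Authentication-Results header.
LEGITIMATE = """From: Accounts <billing@example.com>
Subject: Invoice 4471
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.example.com; dkim=pass header.d=example.com header.s=sel1

see attached
"""
SPOOFED = """From: "CEO" <ceo@example.com>
Subject: urgent wire
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=notify@mailer-attacker.test; dkim=none

open the attached instructions
"""
FORWARDED = """From: Accounts <billing@example.com>
Subject: Fwd: Invoice 4471
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@bounce.example.com; dkim=pass header.d=example.com header.s=sel1

relayed by a mailing list
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("forwarded", FORWARDED)):
        print(name, dmarc_disposition(raw))
```

The spoofed message passes SPF for the attacker's own bounce domain, which is exactly why DMARC requires the passing identifier to align with the visible From: domain; the forwarded message fails SPF but its DKIM signature survives the relay, so it still passes. A domain whose record says p=none gets the report data but no enforcement, which is the usual first step of a rollout.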

M1017 User Training

Users can be trained to identify social engineering techniques and spearphishing emails.

M1021 Restrict Web-Based Content

As a best practice, block by default attachment types that are unknown, unused, or should never be transmitted over email, such as .scr, .exe, .pif, and .cpl, to cut off some delivery vectors. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments.
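The technique description and the M1021 guidance turn on the same checks: is the attachment an executable type at all, is the name disguised (a decoy document extension, a right-to-left override character), do the bytes match the claimed type, and does an archive hide encrypted or executable members. The Python triage routine below is an added example, not code from the ATT&CK page, that applies those checks to constructed sample attachments. Its extension lists extend the four types the page names with other executable and script types, and the encrypted zip sample is built by patching the flag bit by hand because the standard library cannot write password-protected archives.

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# Types that should not arrive by email at all: the four named in the M1021
# guidance plus other directly executable or script types abused the same way.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".iso"}
# Extensions a user reads as "just a document".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                       ".pptx", ".rtf", ".txt", ".jpg", ".png"}
# Leading bytes of common real types, checked independently of the name.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",       # plain zip, OOXML (.docx/.xlsx), JAR
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls, MSI
    b"{\\rtf": "rtf",
    b"Rar!\x1a\x07": "rar",
}


@dataclass
class Verdict:
    filename: str
    detected_type: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def sniff(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def ext_of(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def triage(filename: str, data: bytes) -> Verdict:
    v = Verdict(filename, sniff(data))
    ext = ext_of(filename)
    parts = filename.lower().split(".")
    if ext in BLOCKED_EXTENSIONS:
        v.reasons.append(f"blocked extension {ext}")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:   # invoice.pdf.exe
        v.reasons.append("decoy document extension before real extension")
    if "\u202e" in filename:   # right-to-left override flips how the tail renders
        v.reasons.append("right-to-left override character in filename")
    if ext in DOCUMENT_EXTENSIONS and v.detected_type == "pe-executable":
        v.reasons.append(f"{ext} extension but content is a PE executable")
    if v.detected_type == "zip-container":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:   # bit 0: member is encrypted
                        v.reasons.append(f"encrypted archive member {info.filename}")
                    if ext_of(info.filename) in BLOCKED_EXTENSIONS:
                        v.reasons.append(f"executable inside archive: {info.filename}")
        except zipfile.BadZipFile:
            v.reasons.append("zip signature but archive does not parse")
    return v


# --- constructed samples (not real attachments) ------------------------------

def constructed_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(raw: bytes) -> bytes:
    """Set the 'encrypted' flag on every entry by hand: offset 6 in each local
    header, offset 8 in each central-directory entry. zipfile cannot write
    password-protected archives, so this stands in for a real one."""
    buf = bytearray(raw)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # DOS header stub only

SAMPLES = [
    ("Invoice_2024.pdf.exe", FAKE_PE),
    ("quarterly.doc", FAKE_PE),
    ("report.docx", constructed_zip({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>"})),
    ("statement.zip", mark_encrypted(constructed_zip({"statement.exe": FAKE_PE}))),
    ("Scan_0012.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
]


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name:24} {verdict.detected_type:14} {flag} {verdict.reasons}")
```

The magic-byte check is what catches the renamed executable that the extension filter alone would pass, and the archive walk is what a boundary scanner can still do with a password-protected zip: it cannot read the member, but it can see that the member is encrypted and what it is called, which is enough to hold the message.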

Threat Groups (78)

ID | Group | Context
G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has sent spearphishing emails with various attachment types to corporate and personal email acco...
G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(C...
G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) uses a variety of file formats, such as Microsoft Office documents, ZIP archives, PDF documents, a...
G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) sent spearphishing emails that contained malicious Microsoft Office and fake installer file at...
G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)
G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails containing malicious Microsoft Office and RAR attachments.(Citation: Unit 42 ...
G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) has sent emails with malicious Microsoft Office documents attached.(Citation: FireEye admin@338)
G0112 | Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has sent spearphishing emails with attachment to harvest credentials and deliver malware.(Citation:...
G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation...
G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has sent emails to intended victims with malicious MS Word and Excel attachments.(Citation: Kaspersky W...
G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has compromised third parties and used compromised accounts to send spearphishing emails with targ...
G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has sent malicious Office documents via email as part of spearphishing campaigns as well as executab...
G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used e-mail to deliver malicious attachments to victims.(Citation: Trend Micro DRBContr...
G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicr...
G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.(Citat...
G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has sent spearphishing emails with malicious RAR and .LNK attachments.(Citation: Securelist Darkhot...
G1002 | BITTER | [BITTER](https://attack.mitre.org/groups/G1002) has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.(Citation: Cisco Talo...
G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Cit...
G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has used weaponized documents attached to spearphishing emails for reconnaissance and initial compr...
G1011 | EXOTIC LILY | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) conducted an e-mail thread-hijacking campaign with malicious ISO attachments.(Citation: Google EX...

Associated Software (60)

ID | Name | Type | Context
S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes L...
S0447 | Lokibot | Malware | [Lokibot](https://attack.mitre.org/software/S0447) is delivered via a malicious XLS attachment contained within a spearphishing email.(Citation: Talos...
S0331 | Agent Tesla | Malware | The primary delivery mechanism for [Agent Tesla](https://attack.mitre.org/software/S0331) is through email phishing messages.(Citation: Bitdefender A...
S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.(C...
S1066 | DarkTortilla | Malware | [DarkTortilla](https://attack.mitre.org/software/S1066) has been distributed via spearphishing emails containing archive attachments, with file types ...
S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) was distributed via malicious Word documents.(Citation: Talos PoetRAT April 2020)
S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) has been delivered via spearphishing attachments disguised as PDF documents.(Citation: Unit42 Redaman J...
S0622 | AppleSeed | Malware | [AppleSeed](https://attack.mitre.org/software/S0622) has been distributed to victims through malicious e-mail attachments.(Citation: Malwarebytes Kims...
S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has been distributed through spearphishing emails with malicious attachments.(Citation: Antiy CERT R...
S9037 | RustyWater | Malware | [RustyWater](https://attack.mitre.org/software/S9037) has sent spearphishing emails with the attachment Cybersecurity.doc, which served as the primary...
S0011 | Taidoor | Malware | [Taidoor](https://attack.mitre.org/software/S0011) has been delivered through spearphishing emails.(Citation: TrendMicro Taidoor)
S0585 | Kerrdown | Malware | [Kerrdown](https://attack.mitre.org/software/S0585) has been distributed through malicious e-mail attachments.(Citation: Amnesty Intl. Ocean Lotus Feb...
S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has been delivered to victims via emails with malicious HTML attachments.(Citation: FireEye Metam...
S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has been delivered by sending victims a phishing email containing a malicious .docx file.(Citation: C...
S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has been distributed through reply-chain phishing emails with malicious attachments.(Citation: ...
S0499 | Hancitor | Malware | [Hancitor](https://attack.mitre.org/software/S0499) has been delivered via phishing emails with malicious attachments.(Citation: FireEye Hancitor)
S0332 | Remcos | Tool | [Remcos](https://attack.mitre.org/software/S0332) has been spread through emails containing malicious documents.(Citation: Fortinet Remcos Campaign NO...
S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) has been delivered via malicious email attachments.(Citation: Recorded Future TAG-144 AUG 2025)
S0660 | Clambling | Malware | [Clambling](https://attack.mitre.org/software/S0660) has been delivered to victims' machines through malicious e-mail attachments.(Citation: Trend Mic...
S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) has been distributed via spearphishing as an email attachment.(Citation: MSTIC Nobelium Toolset M...
