Initial Access

T1566: Phishing

T1566 · Technique · 6 platforms · 8 groups

Description

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by Email Spoofing(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., User Execution).(Citation: Unit42 Luna Moth)

Platforms

Identity Provider, Linux, macOS, Office Suite, SaaS, Windows

Sub-Techniques (4)

Mitigations (6)

M1047: Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

M1031: Network Intrusion Prevention

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.

M1054: Software Configuration

Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation
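The SPF/DKIM/DMARC filtering described under M1054, and the sender spoofing from the Description that it counters, as an added example that is not MITRE's or any mail product's code. It assumes the receiving MTA has already done the SPF DNS lookup and the DKIM signature verification and hands in their pass/fail results; what the code implements is the DMARC layer of RFC 7489 on top of that: identifier alignment between the visible From domain and the authenticated domains (relaxed or strict, per the record's aspf/adkim tags), then the published policy. The sample messages, the domains (example.com, attacker-relay.test, example-support.test) and the DMARC records are constructed for the example, and the org_domain helper approximates the organizational domain as the last two labels, which is flagged in the code as an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # DKIM alignment mode; RFC 7489 default is relaxed
    tags.setdefault("aspf", "r")   # SPF alignment mode; default is relaxed
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (an assumption
    made for this example). A real implementation must use the Public Suffix
    List so that 'mail.example.co.uk' maps to 'example.co.uk', not 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    an organizational-domain match."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def _domain_of(header_value):
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def dmarc_evaluate(raw_message, dmarc_record, spf_pass, dkim_pass):
    """Return (disposition, reason). spf_pass / dkim_pass are the MTA's results
    for the envelope sender (surfaced as Return-Path) and the DKIM d= domain."""
    msg = message_from_string(raw_message)
    policy = parse_dmarc(dmarc_record)
    from_domain = _domain_of(msg.get("From", ""))        # RFC5322.From: what the user sees
    spf_domain = _domain_of(msg.get("Return-Path", ""))  # RFC5321.MailFrom: what SPF checked
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = match.group(1) if match else ""         # domain the DKIM signature vouches for

    spf_aligned = bool(spf_pass) and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_aligned = bool(dkim_pass) and aligned(from_domain, dkim_domain, policy["adkim"])
    if dkim_aligned or spf_aligned:
        which = "DKIM" if dkim_aligned else "SPF"
        return "pass", "aligned %s identifier for %s" % (which, from_domain)
    return policy["p"], "no aligned authenticated identifier for %s" % from_domain


# Constructed samples, not real captures. The attacker's relay has valid SPF and
# DKIM for its own domain, but the From the user sees claims example.com.
SPOOFED_MSG = """\
Return-Path: <bounce@attacker-relay.test>
From: "IT Helpdesk" <helpdesk@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=attacker-relay.test; s=sel; h=from:subject; bh=AAAA; b=BBBB
Subject: Password expiry notice

Your password expires today; sign in at the link below to keep access.
"""

# Legitimate mail from a bulk-sending subdomain, DKIM-signed by the parent domain.
LEGIT_MSG = """\
Return-Path: <bounce@mail.example.com>
From: "Example Notifications" <noreply@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; bh=AAAA; b=BBBB
Subject: Your monthly statement

Your statement is attached.
"""

# Lookalike domain the attacker registered and configured correctly: DMARC passes.
LOOKALIKE_MSG = """\
Return-Path: <bounce@example-support.test>
From: "Example Support" <support@example-support.test>
DKIM-Signature: v=1; a=rsa-sha256; d=example-support.test; s=sel; h=from:subject; bh=AAAA; b=BBBB
Subject: Action required

Call us on the number below to confirm your account.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(label, dmarc_evaluate(raw, "v=DMARC1; p=reject", True, True))
```

The third sample is the caveat worth keeping in mind: DMARC protects only the exact domain it is published for. A lookalike domain the attacker registers and configures properly (the support@microsoftonlines[.]com address this page attributes to MuddyWater is that pattern) passes SPF, DKIM and DMARC, so this filtering has to be paired with lookalike-domain monitoring and the User Training mitigation. Note also that under strict alignment (aspf=s) the legitimate bulk mail from mail.example.com only passes because its DKIM d= is the parent domain; a subdomain-signed message would be quarantined or rejected, which is why alignment mode changes are rolled out with p=none and report monitoring first.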

M1021: Restrict Web-Based Content

Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
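An attachment-type filter for the blocking described under M1021, as an added example that is not MITRE's or any gateway's code. It blocks the page's examples (.scr, .exe, .pif, .cpl) plus a few script and container types chosen for this example, and handles the ways a plain extension check is evaded: double extensions, trailing dots and spaces that Windows ignores, invisible right-to-left override characters in the name, and blocked types nested inside ZIP archives (including password-protected members, which it cannot open and therefore flags). The sample archive is constructed in memory; the extension set, the depth and size limits are this example's own choices.

```python
import io
import unicodedata
import zipfile

# The page's examples plus a few script/container types added for this example;
# tune the set to what the business actually needs to receive by mail.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".cpl",
                      ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk", ".iso"}
MAX_DEPTH = 3                   # nested archives to open before giving up (assumed limit)
MAX_MEMBER_BYTES = 50_000_000   # refuse to expand larger members (zip-bomb guard, assumed limit)


def normalize_name(name):
    """Reduce a filename to the form Windows will actually interpret: drop any
    directory part, strip invisible format characters (e.g. U+202E, the
    right-to-left override that makes 'annex\u202efdp.exe' display as
    'annexexe.pdf'), and drop the trailing dots/spaces Windows silently ignores."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return name.rstrip(". ").lower()


def blocked_extension(name):
    """Return the blocked extension if the effective extension is listed, else None."""
    name = normalize_name(name)
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1]   # last component wins: 'invoice.pdf.exe' -> '.exe'
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_attachment(name, data, depth=0):
    """Return a list of (path, finding) for one attachment, recursing into ZIPs."""
    findings = []
    ext = blocked_extension(name)
    if ext:
        findings.append((name, ext))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, "<archive nested too deep>"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = name + "/" + info.filename
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "<oversized member>"))
                continue
            try:
                inner = zf.read(info)
            except RuntimeError:  # password-protected member: a classic filter bypass
                findings.append((member, "<encrypted member>"))
                continue
            findings.extend((name + "/" + path, what)
                            for path, what in scan_attachment(info.filename, inner, depth + 1))
    return findings


def build_sample_zip():
    """Constructed sample: invoice.zip holding a double-extension EXE, a harmless
    text file, and a nested payload.zip that in turn holds a .scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("update.scr", b"MZ not really a screensaver")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ fake executable")
        zf.writestr("notes.txt", b"see attached")
        zf.writestr("payload.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment("invoice.zip", build_sample_zip()):
        print("BLOCK", finding)
```

The recursion is what makes the rule useful: a gateway that only inspects the outer filename lets invoice.zip through untouched, while this returns both invoice.zip/invoice.pdf.exe and invoice.zip/payload.zip/update.scr. Encrypted archives are surfaced as a finding rather than silently passed, because whether to allow them is a policy decision the filter should not make on its own.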

M1049: Antivirus/Antimalware

Anti-virus can automatically quarantine suspicious files.

M1017: User Training

Users can be trained to identify social engineering techniques and phishing emails.

Threat Groups (8)

| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used spearphishing to gain initial access and intelligence.(Citation: MSFT-AI)(Citation: Mandiant... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has emailed victims threatening messages.(Citation: DOJ FBI Handala Hack March 2026) [VOID MAN... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used phishing to gain initial access.(Citation: SOCRadar INC Ransom January 2024)(Citation: Se... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has sent phishing emails to targets from the email address support@microsoftonlines[.]com.(Citatio... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) used spear phishing to gain initial access to victims.(Citation: Talos Sea Turtle 2019) |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used spear phishing to initially compromise victims.(Citation: Cisco Group 72)(Citation: Novetta-Ax... |
| G1049 | AppleJeus | [AppleJeus](https://attack.mitre.org/groups/G1049) has used spearphishing emails to distribute malicious payloads.(Citation: dtex DPRK 2025 structure ... |
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has conducted malicious spam (malspam) campaigns to gain access to victims' machines.(Citatio... |

Associated Software (3)

| ID | Name | Type | Context |
|---|---|---|---|
| S0009 | Hikit | Malware | [Hikit](https://attack.mitre.org/software/S0009) has been spread through spear phishing.(Citation: Novetta-Axiom) |
| S1139 | INC Ransomware | Malware | [INC Ransomware](https://attack.mitre.org/software/S1139) campaigns have used spearphishing emails for initial access.(Citation: SentinelOne INC Ranso... |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) has been spread through the use of phishing campaigns including "call back phishing" where victims ar... |

References

Frequently Asked Questions

What is T1566 (Phishing)?

T1566 is a MITRE ATT&CK technique named 'Phishing'. It belongs to the Initial Access tactic. Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing, in which a specific individual, company, or industry is targeted; more generally, adversaries conduct non-targeted phishing such as mass malware spam campaigns.

How can T1566 be detected?

T1566 leaves evidence at three points. At the mail gateway: messages that fail SPF, DKIM or DMARC checks, senders on newly registered or lookalike domains, attachment types that have no business arriving by mail (see M1021), and URLs, including shortened ones that should be expanded, that resolve to known-bad or freshly registered sites; attachments can additionally be detonated in a sandbox. On the endpoint: a phish only matters once it executes (User Execution), so alert when a mail client or Office application spawns a script interpreter, command shell or unsigned binary, and, for the callback variant described above, when remote management software that is not approved for the environment is installed. In the mail tenant: inbox rules or deletions created immediately after a message arrives (Email Hiding Rules) can indicate a compromised account being used to send further phishing. These sources feed SIEM rules, EDR detections and behavioural analytics.

What mitigations exist for T1566?

There are 6 documented mitigations for T1566: Audit (M1047), Network Intrusion Prevention (M1031), Software Configuration (M1054), Restrict Web-Based Content (M1021), Antivirus/Antimalware (M1049), and User Training (M1017).

Which threat groups use T1566?

Known threat groups using T1566 include: Kimsuky, VOID MANTICORE, INC Ransom, MuddyWater, Sea Turtle, Axiom, AppleJeus, GOLD SOUTHFIELD.