Description
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email. In some cases, they may rely upon the recipient populating information, then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. In other cases, adversaries may leverage techniques such as HTML Smuggling to harvest user credentials via fake login portals.(Citation: Huntress HTML Smuggling 2024)
Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.
Platforms
Mitigations (2)
User TrainingM1017
Users can be trained to identify social engineering techniques and spearphishing attempts.
Software ConfigurationM1054
Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.(Citation: Microsoft Anti Spoofing)(Citation
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.(... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has sent emails to establish rapport with targets eventually sending messages with attachments ... |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has sent e-mails with malicious attachments that lead victims to credential harvesting websites.(C... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has crafted generic lures for spam campaigns to collect emails and credentials for targeting efforts... |
References
- Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.
- Ducklin, P. (2020, October 2). Serious Security: Phishing without links – when phishers bring along their own web pages. Retrieved October 20, 2020.
- Matt Kiely. (2024, July 5). Smuggler’s Gambit: Uncovering HTML Smuggling Adversary in the Middle Tradecraft. Retrieved March 18, 2025.
- Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.
- Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.
Frequently Asked Questions
What is T1598.002 (Spearphishing Attachment)?
T1598.002 is a MITRE ATT&CK technique named 'Spearphishing Attachment'. It belongs to the Reconnaissance tactic(s). Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets...
How can T1598.002 be detected?
Detection of T1598.002 (Spearphishing Attachment) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1598.002?
There are 2 documented mitigations for T1598.002. Key mitigations include: User Training, Software Configuration.
Which threat groups use T1598.002?
Known threat groups using T1598.002 include: Dragonfly, Star Blizzard, Sidewinder, SideCopy.