Applied Cybernetics Group
T1566.001 — Spearphishing Attachment
- Technique
T1566.001- Tactics
- Initial Access
- MISP citations
- 0
- KEV CVEs mapped
- 7
- Community rules
- 24
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1566/001
MITRE description
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Exploit for CVE-2017-0261 (emerging-threats)
- Droppers Exploiting CVE-2017-11882 (emerging-threats)
- Exploit for CVE-2017-8759 (emerging-threats)
- Ursnif Malware C2 URL Pattern (emerging-threats)
- HTML File Opened From Download Folder (threat-hunting)
- Suspicious Email Delivered In Microsoft 365 (core)
- Disk Image Mounting Via Hdiutil - MacOS (core)
- ISO Image Mounted (core)
- Password Protected ZIP File Opened (Email Attachment) (core)
- Potential Initial Access via DLL Search Order Hijacking (core)
- ISO File Created Within Temp Folders (core)
- ISO or Image Mount Indicator in Recent Files (core)
- Office Macro File Creation (core)
- Office Macro File Download (core)
- Office Macro File Creation From Suspicious Process (core)
- Suspicious File Created in Outlook Temporary Directory (core)
- HTML Help HH.EXE Suspicious Child Process (core)
- Suspicious HH.EXE Execution (core)
- Suspicious HWP Sub Processes (core)
- Suspicious Microsoft OneNote Child Process (core)
- Suspicious Execution From Outlook Temporary Folder (core)
- Arbitrary Shell Command Execution Via Settingcontent-Ms (core)
- Suspicious Double Extension File Execution (core)
- Windows Registry Trust Record Modification (core)