Applied Cybernetics Group
T1566 — Phishing
- Technique
T1566- Tactics
- Initial Access
- MISP citations
- 0
- KEV CVEs mapped
- 6
- Community rules
- 14
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1566
MITRE description
Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1684/002)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs) Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum (emerging-threats)
- CVE-2021-31979 CVE-2021-33771 Exploits (emerging-threats)
- WebDAV Temporary Local File Creation (threat-hunting)
- Potential Malicious Usage of CloudTrail System Manager (core)
- Okta FastPass Phishing Detection (core)
- Suspicious Execution via macOS Script Editor (core)
- Download From Suspicious TLD - Blacklist (core)
- Download From Suspicious TLD - Whitelist (core)
- Suspicious External WebDAV Execution (core)
- Potential Initial Access via DLL Search Order Hijacking (core)
- HTML Help HH.EXE Suspicious Child Process (core)
- Suspicious HH.EXE Execution (core)
- Suspicious Microsoft OneNote Child Process (core)
- Phishing Pattern ISO in Archive (core)