Esc
Internal Spearphishing - T1534
(ATT&CK® Technique)
Definition
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1534["Internal Spearphishing"] --> |produces| Email["Email"]; class T1534 OffensiveTechniqueNode;
class Email ArtifactNode; click Email href "/dao/artifact/d3f:Email";
click T1534 href "/offensive-technique/attack/T1534/"; click Email href "/dao/artifact/d3f:Email"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | Email["Email"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class Email ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class SenderMTAReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderMTAReputationAnalysis href "/technique/d3f:SenderMTAReputationAnalysis"; SenderReputationAnalysis["Sender Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderReputationAnalysis["Sender Reputation Analysis"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class SenderReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderReputationAnalysis href "/technique/d3f:SenderReputationAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | Email["Email"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | Email["Email"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; ContentQuarantine["Content Quarantine"] -->
| quarantines | Email["Email"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class ContentQuarantine DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ContentModification["Content Modification"] -->
| modifies | Email["Email"];
ContentModification["Content Modification"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class ContentModification DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; DecoyFile["Decoy File"] -->
| spoofs | Email["Email"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1534["Internal Spearphishing"] ;
class DecoyFile DefensiveTechniqueNode;
class Email ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] -->
| encrypts | Email["Email"];
FileEncryption["File Encryption"] -.->
| may-harden | T1534["Internal Spearphishing"] ;
class FileEncryption DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | Email["Email"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class Email ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | Email["Email"];
FileEviction["File Eviction"] -.->
| may-evict | T1534["Internal Spearphishing"] ;
class FileEviction DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; RestoreFile["Restore File"] -->
| restores | Email["Email"];
RestoreFile["Restore File"] -.->
| may-restore | T1534["Internal Spearphishing"] ;
class RestoreFile DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | Email["Email"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class Email ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ContentFiltering["Content Filtering"] -->
| filters | Email["Email"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class ContentFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | Email["Email"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1534["Internal Spearphishing"] ;
class FileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; EmailRemoval["Email Removal"] -->
| deletes | Email["Email"];
EmailRemoval["Email Removal"] -.->
| may-evict | T1534["Internal Spearphishing"] ;
class EmailRemoval DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; RestoreEmail["Restore Email"] -->
| restores | Email["Email"];
RestoreEmail["Restore Email"] -.->
| may-restore | T1534["Internal Spearphishing"] ;
class RestoreEmail DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreEmail href "/technique/d3f:RestoreEmail"; EmailFiltering["Email Filtering"] -->
| filters | Email["Email"];
EmailFiltering["Email Filtering"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class EmailFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailFiltering href "/technique/d3f:EmailFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | Email["Email"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1534["Internal Spearphishing"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class Email ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";