Spearphishing Attachment - T1566.001
(ATT&CK® Technique)
Definition
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
D3FEND Inferred Relationships
Spearphishing Attachment produces the following artifacts:
Inbound Internet Mail Traffic
Email

Defensive techniques related through those artifacts (defensive technique: relationship to artifact; inferred relationship to Spearphishing Attachment):
Dynamic Analysis: analyzes Email; May Detect
Emulated File Analysis: analyzes Email; May Detect
Decoy File: spoofs Email; May Deceive
Remote Terminal Session Detection: analyzes Inbound Internet Mail Traffic; May Detect
Inbound Session Volume Analysis: analyzes Inbound Internet Mail Traffic; May Detect
Network Traffic Community Deviation: analyzes Inbound Internet Mail Traffic; May Detect
Per Host Download-Upload Ratio Analysis: analyzes Inbound Internet Mail Traffic; May Detect
Network Traffic Signature Analysis: analyzes Inbound Internet Mail Traffic; May Detect
Client-server Payload Profiling: analyzes Inbound Internet Mail Traffic; May Detect
Protocol Metadata Anomaly Detection: analyzes Inbound Internet Mail Traffic; May Detect
Homoglyph Detection: analyzes Email; May Detect
Sender MTA Reputation Analysis: analyzes Email; May Detect
Sender Reputation Analysis: analyzes Email; May Detect
File Integrity Monitoring: analyzes Email; May Detect
File Eviction: deletes Email; May Evict
User Geolocation Logon Pattern Analysis: analyzes Inbound Internet Mail Traffic; May Detect
Local File Permissions: restricts Email; May Harden
File Encryption: encrypts Email; May Harden
Restore File: restores Email; May Restore
Network Traffic Filtering: filters Inbound Internet Mail Traffic; May Isolate
File Analysis: analyzes Email; May Detect
Email Removal: deletes Email; May Evict
Restore Email: restores Email; May Restore
Email Filtering: filters Email; May Isolate
Inbound Traffic Filtering: filters Inbound Internet Mail Traffic; May Isolate