Esc
Spearphishing Link - T1566.002
(ATT&CK® Technique)
Definition
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1566002["Spearphishing Link"] --> |produces| URL["URL"]; class T1566002 OffensiveTechniqueNode;
class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click URL href "/dao/artifact/d3f:URL"; T1566002["Spearphishing Link"] --> |produces| InboundInternetMailTraffic["Inbound Internet Mail Traffic"]; class T1566002 OffensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click InboundInternetMailTraffic href "/dao/artifact/d3f:InboundInternetMailTraffic"; T1566002["Spearphishing Link"] --> |produces| Email["Email"]; class T1566002 OffensiveTechniqueNode;
class Email ArtifactNode; click Email href "/dao/artifact/d3f:Email";
click T1566002 href "/offensive-technique/attack/T1566.002/"; click Email href "/dao/artifact/d3f:Email"; DecoyFile["Decoy File"] -->
| spoofs | Email["Email"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1566002["Spearphishing Link"] ;
class DecoyFile DefensiveTechniqueNode;
class Email ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
InboundSessionVolumeAnalysis["Inbound Session Volume Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class InboundSessionVolumeAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click InboundSessionVolumeAnalysis href "/technique/d3f:InboundSessionVolumeAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | Email["Email"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | Email["Email"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; URLAnalysis["URL Analysis"] -->
| analyzes | URL["URL"];
URLAnalysis["URL Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class URLAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLAnalysis href "/technique/d3f:URLAnalysis"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | Email["Email"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class Email ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | URL["URL"];
class HomoglyphDetection DefensiveTechniqueNode;
class URL ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
| analyzes | URL["URL"];
IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class IdentifierActivityAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | Email["Email"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class Email ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; SenderReputationAnalysis["Sender Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderReputationAnalysis["Sender Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class SenderReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderReputationAnalysis href "/technique/d3f:SenderReputationAnalysis"; SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -->
| analyzes | Email["Email"];
SenderMTAReputationAnalysis["Sender MTA Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class SenderMTAReputationAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click SenderMTAReputationAnalysis href "/technique/d3f:SenderMTAReputationAnalysis"; FileEviction["File Eviction"] -->
| deletes | Email["Email"];
FileEviction["File Eviction"] -.->
| may-evict | T1566002["Spearphishing Link"] ;
class FileEviction DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileEncryption["File Encryption"] -->
| encrypts | Email["Email"];
FileEncryption["File Encryption"] -.->
| may-harden | T1566002["Spearphishing Link"] ;
class FileEncryption DefensiveTechniqueNode;
class Email ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; ContentQuarantine["Content Quarantine"] -->
| quarantines | Email["Email"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class ContentQuarantine DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; ContentModification["Content Modification"] -->
| modifies | Email["Email"];
ContentModification["Content Modification"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class ContentModification DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; LocalFilePermissions["Local File Permissions"] -->
| restricts | Email["Email"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class Email ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; RestoreFile["Restore File"] -->
| restores | Email["Email"];
RestoreFile["Restore File"] -.->
| may-restore | T1566002["Spearphishing Link"] ;
class RestoreFile DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | Email["Email"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class FileAnalysis DefensiveTechniqueNode;
class Email ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] -->
| filters | Email["Email"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class ContentFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; URLReputationAnalysis["URL Reputation Analysis"] -->
| analyzes | URL["URL"];
URLReputationAnalysis["URL Reputation Analysis"] -.->
| may-detect | T1566002["Spearphishing Link"] ;
class URLReputationAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis"; EmailRemoval["Email Removal"] -->
| deletes | Email["Email"];
EmailRemoval["Email Removal"] -.->
| may-evict | T1566002["Spearphishing Link"] ;
class EmailRemoval DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; InboundTrafficFiltering["Inbound Traffic Filtering"] -->
| filters | InboundInternetMailTraffic["Inbound Internet Mail Traffic"];
InboundTrafficFiltering["Inbound Traffic Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class InboundTrafficFiltering DefensiveTechniqueNode;
class InboundInternetMailTraffic ArtifactNode;
click InboundTrafficFiltering href "/technique/d3f:InboundTrafficFiltering"; EmailFiltering["Email Filtering"] -->
| filters | Email["Email"];
EmailFiltering["Email Filtering"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class EmailFiltering DefensiveTechniqueNode;
class Email ArtifactNode;
click EmailFiltering href "/technique/d3f:EmailFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | Email["Email"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1566002["Spearphishing Link"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class Email ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RestoreEmail["Restore Email"] -->
| restores | Email["Email"];
RestoreEmail["Restore Email"] -.->
| may-restore | T1566002["Spearphishing Link"] ;
class RestoreEmail DefensiveTechniqueNode;
class Email ArtifactNode;
click RestoreEmail href "/technique/d3f:RestoreEmail";